win.contopee

Contopee

aka: WHITEOUT

Actor(s): Lazarus Group


FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.

References
2018 · FireEye · FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2016-05-26 · Symantec · Security Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-26 · Symantec · Symantec Security Response
@online{response:20160526:swift:a8d8898, author = {Symantec Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-01-07} } SWIFT attackers’ malware linked to more financial attacks
Contopee Lazarus Group
Yara Rules
[TLP:WHITE] win_contopee_auto (20220516 | Detects win.contopee.)
// Autogenerated code-sequence signature for win.contopee (the Contopee /
// WHITEOUT backdoor attributed to Lazarus Group on this page). Each
// $sequence_N is a short run of x86 instruction bytes lifted from unpacked
// samples; the rule fires when enough of them co-occur in a small enough
// file. Meta fields below identify the generator run and the Malpedia
// reference the rule was built against.
rule win_contopee_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.contopee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Every hex string below is a run of raw x86 opcode bytes; each "??"
        // is a one-byte wildcard. The masked bytes are the 4-byte operands of
        // ff15 (call dword ptr [imm32]), 68 (push imm32) and e8 (call rel32),
        // whose absolute or relative targets change between builds and load
        // addresses, so the generator blanks them (which is why the
        // disassembly column for those lines is empty). The "n" in each
        // comment is the instruction count, "score" the generator's weight.
        $sequence_0 = { 56 ff15???????? 83fdff 5b 7413 55 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   ff15????????         |                     
            //   83fdff               | cmp                 ebp, -1
            //   5b                   | pop                 ebx
            //   7413                 | je                  0x15
            //   55                   | push                ebp

        $sequence_1 = { 81c630040000 52 57 ff15???????? }
            // n = 4, score = 100
            //   81c630040000         | add                 esi, 0x430
            //   52                   | push                edx
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_2 = { 8b4c2410 8b54240c 8d442410 50 51 56 6a01 }
            // n = 7, score = 100
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   56                   | push                esi
            //   6a01                 | push                1

        $sequence_3 = { 50 6a02 f3ab ff15???????? }
            // n = 4, score = 100
            //   50                   | push                eax
            //   6a02                 | push                2
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   ff15????????         |                     

        $sequence_4 = { 50 ff15???????? 8d8ed00f0000 8d96c80f0000 51 52 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d8ed00f0000         | lea                 ecx, [esi + 0xfd0]
            //   8d96c80f0000         | lea                 edx, [esi + 0xfc8]
            //   51                   | push                ecx
            //   52                   | push                edx

        $sequence_5 = { ff15???????? 85c0 5f 750a ff15???????? 89442400 8d4c2404 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   5f                   | pop                 edi
            //   750a                 | jne                 0xc
            //   ff15????????         |                     
            //   89442400             | mov                 dword ptr [esp], eax
            //   8d4c2404             | lea                 ecx, [esp + 4]

        $sequence_6 = { 8b442424 8b6c2420 8b742414 85c0 7418 55 6a00 }
            // n = 7, score = 100
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   8b6c2420             | mov                 ebp, dword ptr [esp + 0x20]
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   85c0                 | test                eax, eax
            //   7418                 | je                  0x1a
            //   55                   | push                ebp
            //   6a00                 | push                0

        // Pure compare/branch sequence with no masked bytes: the 0x3fff8
        // constant is a fixed bound in the sample, which makes this one of
        // the more build-stable strings in the set.
        $sequence_7 = { 7f0a 7c17 81faf8ff0300 720f }
            // n = 4, score = 100
            //   7f0a                 | jg                  0xc
            //   7c17                 | jl                  0x19
            //   81faf8ff0300         | cmp                 edx, 0x3fff8
            //   720f                 | jb                  0x11

        $sequence_8 = { 8d8c2450020000 50 8d54240c 51 52 68???????? 8d866a070000 }
            // n = 7, score = 100
            //   8d8c2450020000       | lea                 ecx, [esp + 0x250]
            //   50                   | push                eax
            //   8d54240c             | lea                 edx, [esp + 0xc]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   68????????           |                     
            //   8d866a070000         | lea                 eax, [esi + 0x76a]

        $sequence_9 = { 84c0 751c 8d8c2414020000 c7842440040000ffffffff e8???????? 83c8ff eb54 }
            // n = 7, score = 100
            //   84c0                 | test                al, al
            //   751c                 | jne                 0x1e
            //   8d8c2414020000       | lea                 ecx, [esp + 0x214]
            //   c7842440040000ffffffff     | mov    dword ptr [esp + 0x440], 0xffffffff
            //   e8????????           |                     
            //   83c8ff               | or                  eax, 0xffffffff
            //   eb54                 | jmp                 0x56

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, and the
        // scanned object must be smaller than 180224 bytes (176 KiB). Since
        // the sequences come from memory dumps and unpacked files (see the
        // disclaimer above), expect weaker coverage on packed on-disk
        // samples; unpacked payloads and process memory are the intended
        // targets. NOTE(review): filesize is only meaningful for file scans —
        // confirm how your scanner evaluates it for process-memory targets.
        7 of them and filesize < 180224
}