win.contopee

Contopee

aka: WHITEOUT

Actor(s): Lazarus Group


FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.

References
2018 – FireEye – FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2016-05-26 – Symantec – Security Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-26 – Symantec – Symantec Security Response
@online{response:20160526:swift:a8d8898, author = {Symantec Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-01-07} } SWIFT attackers’ malware linked to more financial attacks
Contopee Lazarus Group
Yara Rules
[TLP:WHITE] win_contopee_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_contopee_auto {
    // Code-sequence detector for the Contopee (aka WHITEOUT) backdoor,
    // autogenerated by yara-signator (see DISCLAIMER below for how the
    // sequences were chosen). Each $sequence_N is a run of consecutive x86
    // instruction encodings taken from the disassembly; "??" wildcards
    // stand for operand bytes (addresses, immediates) that vary between
    // builds and so are not matched literally.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-sequence annotations: "n" is the number of instructions in the
        // sequence, "score" the generator's weighting (all 100 here).
        $sequence_0 = { 6a00 6a78 50 53 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   6a78                 | push                0x78
            //   50                   | push                eax
            //   53                   | push                ebx

        // ff15 is the opcode of "call dword ptr [imm32]", i.e. an indirect
        // call through a pointer (typically an import address table slot);
        // the four pointer bytes are wildcarded because they are build-specific.
        $sequence_1 = { 51 ff15???????? 85c0 5e 7504 8944240c 53 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   5e                   | pop                 esi
            //   7504                 | jne                 6
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   53                   | push                ebx

        $sequence_2 = { 8b44241c 8d542404 52 8d0c00 8b44241c 50 894c240c }
            // n = 7, score = 100
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8d542404             | lea                 edx, [esp + 4]
            //   52                   | push                edx
            //   8d0c00               | lea                 ecx, [eax + eax]
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   50                   | push                eax
            //   894c240c             | mov                 dword ptr [esp + 0xc], ecx

        $sequence_3 = { 895c2414 33f6 89742420 8b842440120000 83f806 }
            // n = 5, score = 100
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   33f6                 | xor                 esi, esi
            //   89742420             | mov                 dword ptr [esp + 0x20], esi
            //   8b842440120000       | mov                 eax, dword ptr [esp + 0x1240]
            //   83f806               | cmp                 eax, 6

        $sequence_4 = { 89442460 8b442414 89542464 8b54240c 8d4c2424 }
            // n = 5, score = 100
            //   89442460             | mov                 dword ptr [esp + 0x60], eax
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   89542464             | mov                 dword ptr [esp + 0x64], edx
            //   8b54240c             | mov                 edx, dword ptr [esp + 0xc]
            //   8d4c2424             | lea                 ecx, [esp + 0x24]

        $sequence_5 = { 6a40 89442428 ff15???????? 8bd8 85db }
            // n = 5, score = 100
            //   6a40                 | push                0x40
            //   89442428             | mov                 dword ptr [esp + 0x28], eax
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx

        // 68 is "push imm32"; the 32-bit immediate (an address inside the
        // image, whose value depends on the build) is wildcarded.
        $sequence_6 = { 83c408 3bc5 0f8587000000 68???????? ffd6 }
            // n = 5, score = 100
            //   83c408               | add                 esp, 8
            //   3bc5                 | cmp                 eax, ebp
            //   0f8587000000         | jne                 0x8d
            //   68????????           |                     
            //   ffd6                 | call                esi

        $sequence_7 = { 8bbc2424020000 c744240c01000000 85ff 89442410 c744241400000000 0f84d0000000 83ffff }
            // n = 7, score = 100
            //   8bbc2424020000       | mov                 edi, dword ptr [esp + 0x224]
            //   c744240c01000000     | mov                 dword ptr [esp + 0xc], 1
            //   85ff                 | test                edi, edi
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   0f84d0000000         | je                  0xd6
            //   83ffff               | cmp                 edi, -1

        // NOTE(review): $sequence_8 shares its first five instructions
        // (85ff ... 83ffff) with the tail of $sequence_7, so a single code
        // region can satisfy both. Treat them as one piece of evidence when
        // judging how many independent sequences a hit really rests on.
        $sequence_8 = { 85ff 89442410 c744241400000000 0f84d0000000 83ffff 0f84c7000000 }
            // n = 6, score = 100
            //   85ff                 | test                edi, edi
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   0f84d0000000         | je                  0xd6
            //   83ffff               | cmp                 edi, -1
            //   0f84c7000000         | je                  0xcd

        $sequence_9 = { 6880020000 6a40 c744241000000000 c744240c80020000 }
            // n = 4, score = 100
            //   6880020000           | push                0x280
            //   6a40                 | push                0x40
            //   c744241000000000     | mov                 dword ptr [esp + 0x10], 0
            //   c744240c80020000     | mov                 dword ptr [esp + 0xc], 0x280

    condition:
        // Fires when at least 7 of the 10 sequences are present and the
        // scanned object is smaller than 180224 bytes (176 KiB). The size
        // cap presumably reflects the reference sample(s) the rule was
        // generated from; larger objects (e.g. packed carriers or full
        // process memory) will not match even if the code is present.
        7 of them and filesize < 180224
}