SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dratzarus (Back to overview)

DRATzarus

aka: ThreatNeedle

Actor(s): Lazarus Group

VTCollection    

There is no description at this point.

References
2023-10-04Virus BulletinPeter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
SimpleTea POOLRAT 3CX Backdoor BLINDINGCAN CLOUDBURST DRATzarus ForestTiger ImprudentCook LambLoad LightlessCan miniBlindingCan PostNapTea SnatchCrypto wAgentTea WebbyTea WinInetLoader
2021-10-08Virus BulletinSeongsu Park
Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Dacls AppleJeus AppleJeus Bankshot BookCodes RAT Dacls DRATzarus LCPDot LPEClient
2021-01-29NSFOCUSFuying Laboratory
认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析
ComeBacker DRATzarus Torisma
2021-01-25GoogleAdam Weidemann
New campaign targeting security researchers
ComeBacker DRATzarus
2020-08-13ClearSkyClearSky Research Team
Operation ‘Dream Job’ Widespread North Korean Espionage Campaign
DRATzarus LPEClient NedDnLoader
Yara Rules
[TLP:WHITE] win_dratzarus_auto (20230808 | Detects win.dratzarus.)
rule win_dratzarus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.dratzarus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 740a 488b1b 4885db 75c2 eb2f 8b8398010000 }
            // n = 6, score = 200
            //   740a                 | lea                 eax, [ebp + 0x220]
            //   488b1b               | movzx               esi, word ptr [ebp - 0x5e]
            //   4885db               | inc                 esp
            //   75c2                 | movzx               ecx, word ptr [ebp - 0x60]
            //   eb2f                 | mov                 dword ptr [esp + 0x40], edx
            //   8b8398010000         | mov                 dword ptr [esp + 0x38], eax

        $sequence_1 = { f6c201 7403 66ffc3 66ffc0 6683f81a }
            // n = 5, score = 200
            //   f6c201               | inc                 edx
            //   7403                 | movzx               eax, word ptr [edx + 0x24d00]
            //   66ffc3               | dec                 eax
            //   66ffc0               | lea                 ecx, [ebp + 0x300]
            //   6683f81a             | dec                 eax

        $sequence_2 = { e8???????? f20f5ef0 f20f1005???????? f20f2cd6 660f6eca 4863c2 488d0c40 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   f20f5ef0             | lea                 ebx, [0x1f6ff]
            //   f20f1005????????     |                     
            //   f20f2cd6             | inc                 ecx
            //   660f6eca             | mov                 eax, 0x19000
            //   4863c2               | dec                 eax
            //   488d0c40             | mov                 ecx, eax

        $sequence_3 = { ff15???????? 488d4d68 ba13000000 488905???????? e8???????? }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   488d4d68             | mov                 edx, 0x80000000
            //   ba13000000           | mov                 dword ptr [esp + 0x28], 0x80
            //   488905????????       |                     
            //   e8????????           |                     

        $sequence_4 = { 488d8dc8000000 ba1c000000 488905???????? e8???????? 488bcb 488bd0 ff15???????? }
            // n = 7, score = 200
            //   488d8dc8000000       | dec                 eax
            //   ba1c000000           | add                 ecx, dword ptr [edi + 8]
            //   488905????????       |                     
            //   e8????????           |                     
            //   488bcb               | dec                 esp
            //   488bd0               | arpl                ax, ax
            //   ff15????????         |                     

        $sequence_5 = { 3c41 7c04 3c5a 7e08 3c30 7c19 3c39 }
            // n = 7, score = 200
            //   3c41                 | inc                 esp
            //   7c04                 | lea                 eax, [eax + 0x41]
            //   3c5a                 | dec                 eax
            //   7e08                 | mov                 ebx, eax
            //   3c30                 | dec                 eax
            //   7c19                 | mov                 dword ptr [esp + 0x38], eax
            //   3c39                 | dec                 eax

        $sequence_6 = { 6683f81a 72e3 0fb7c3 4883c420 }
            // n = 4, score = 200
            //   6683f81a             | dec                 esp
            //   72e3                 | lea                 ecx, [esp + 0x48]
            //   0fb7c3               | dec                 esp
            //   4883c420             | lea                 eax, [esp + 0x44]

        $sequence_7 = { c745303ae47159 c7453474b06493 c745380897878b c6453c5b e8???????? 488bc8 }
            // n = 6, score = 200
            //   c745303ae47159       | dec                 eax
            //   c7453474b06493       | add                 esp, 0x110
            //   c745380897878b       | pop                 ebp
            //   c6453c5b             | ret                 
            //   e8????????           |                     
            //   488bc8               | dec                 eax

        $sequence_8 = { c7450f86f5e3e6 c74513a93633c4 c7451793554020 c7451b48549c39 c7451faaa5f9c7 }
            // n = 5, score = 200
            //   c7450f86f5e3e6       | lea                 ecx, [eax + 1]
            //   c74513a93633c4       | mov                 dword ptr [esp + 0x28], eax
            //   c7451793554020       | dec                 eax
            //   c7451b48549c39       | mov                 esi, edx
            //   c7451faaa5f9c7       | repe cmpsb          byte ptr [esi], byte ptr es:[edi]

        $sequence_9 = { 488d4dc8 ba0c000000 488905???????? e8???????? 488bcb 488bd0 ff15???????? }
            // n = 7, score = 200
            //   488d4dc8             | lea                 eax, [0x56bfb]
            //   ba0c000000           | lea                 edx, [ebp + 9]
            //   488905????????       |                     
            //   e8????????           |                     
            //   488bcb               | lea                 ecx, [ebp + 6]
            //   488bd0               | inc                 ecx
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 1606656
}
Download all Yara Rules