win.dratzarus

DRATzarus

aka: ThreatNeedle

Actor(s): Lazarus Group


There is no description at this point.

References
2021-10-08 — Virus Bulletin — Seongsu Park
@techreport{park:20211008:multiuniverse:87fc078, author = {Seongsu Park}, title = {{Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections}}, date = {2021-10-08}, institution = {Virus Bulletin}, url = {https://vblocalhost.com/uploads/VB2021-Park.pdf}, language = {English}, urldate = {2023-07-24} } Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Dacls AppleJeus AppleJeus Bankshot BookCodes RAT Dacls DRATzarus LCPDot LPEClient
2021-01-29 — NSFOCUS — Fuying Laboratory
@online{laboratory:20210129:stumbzarusaptlazarus:4d0bf52, author = {Fuying Laboratory}, title = {{认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析}}, date = {2021-01-29}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/stumbzarus-apt-lazarus/}, language = {Chinese}, urldate = {2023-08-03} } 认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析
ComeBacker DRATzarus Torisma
2021-01-25 — Google — Adam Weidemann
@online{weidemann:20210125:new:f286d05, author = {Adam Weidemann}, title = {{New campaign targeting security researchers}}, date = {2021-01-25}, organization = {Google}, url = {https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/}, language = {English}, urldate = {2023-08-03} } New campaign targeting security researchers
ComeBacker DRATzarus
2020-08-13 — ClearSky — ClearSky Research Team
@techreport{team:20200813:operation:429bf86, author = {ClearSky Research Team}, title = {{Operation ‘Dream Job’ Widespread North Korean Espionage Campaign}}, date = {2020-08-13}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf}, language = {English}, urldate = {2023-09-07} } Operation ‘Dream Job’ Widespread North Korean Espionage Campaign
DRATzarus LPEClient NedDnLoader
Yara Rules
[TLP:WHITE] win_dratzarus_auto (20230715 | Detects win.dratzarus.)
rule win_dratzarus_auto {
    /*
     * Purpose: code-sequence signature for win.dratzarus (DRATzarus, listed on
     * this page under the alias ThreatNeedle), auto-generated by yara-signator
     * as recorded in the meta block below. The rule fires when at least 7 of
     * the 10 byte sequences under "strings" are present and the scanned file
     * is smaller than 905216 bytes (see "condition").
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.dratzarus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /*
     * NOTE(review): the mnemonics in the per-byte annotation comments below do
     * not appear to line up with the hex bytes beside them. The sequences
     * carry REX prefixes (41/44/45/48/4c), i.e. they look like x86-64 code,
     * whereas the annotations read like a 32-bit decode and seem offset from
     * the bytes they sit next to. Treat the annotations as informational
     * only; the hex bytes are what the rule actually matches on.
     * The "????????" wildcards follow e8 / ff15 / 488905 opcodes, so the
     * masked bytes appear to be the operands of calls, indirect calls and
     * data references, consistent with signator_config above
     * ("callsandjumps;datarefs"). This keeps the sequences stable across
     * builds whose relocations or addresses differ.
     */

    strings:
        $sequence_0 = { 488d8d12040000 33d2 41b8260a0000 66899d10040000 e8???????? 8d4b40 ba00200300 }
            // n = 7, score = 100
            //   488d8d12040000       | inc                 ecx
            //   33d2                 | mov                 ecx, 0xf003f
            //   41b8260a0000         | ja                  0x146f
            //   66899d10040000       | dec                 ecx
            //   e8????????           |                     
            //   8d4b40               | movsx               eax, ah
            //   ba00200300           | inc                 edx

        $sequence_1 = { 418b400c 418b4810 418b5014 458bca 0f1f440000 0bc1 0bca }
            // n = 7, score = 100
            //   418b400c             | lea                 ecx, [0x20864]
            //   418b4810             | dec                 eax
            //   418b5014             | test                eax, eax
            //   458bca               | je                  0x5dc
            //   0f1f440000           | dec                 eax
            //   0bc1                 | lea                 edx, [0x2083a]
            //   0bca                 | dec                 eax

        $sequence_2 = { eb69 01bbccaf0600 8b8bccaf0600 4c8d0524b20100 0fb69419b8af0100 8d4101 488bcb }
            // n = 7, score = 100
            //   eb69                 | test                eax, eax
            //   01bbccaf0600         | inc                 eax
            //   8b8bccaf0600         | sete                dh
            //   4c8d0524b20100       | mov                 eax, esi
            //   0fb69419b8af0100     | inc                 ebp
            //   8d4101               | xor                 ecx, ecx
            //   488bcb               | dec                 esp

        $sequence_3 = { 2b756f 81fe50140000 0f8f8b030000 81feb0ebffff 0f8c6f030000 4c8d2d0ecc0000 4983ed60 }
            // n = 7, score = 100
            //   2b756f               | mov                 ecx, ebx
            //   81fe50140000         | dec                 eax
            //   0f8f8b030000         | mov                 ecx, dword ptr [esp + 0x250]
            //   81feb0ebffff         | dec                 eax
            //   0f8c6f030000         | xor                 ecx, esp
            //   4c8d2d0ecc0000       | dec                 esp
            //   4983ed60             | lea                 ebx, [esp + 0x260]

        $sequence_4 = { 4885db 744e 448d4208 488d156e370100 488bcb e8???????? 85c0 }
            // n = 7, score = 100
            //   4885db               | mov                 ebp, eax
            //   744e                 | dec                 eax
            //   448d4208             | sub                 edx, ecx
            //   488d156e370100       | dec                 eax
            //   488bcb               | mov                 dword ptr [esp + 0x28], 0
            //   e8????????           |                     
            //   85c0                 | nop                 dword ptr [eax]

        $sequence_5 = { 4c8d0504bf0100 e8???????? 81fd1e010000 7f0e 83fb1e 7f09 83fe13 }
            // n = 7, score = 100
            //   4c8d0504bf0100       | dec                 eax
            //   e8????????           |                     
            //   81fd1e010000         | mov                 edx, eax
            //   7f0e                 | ret                 
            //   83fb1e               | dec                 eax
            //   7f09                 | lea                 ecx, [ebp - 0x20]
            //   83fe13               | mov                 edx, 0x15

        $sequence_6 = { 6685c0 75e7 488d8dc0280000 ba04010000 ff15???????? 4c8d8df0260000 4c8d85c0280000 }
            // n = 7, score = 100
            //   6685c0               | mov                 byte ptr [ebp - 0x10], 0x35
            //   75e7                 | mov                 dword ptr [ebp - 0x40], 0x44f1bdb5
            //   488d8dc0280000       | mov                 dword ptr [ebp - 0x3c], 0xaf998512
            //   ba04010000           | mov                 dword ptr [ebp - 0x38], 0x486561df
            //   ff15????????         |                     
            //   4c8d8df0260000       | mov                 dword ptr [ebp - 0x34], 0x63e48f17
            //   4c8d85c0280000       | mov                 dword ptr [ebp - 0x11], 0xd82f9d0f

        $sequence_7 = { 488d3d3a280200 4c8d442450 48f7d1 488d542458 48897c2420 48ffc9 }
            // n = 6, score = 100
            //   488d3d3a280200       | mov                 dword ptr [ebp - 0x74], 0x47607077
            //   4c8d442450           | mov                 word ptr [ebp - 0x70], 0x2a0d
            //   48f7d1               | mov                 byte ptr [ebp - 0x6e], 0x9f
            //   488d542458           | mov                 dword ptr [esp + 0x38], 0x3eb37d52
            //   48897c2420           | mov                 word ptr [esp + 0x3c], 0x3e3a
            //   48ffc9               | mov                 dword ptr [ebp - 0x70], 0x242d2405

        $sequence_8 = { 72ce 48215c2420 488d8520060000 448bc6 442bc0 488b442450 488d0da3b80400 }
            // n = 7, score = 100
            //   72ce                 | mov                 dword ptr [ebp + 0x2dc], 0x9ba8a32b
            //   48215c2420           | mov                 dword ptr [ebp + 0x2e0], 0x1c7dc79a
            //   488d8520060000       | mov                 dword ptr [ebp + 0x3c0], 0x6c70784e
            //   448bc6               | mov                 dword ptr [ebp + 0x3c4], 0x64737a5d
            //   442bc0               | mov                 dword ptr [ebp + 0x3c8], 0xe9eb360d
            //   488b442450           | mov                 dword ptr [ebp + 0x3d8], 0x4ac9ed45
            //   488d0da3b80400       | mov                 dword ptr [ebp + 0x3dc], 0xa840388d

        $sequence_9 = { 488bd0 ff15???????? 488d4c2420 ba07000000 488905???????? e8???????? }
            // n = 6, score = 100
            //   488bd0               | dec                 eax
            //   ff15????????         |                     
            //   488d4c2420           | mov                 ecx, ebx
            //   ba07000000           | dec                 eax
            //   488905????????       |                     
            //   e8????????           |                     

    /*
     * "7 of them" (out of the 10 sequences above) tolerates a few sequences
     * being absent or altered in a given sample, at the cost of some
     * robustness against partial overlap with unrelated code.
     * The filesize bound is presumably derived from the sample(s) the rule
     * was generated from (per the DISCLAIMER, possibly a single sample), so
     * larger builds, padded, overlaid or packed files may fall outside it —
     * confirm before treating it as a hard cutoff. YARA's filesize is the
     * size in bytes of the scanned file; for process-memory scans check how
     * your scanner defines it, since the bound may not apply there.
     */
    condition:
        7 of them and filesize < 905216
}