win.dratzarus

DRATzarus

aka: ThreatNeedle, ThreatNeedleTea

Actor(s): Lazarus Group


There is no description at this point.

References
2025-10-30 — Gen Digital — Alexandru-Cristian Bardaș
DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant
ComeBacker DRATzarus NikiTeaR
2025-07-28 — Wiz.io — Merav Bar
TraderTraitor: Deep Dive
GolangGhost Manuscrypt RN Stealer DRATzarus GolangGhost PostNapTea Volgmer wAgentTea
2025-04-24 — Kaspersky — Sojun Ryu, Vasily Berdnikov
Operation SyncHole: Lazarus APT goes back to the well
Bankshot DRATzarus PostNapTea wAgentTea
2023-10-04 — Virus Bulletin — Peter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
SimpleTea POOLRAT 3CX Backdoor BLINDINGCAN CLOUDBURST DRATzarus ForestTiger ImprudentCook LambLoad LightlessCan miniBlindingCan PostNapTea SecondHandTea SnatchCrypto wAgentTea WebbyTea WinInetLoader
2022-08-15 — Brandefense — Brandefense
Lazarus APT Group (APT38)
AppleJeus AppleJeus BADCALL Bankshot BLINDINGCAN DRATzarus Dtrack KEYMARBLE Sierra(Alfa,Bravo, ...) Torisma WannaCryptor
2021-10-08 — Virus Bulletin — Seongsu Park
Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Dacls AppleJeus AppleJeus Bankshot BookCodes RAT Dacls DRATzarus LCPDot LPEClient
2021-01-29 — NSFOCUS — Fuying Laboratory
认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析
ComeBacker DRATzarus Torisma
2021-01-25 — Google — Adam Weidemann
New campaign targeting security researchers
ComeBacker DRATzarus
2020-08-13 — ClearSky — ClearSky Research Team
Operation ‘Dream Job’ Widespread North Korean Espionage Campaign
DRATzarus LPEClient NedDnLoader
Yara Rules
[TLP:WHITE] win_dratzarus_auto (20260504 | Detects win.dratzarus.)
rule win_dratzarus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.dratzarus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-byte annotations below are a manual x86-64 decode of
     * each hex sequence. The annotations originally emitted with this rule did not
     * correspond to the bytes they sat next to (e.g. the REX.W prefix 0x48 was
     * shown as "dec eax"), so they were replaced. Only the hex sequences are
     * evaluated by YARA; the comments exist for analyst readability and triage.
     * Remarks about what a sequence is "part of" are inferences from the opcodes
     * alone and have not been confirmed against a sample.
     * "n" is the number of instructions in the sequence and "score" is the
     * generator's ranking value, both carried over from yara-signator.
     * `????????` bytes are wildcards: relative call/load targets that differ
     * between builds and link layouts are deliberately not matched.
     */

    strings:
        $sequence_0 = { 33d2 33c9 4889442420 48895c2448 c744244001000000 }
            // n = 5, score = 200
            // Argument setup before a call: two registers zeroed, two
            // callee-saved/outgoing values spilled to the stack, a constant 1.
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   48895c2448           | mov                 qword ptr [rsp + 0x48], rbx
            //   c744244001000000     | mov                 dword ptr [rsp + 0x40], 1

        $sequence_1 = { c6453c5b e8???????? 488bc8 ff15???????? 488bd8 4885c0 7511 }
            // n = 7, score = 200
            // Writes a single '[' (0x5b) byte into a local buffer, then calls a
            // function, passes its result to an imported function and tests the
            // return value for NULL/zero.
            //   c6453c5b             | mov                 byte ptr [rbp + 0x3c], 0x5b
            //   e8????????           | call                <rel32, wildcarded>
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         | call                qword ptr [rip + <disp32, wildcarded>]
            //   488bd8               | mov                 rbx, rax
            //   4885c0               | test                rax, rax
            //   7511                 | jne                 +0x11

        $sequence_2 = { c785380400004e70775d c7853c04000063706229 c745b002332420 c745b435240728 c745b82d240041 c74424607a2ed60d }
            // n = 6, score = 200
            // Back-to-back immediate stores into stack locals. Looks like inline
            // construction of constant data (stack string / key material) — an
            // inference from the opcodes only, not confirmed.
            //   c785380400004e70775d     | mov    dword ptr [rbp + 0x438], 0x5d77704e
            //   c7853c04000063706229     | mov    dword ptr [rbp + 0x43c], 0x29627063
            //   c745b002332420       | mov                 dword ptr [rbp - 0x50], 0x20243302
            //   c745b435240728       | mov                 dword ptr [rbp - 0x4c], 0x28072435
            //   c745b82d240041       | mov                 dword ptr [rbp - 0x48], 0x4100242d
            //   c74424607a2ed60d     | mov                 dword ptr [rsp + 0x60], 0x0dd62e7a

        $sequence_3 = { 6689440afe 6685c0 75ef 33c0 4883c9ff 488dbc2480060000 }
            // n = 6, score = 200
            // Tail of a 16-bit (wide-char style) copy loop that runs until a zero
            // word is written, followed by setup of rcx = -1 and a pointer to a
            // large stack buffer (a typical strlen-style idiom).
            //   6689440afe           | mov                 word ptr [rdx + rcx - 2], ax
            //   6685c0               | test                ax, ax
            //   75ef                 | jne                 -0x11
            //   33c0                 | xor                 eax, eax
            //   4883c9ff             | or                  rcx, 0xffffffffffffffff
            //   488dbc2480060000     | lea                 rdi, [rsp + 0x680]

        $sequence_4 = { 4883c430 5f 5e 5b c3 488b4c2468 41b902000000 }
            // n = 7, score = 200
            // Function epilogue (stack release, three pops, ret) immediately
            // followed by code of the next function in the image.
            //   4883c430             | add                 rsp, 0x30
            //   5f                   | pop                 rdi
            //   5e                   | pop                 rsi
            //   5b                   | pop                 rbx
            //   c3                   | ret
            //   488b4c2468           | mov                 rcx, qword ptr [rsp + 0x68]
            //   41b902000000         | mov                 r9d, 2

        $sequence_5 = { bf01000000 488bcb ff15???????? 8bc7 488b8c2460020000 4833cc e8???????? }
            // n = 7, score = 200
            // Imported-function call followed by `xor rcx, rsp` and a call —
            // consistent with an MSVC stack-cookie check before returning
            // (__security_check_cookie). Inference from the opcodes only.
            //   bf01000000           | mov                 edi, 1
            //   488bcb               | mov                 rcx, rbx
            //   ff15????????         | call                qword ptr [rip + <disp32, wildcarded>]
            //   8bc7                 | mov                 eax, edi
            //   488b8c2460020000     | mov                 rcx, qword ptr [rsp + 0x260]
            //   4833cc               | xor                 rcx, rsp
            //   e8????????           | call                <rel32, wildcarded>

        $sequence_6 = { c785f0000000fd77f4c4 c785f4000000ba55a70a c785f8000000d01a40b1 66c785fc00000064ca c685fe000000e4 }
            // n = 5, score = 200
            // Fifteen contiguous bytes of constant data written into a frame
            // buffer as 4+4+4+2+1-byte stores; same inline-constant pattern as
            // $sequence_2 (inference, not confirmed).
            //   c785f0000000fd77f4c4     | mov    dword ptr [rbp + 0xf0], 0xc4f477fd
            //   c785f4000000ba55a70a     | mov    dword ptr [rbp + 0xf4], 0x0aa755ba
            //   c785f8000000d01a40b1     | mov    dword ptr [rbp + 0xf8], 0xb1401ad0
            //   66c785fc00000064ca     | mov    word ptr [rbp + 0xfc], 0xca64
            //   c685fe000000e4       | mov                 byte ptr [rbp + 0xfe], 0xe4

        $sequence_7 = { e8???????? 488bcb 488bd0 ff15???????? 488d8d58020000 ba13000000 488905???????? }
            // n = 7, score = 200
            // Result of a local call passed as the second argument to an import,
            // then a pointer/length pair (rcx = buffer, edx = 0x13) prepared and
            // the return value stored to a global.
            //   e8????????           | call                <rel32, wildcarded>
            //   488bcb               | mov                 rcx, rbx
            //   488bd0               | mov                 rdx, rax
            //   ff15????????         | call                qword ptr [rip + <disp32, wildcarded>]
            //   488d8d58020000       | lea                 rcx, [rbp + 0x258]
            //   ba13000000           | mov                 edx, 0x13
            //   488905????????       | mov                 qword ptr [rip + <disp32, wildcarded>], rax

        $sequence_8 = { 89842454020000 e8???????? b902000000 8d5701 4533c0 }
            // n = 5, score = 200
            // Spills eax to the frame, calls a local function, then prepares
            // arguments ecx = 2, edx = edi + 1, r8 = 0 for the next call.
            //   89842454020000       | mov                 dword ptr [rsp + 0x254], eax
            //   e8????????           | call                <rel32, wildcarded>
            //   b902000000           | mov                 ecx, 2
            //   8d5701               | lea                 edx, [rdi + 1]
            //   4533c0               | xor                 r8d, r8d

        $sequence_9 = { 488d4de0 ba16000000 e8???????? 488bcb 488bd0 ff15???????? 488b5c2460 }
            // n = 7, score = 200
            // Same call shape as $sequence_7 with a different buffer/length
            // (rcx = [rbp - 0x20], edx = 0x16), then rbx restored from the frame.
            //   488d4de0             | lea                 rcx, [rbp - 0x20]
            //   ba16000000           | mov                 edx, 0x16
            //   e8????????           | call                <rel32, wildcarded>
            //   488bcb               | mov                 rcx, rbx
            //   488bd0               | mov                 rdx, rax
            //   ff15????????         | call                qword ptr [rip + <disp32, wildcarded>]
            //   488b5c2460           | mov                 rbx, qword ptr [rsp + 0x60]

    condition:
        // Any 7 of the 10 code sequences must be present, and the scanned object
        // must be smaller than 1,606,656 bytes (~1.5 MiB). The size cap presumably
        // reflects the reference sample(s) the rule was generated from; note that
        // `filesize` is only meaningful for on-disk files, not for process-memory
        // scans, and that a padded or repacked sample can exceed it.
        7 of them and filesize < 1606656
}