SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hardrain (Back to overview)

HARDRAIN

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-02-05US-CERTUnknown Unknown
@techreport{unknown:20180205:hidden:3e1e07e, author = {Unknown Unknown}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2018-02-05}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf}, language = {English}, urldate = {2019-12-20} } HIDDEN COBRA - North Korean Malicious Cyber Activity
HARDRAIN HARDRAIN
Yara Rules
[TLP:WHITE] win_hardrain_auto (20211008 | Detects win.hardrain.)
rule win_hardrain_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.hardrain."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a03 6800000080 68???????? c744242800000000 ff15???????? 8bf0 }
            // n = 6, score = 200
            //   6a03                 | push                3
            //   6800000080           | push                0x80000000
            //   68????????           |                     
            //   c744242800000000     | mov                 dword ptr [esp + 0x28], 0
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_1 = { f3ab 8b4c2438 8b44240c 6a00 6880000000 }
            // n = 5, score = 200
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b4c2438             | mov                 ecx, dword ptr [esp + 0x38]
            //   8b44240c             | mov                 eax, dword ptr [esp + 0xc]
            //   6a00                 | push                0
            //   6880000000           | push                0x80

        $sequence_2 = { 33c2 d1e8 33c2 81e2ffff3f00 c1e811 03d2 }
            // n = 6, score = 200
            //   33c2                 | xor                 eax, edx
            //   d1e8                 | shr                 eax, 1
            //   33c2                 | xor                 eax, edx
            //   81e2ffff3f00         | and                 edx, 0x3fffff
            //   c1e811               | shr                 eax, 0x11
            //   03d2                 | add                 edx, edx

        $sequence_3 = { f3a4 5f 750a 55 53 e8???????? }
            // n = 6, score = 200
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   5f                   | pop                 edi
            //   750a                 | jne                 0xc
            //   55                   | push                ebp
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_4 = { ff15???????? 89442410 6aff 8d442410 6a00 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   6aff                 | push                -1
            //   8d442410             | lea                 eax, dword ptr [esp + 0x10]
            //   6a00                 | push                0

        $sequence_5 = { a3???????? 5e c3 3d41030000 7523 }
            // n = 5, score = 200
            //   a3????????           |                     
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   3d41030000           | cmp                 eax, 0x341
            //   7523                 | jne                 0x25

        $sequence_6 = { 68b4000000 89442408 894c2414 6a01 8d542418 }
            // n = 5, score = 200
            //   68b4000000           | push                0xb4
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   6a01                 | push                1
            //   8d542418             | lea                 edx, dword ptr [esp + 0x18]

        $sequence_7 = { 8b4c2408 8b542410 51 52 ff15???????? }
            // n = 5, score = 200
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_8 = { 6a0c 52 56 89442418 894c2414 }
            // n = 5, score = 200
            //   6a0c                 | push                0xc
            //   52                   | push                edx
            //   56                   | push                esi
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx

        $sequence_9 = { ff15???????? 663dc800 720a 5f 5e 5d }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   663dc800             | cmp                 ax, 0xc8
            //   720a                 | jb                  0xc
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

    condition:
        7 of them and filesize < 368640
}
Download all Yara Rules