SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hardrain (Back to overview)

HARDRAIN

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-02-05US-CERTUnknown Unknown
@techreport{unknown:20180205:hidden:3e1e07e, author = {Unknown Unknown}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2018-02-05}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf}, language = {English}, urldate = {2019-12-20} } HIDDEN COBRA - North Korean Malicious Cyber Activity
HARDRAIN HARDRAIN
Yara Rules
[TLP:WHITE] win_hardrain_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_hardrain_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7518 8b4c2400 8b442410 51 50 e8???????? 83c408 }
            // n = 7, score = 200
            //   7518                 | jne                 0x1a
            //   8b4c2400             | mov                 ecx, dword ptr [esp]
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   51                   | push                ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_1 = { 8bce e8???????? 8bf8 85ff 7434 8d542414 }
            // n = 6, score = 200
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7434                 | je                  0x36
            //   8d542414             | lea                 edx, [esp + 0x14]

        $sequence_2 = { 33c2 d1e8 33c2 81e2ffff3f00 c1e811 03d2 }
            // n = 6, score = 200
            //   33c2                 | xor                 eax, edx
            //   d1e8                 | shr                 eax, 1
            //   33c2                 | xor                 eax, edx
            //   81e2ffff3f00         | and                 edx, 0x3fffff
            //   c1e811               | shr                 eax, 0x11
            //   03d2                 | add                 edx, edx

        $sequence_3 = { 51 ff15???????? 6685c0 0f86a3000000 8b5500 }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   6685c0               | test                ax, ax
            //   0f86a3000000         | jbe                 0xa9
            //   8b5500               | mov                 edx, dword ptr [ebp]

        $sequence_4 = { 8bce e8???????? 85c0 746c 55 }
            // n = 5, score = 200
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   746c                 | je                  0x6e
            //   55                   | push                ebp

        $sequence_5 = { 7463 8b742414 85f6 745b 8b6c2418 55 6a40 }
            // n = 7, score = 200
            //   7463                 | je                  0x65
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   85f6                 | test                esi, esi
            //   745b                 | je                  0x5d
            //   8b6c2418             | mov                 ebp, dword ptr [esp + 0x18]
            //   55                   | push                ebp
            //   6a40                 | push                0x40

        $sequence_6 = { 7406 83f201 89510c c3 8b5110 }
            // n = 5, score = 200
            //   7406                 | je                  8
            //   83f201               | xor                 edx, 1
            //   89510c               | mov                 dword ptr [ecx + 0xc], edx
            //   c3                   | ret                 
            //   8b5110               | mov                 edx, dword ptr [ecx + 0x10]

        $sequence_7 = { 33c0 8d7c2418 c744241400000000 f3ab b9bc010000 8dbc244c020000 }
            // n = 6, score = 200
            //   33c0                 | xor                 eax, eax
            //   8d7c2418             | lea                 edi, [esp + 0x18]
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   b9bc010000           | mov                 ecx, 0x1bc
            //   8dbc244c020000       | lea                 edi, [esp + 0x24c]

        $sequence_8 = { 56 8b7104 8bc2 c1e80b 83e001 33f0 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   8b7104               | mov                 esi, dword ptr [ecx + 4]
            //   8bc2                 | mov                 eax, edx
            //   c1e80b               | shr                 eax, 0xb
            //   83e001               | and                 eax, 1
            //   33f0                 | xor                 esi, eax

        $sequence_9 = { 50 56 6857340000 51 e8???????? }
            // n = 5, score = 200
            //   50                   | push                eax
            //   56                   | push                esi
            //   6857340000           | push                0x3457
            //   51                   | push                ecx
            //   e8????????           |                     

    condition:
        7 of them and filesize < 368640
}
Download all Yara Rules