SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hardrain (Back to overview)

HARDRAIN

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-02-05US-CERTUnknown Unknown
@techreport{unknown:20180205:hidden:3e1e07e, author = {Unknown Unknown}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2018-02-05}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf}, language = {English}, urldate = {2019-12-20} } HIDDEN COBRA - North Korean Malicious Cyber Activity
HARDRAIN HARDRAIN
Yara Rules
[TLP:WHITE] win_hardrain_auto (20220411 | Detects win.hardrain.)
rule win_hardrain_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.hardrain."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 81ec28010000 e8???????? e8???????? 85c0 }
            // n = 4, score = 200
            //   81ec28010000         | sub                 esp, 0x128
            //   e8????????           |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_1 = { c1e803 33c2 d1e8 33c2 }
            // n = 4, score = 200
            //   c1e803               | shr                 eax, 3
            //   33c2                 | xor                 eax, edx
            //   d1e8                 | shr                 eax, 1
            //   33c2                 | xor                 eax, edx

        $sequence_2 = { 55 56 85c0 7463 }
            // n = 4, score = 200
            //   55                   | push                ebp
            //   56                   | push                esi
            //   85c0                 | test                eax, eax
            //   7463                 | je                  0x65

        $sequence_3 = { 83c414 85c0 740a b802000000 5e 83c418 }
            // n = 6, score = 200
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc
            //   b802000000           | mov                 eax, 2
            //   5e                   | pop                 esi
            //   83c418               | add                 esp, 0x18

        $sequence_4 = { ff15???????? 6685c0 0f86a3000000 8b5500 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   6685c0               | test                ax, ax
            //   0f86a3000000         | jbe                 0xa9
            //   8b5500               | mov                 edx, dword ptr [ebp]

        $sequence_5 = { 7463 8b742414 85f6 745b 8b6c2418 55 6a40 }
            // n = 7, score = 200
            //   7463                 | je                  0x65
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   85f6                 | test                esi, esi
            //   745b                 | je                  0x5d
            //   8b6c2418             | mov                 ebp, dword ptr [esp + 0x18]
            //   55                   | push                ebp
            //   6a40                 | push                0x40

        $sequence_6 = { 68b4000000 89442408 894c2414 6a01 8d542418 }
            // n = 5, score = 200
            //   68b4000000           | push                0xb4
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   6a01                 | push                1
            //   8d542418             | lea                 edx, dword ptr [esp + 0x18]

        $sequence_7 = { 51 ff15???????? 33c0 81c4540c0000 c3 b803000000 }
            // n = 6, score = 200
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax
            //   81c4540c0000         | add                 esp, 0xc54
            //   c3                   | ret                 
            //   b803000000           | mov                 eax, 3

        $sequence_8 = { 8994242c040000 8b542418 68f0060000 50 51 89942444040000 }
            // n = 6, score = 200
            //   8994242c040000       | mov                 dword ptr [esp + 0x42c], edx
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]
            //   68f0060000           | push                0x6f0
            //   50                   | push                eax
            //   51                   | push                ecx
            //   89942444040000       | mov                 dword ptr [esp + 0x444], edx

        $sequence_9 = { 6689442422 ff15???????? 8bf0 83feff 0f8493000000 8d442408 50 }
            // n = 7, score = 200
            //   6689442422           | mov                 word ptr [esp + 0x22], ax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   0f8493000000         | je                  0x99
            //   8d442408             | lea                 eax, dword ptr [esp + 8]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 368640
}
Download all Yara Rules