win.hardrain

HARDRAIN

Actor(s): Lazarus Group


No description has been written for this family yet; the only analyses listed here are the US-CERT malware analysis report (MAR-10135536-F) and the Lexfo whitepaper under References below.

References
2020-02-19 — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-02-05 — US-CERT (author not named)
@techreport{unknown:20180205:hidden:3e1e07e, author = {Unknown Unknown}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2018-02-05}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf}, language = {English}, urldate = {2019-12-20} } HIDDEN COBRA - North Korean Malicious Cyber Activity
HARDRAIN HARDRAIN
Yara Rules
[TLP:WHITE] win_hardrain_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_hardrain_auto {

    // Auto-generated code-sequence signature for the HARDRAIN family (see
    // malpedia_reference below). The strings are raw x86 opcode bytes selected
    // by yara-signator from disassembly, not analyst-chosen indicators; read
    // the DISCLAIMER before assigning this rule a confidence level.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reading the sequences: each hex string is a run of consecutive 32-bit x86
    // instruction bytes; the `??` wildcards mask the 4-byte operands of
    // `e8` (call rel32) and `ff15` (call [mem32]), which change between builds
    // and load addresses. The per-string `n` is the instruction count; `score`
    // is the generator's ranking metric (see the yara-signator docs for its
    // exact meaning). Because the sequences were taken from unpacked code,
    // expect no match on packed or encrypted on-disk samples.

    strings:
        $sequence_0 = { 57 8bf9 85ed 897c2410 750a 5f 5e }
            // n = 7, score = 200
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   85ed                 | test                ebp, ebp
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi
            //   750a                 | jne                 0xc
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        // $sequence_1 and $sequence_4 end in the same `55 8bce e8` tail
        // (push ebp; mov ecx, esi; call), so they are likely to hit together.
        $sequence_1 = { e8???????? 85c0 0f8498000000 55 8bce e8???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8498000000         | je                  0x9e
            //   55                   | push                ebp
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_2 = { 5e 81c418010000 c20400 83ec0c }
            // n = 4, score = 200
            //   5e                   | pop                 esi
            //   81c418010000         | add                 esp, 0x118
            //   c20400               | ret                 4
            //   83ec0c               | sub                 esp, 0xc

        $sequence_3 = { 40 668b00 50 ff15???????? 6689460c }
            // n = 5, score = 200
            //   40                   | inc                 eax
            //   668b00               | mov                 ax, word ptr [eax]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6689460c             | mov                 word ptr [esi + 0xc], ax

        $sequence_4 = { 8bce e8???????? 85c0 0f84b0000000 55 8bce e8???????? }
            // n = 7, score = 200
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f84b0000000         | je                  0xb6
            //   55                   | push                ebp
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_5 = { 85ff 897108 7e21 53 8bdf 8b790c }
            // n = 6, score = 200
            //   85ff                 | test                edi, edi
            //   897108               | mov                 dword ptr [ecx + 8], esi
            //   7e21                 | jle                 0x23
            //   53                   | push                ebx
            //   8bdf                 | mov                 ebx, edi
            //   8b790c               | mov                 edi, dword ptr [ecx + 0xc]

        // $sequence_6 and $sequence_8 share the `e8 ... 83c4?? 85c0 740a`
        // call-then-test-result shape and differ mainly in stack offsets.
        $sequence_6 = { 89442418 894c2414 e8???????? 83c410 85c0 740a }
            // n = 6, score = 200
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   894c2414             | mov                 dword ptr [esp + 0x14], ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc

        $sequence_7 = { 897104 5e 7428 8bc2 d1e8 33c2 c1e804 }
            // n = 7, score = 200
            //   897104               | mov                 dword ptr [ecx + 4], esi
            //   5e                   | pop                 esi
            //   7428                 | je                  0x2a
            //   8bc2                 | mov                 eax, edx
            //   d1e8                 | shr                 eax, 1
            //   33c2                 | xor                 eax, edx
            //   c1e804               | shr                 eax, 4

        $sequence_8 = { 894c242c e8???????? 83c414 85c0 740a b802000000 5e }
            // n = 7, score = 200
            //   894c242c             | mov                 dword ptr [esp + 0x2c], ecx
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc
            //   b802000000           | mov                 eax, 2
            //   5e                   | pop                 esi

        $sequence_9 = { 8b4c2404 68b4000000 6a01 680c010000 50 51 e8???????? }
            // n = 7, score = 200
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]
            //   68b4000000           | push                0xb4
            //   6a01                 | push                1
            //   680c010000           | push                0x10c
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     

    condition:
        // At least 7 of the 10 sequences must be present. Several pairs share
        // sub-patterns (see notes on $sequence_1/$sequence_4 and
        // $sequence_6/$sequence_8), so the hits are not fully independent.
        // The size bound (368640 = 360 KiB) applies to the object being scanned:
        // a full process memory dump above that size will not match even when
        // every sequence is present, so scan the dumped/unmapped module image
        // rather than the whole dump. There is deliberately no MZ/PE header
        // check, so the rule still applies to headerless memory regions.
        7 of them and filesize < 368640
}