
HARDRAIN

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-19 Lexfo Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2018-02-05 US-CERT Unknown Unknown
@techreport{unknown:20180205:hidden:3e1e07e, author = {Unknown Unknown}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2018-02-05}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf}, language = {English}, urldate = {2019-12-20} } HIDDEN COBRA - North Korean Malicious Cyber Activity
HARDRAIN HARDRAIN
Yara Rules
[TLP:WHITE] win_hardrain_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_hardrain_auto {

    // Autogenerated detection rule for the HARDRAIN family (see malpedia_reference).
    // The byte sequences below were lifted by yara-signator from the disassembly
    // of Malpedia's sample(s); nothing in this rule was hand-selected.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a 32-bit x86 instruction byte pattern; the
        // annotated listing under each string shows the instructions the bytes
        // decode to. `??` wildcards mask the 4-byte operand of call (e8),
        // push imm32 (68), call [mem] (ff15) and mov eax,[mem] (a1), i.e. the
        // parts that are address/layout specific. Sequences that still contain
        // a literal absolute address in their bytes are flagged below, since
        // those will only match a build with the same address layout.

        $sequence_0 = { 8bce e8???????? 8b4e10 8b560c 8b4608 33ca 33c8 }
            // n = 7, score = 100
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   8b560c               | mov                 edx, dword ptr [esi + 0xc]
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   33ca                 | xor                 ecx, edx
            //   33c8                 | xor                 ecx, eax
            // Loads three dword fields at esi+8/+0xc/+0x10 and xors them together.

        $sequence_1 = { 85c0 7e34 8d542424 52 }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   7e34                 | jle                 0x36
            //   8d542424             | lea                 edx, [esp + 0x24]
            //   52                   | push                edx

        $sequence_2 = { e8???????? 83c404 85c0 7455 8b4c2404 68???????? 6851520000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7455                 | je                  0x57
            //   8b4c2404             | mov                 ecx, dword ptr [esp + 4]
            //   68????????           |                     
            //   6851520000           | push                0x5251

        // NOTE(review): the jmp below embeds the absolute table address 0x3445f0
        // in its bytes (not wildcarded), so this sequence is tied to the sample's
        // image layout; a rebased or recompiled build would likely not match it.
        $sequence_3 = { 83fe03 775a ff24b5f0453400 8d7d02 b906000000 8db42498000000 f3a5 }
            // n = 7, score = 100
            //   83fe03               | cmp                 esi, 3
            //   775a                 | ja                  0x5c
            //   ff24b5f0453400       | jmp                 dword ptr [esi*4 + 0x3445f0]
            //   8d7d02               | lea                 edi, [ebp + 2]
            //   b906000000           | mov                 ecx, 6
            //   8db42498000000       | lea                 esi, [esp + 0x98]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            // Four-way jump table on esi, then a 6-dword (24-byte) copy from the stack to ebp+2.

        $sequence_4 = { 84c9 7518 40 668b00 }
            // n = 4, score = 100
            //   84c9                 | test                cl, cl
            //   7518                 | jne                 0x1a
            //   40                   | inc                 eax
            //   668b00               | mov                 ax, word ptr [eax]

        $sequence_5 = { 8b742408 68b4000000 6a01 8d442410 }
            // n = 4, score = 100
            //   8b742408             | mov                 esi, dword ptr [esp + 8]
            //   68b4000000           | push                0xb4
            //   6a01                 | push                1
            //   8d442410             | lea                 eax, [esp + 0x10]

        // NOTE(review): two absolute addresses (0x34d3e8 lookup table, 0x345f9c
        // jump table) are baked into this sequence; same layout-dependence caveat
        // as $sequence_3.
        $sequence_6 = { 33c0 0fbe84c1e8d33400 c1f804 83f807 8945c4 0f87e9060000 ff24859c5f3400 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   0fbe84c1e8d33400     | movsx               eax, byte ptr [ecx + eax*8 + 0x34d3e8]
            //   c1f804               | sar                 eax, 4
            //   83f807               | cmp                 eax, 7
            //   8945c4               | mov                 dword ptr [ebp - 0x3c], eax
            //   0f87e9060000         | ja                  0x6ef
            //   ff24859c5f3400       | jmp                 dword ptr [eax*4 + 0x345f9c]
            // Table-driven dispatch: byte lookup, high nibble selects one of 8 cases.

        $sequence_7 = { 3d41030000 7523 68???????? ff15???????? 56 }
            // n = 5, score = 100
            //   3d41030000           | cmp                 eax, 0x341
            //   7523                 | jne                 0x25
            //   68????????           |                     
            //   ff15????????         |                     
            //   56                   | push                esi

        // NOTE(review): absolute address 0x368c10 embedded in the first compare;
        // same layout-dependence caveat as $sequence_3.
        $sequence_8 = { 3b96108c3600 0f851c010000 a1???????? 83f801 0f84e8000000 85c0 750d }
            // n = 7, score = 100
            //   3b96108c3600         | cmp                 edx, dword ptr [esi + 0x368c10]
            //   0f851c010000         | jne                 0x122
            //   a1????????           |                     
            //   83f801               | cmp                 eax, 1
            //   0f84e8000000         | je                  0xee
            //   85c0                 | test                eax, eax
            //   750d                 | jne                 0xf

        $sequence_9 = { 7429 6a02 6a00 6a00 56 }
            // n = 5, score = 100
            //   7429                 | je                  0x2b
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   56                   | push                esi

    condition:
        // Match when at least 7 of the 10 sequences are present AND the scanned
        // object is smaller than 368640 bytes (360 KiB). The size cap means a
        // padded, packed-with-overlay, or larger unpacked/dumped image will not
        // match even if every sequence is found; relax it deliberately if that
        // is the intended use case. Expect the rule to match one build of the
        // family well and related builds less reliably (see DISCLAIMER above).
        7 of them and filesize < 368640
}