SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hermes (Back to overview)

Hermes

Actor(s): Lazarus Group

URLhaus    

There is no description at this point.

References
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2020-12-09CrowdStrikeJosh Burgess, Jason Rivera
@techreport{burgess:20201209:from:1811e9c, author = {Josh Burgess and Jason Rivera}, title = {{From Zero to SixtyThe Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower}}, date = {2020-12-09}, institution = {CrowdStrike}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf}, language = {English}, urldate = {2020-12-11} } From Zero to SixtyThe Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower
FastCash Hermes WannaCryptor
2020-11-21vxhive blog0xastrovax
@online{0xastrovax:20201121:deep:89c1a51, author = {0xastrovax}, title = {{Deep Dive Into HERMES Ransomware}}, date = {2020-11-21}, organization = {vxhive blog}, url = {https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html}, language = {English}, urldate = {2021-12-13} } Deep Dive Into HERMES Ransomware
Hermes
2020-11-14Medium 0xastrovaxastrovax
@online{astrovax:20201114:deep:b50ae08, author = {astrovax}, title = {{Deep Dive Into Ryuk Ransomware}}, date = {2020-11-14}, organization = {Medium 0xastrovax}, url = {https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12}, language = {English}, urldate = {2021-01-25} } Deep Dive Into Ryuk Ransomware
Hermes Ryuk
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-03-18DCSODCSO
@online{dcso:20190318:enterprise:ff92a62, author = {DCSO}, title = {{Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware}}, date = {2019-03-18}, organization = {DCSO}, url = {https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/}, language = {English}, urldate = {2021-12-13} } Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware
Hermes
2018-11-17Youtube (Demonslay335)Michael Gillespie
@online{gillespie:20181117:analyzing:ecd5641, author = {Michael Gillespie}, title = {{Analyzing Ransomware - Beginner Static Analysis}}, date = {2018-11-17}, organization = {Youtube (Demonslay335)}, url = {https://www.youtube.com/watch?v=9nuo-AGg4p4}, language = {English}, urldate = {2021-12-13} } Analyzing Ransomware - Beginner Static Analysis
Hermes
2018-07-30ProofpointProofpoint Staff
@online{staff:20180730:new:07c5e76, author = {Proofpoint Staff}, title = {{New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign}}, date = {2018-07-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside}, language = {English}, urldate = {2021-12-13} } New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Azorult Hermes
2017-10-16Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, James Wong
@online{shevchenko:20171016:taiwan:081b125, author = {Sergei Shevchenko and Hirman Muhammad bin Abu Bakar and James Wong}, title = {{Taiwan Heist: Lazarus Tools and Ransomware}}, date = {2017-10-16}, url = {http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html}, language = {English}, urldate = {2020-01-07} } Taiwan Heist: Lazarus Tools and Ransomware
Bitsran Hermes
Yara Rules
[TLP:WHITE] win_hermes_auto (20220411 | Detects win.hermes.)
rule win_hermes_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.hermes."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 6a01 6810660000 ff75fc ff15???????? 85c0 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   6a01                 | push                1
            //   6810660000           | push                0x6610
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_1 = { ff15???????? 33d2 6a79 59 f7f1 83c261 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   6a79                 | push                0x79
            //   59                   | pop                 ecx
            //   f7f1                 | div                 ecx
            //   83c261               | add                 edx, 0x61

        $sequence_2 = { 6a01 ff15???????? 8d45fc 50 }
            // n = 4, score = 200
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax

        $sequence_3 = { 33d2 6a79 59 f7f1 83c261 }
            // n = 5, score = 200
            //   33d2                 | xor                 edx, edx
            //   6a79                 | push                0x79
            //   59                   | pop                 ecx
            //   f7f1                 | div                 ecx
            //   83c261               | add                 edx, 0x61

        $sequence_4 = { 7508 6a01 ff15???????? 8be5 5d c3 }
            // n = 6, score = 200
            //   7508                 | jne                 0xa
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_5 = { 7508 6a01 ff15???????? 8be5 5d }
            // n = 5, score = 200
            //   7508                 | jne                 0xa
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_6 = { 8b4508 83c801 50 6a01 }
            // n = 4, score = 200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83c801               | or                  eax, 1
            //   50                   | push                eax
            //   6a01                 | push                1

        $sequence_7 = { 6a01 6810660000 ff75fc ff15???????? }
            // n = 4, score = 200
            //   6a01                 | push                1
            //   6810660000           | push                0x6610
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     

        $sequence_8 = { 7508 6a01 ff15???????? 8be5 5d c3 55 }
            // n = 7, score = 200
            //   7508                 | jne                 0xa
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_9 = { 50 6a01 6810660000 ff75fc ff15???????? }
            // n = 5, score = 200
            //   50                   | push                eax
            //   6a01                 | push                1
            //   6810660000           | push                0x6610
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 7192576
}
[TLP:WHITE] win_hermes_w0   (20180301 | No description)
rule win_hermes_w0 {
    meta:
        author = "BAE"
        reference = "https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        //in both version 2.1 and sample in Feb
        $s1 = "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\"
        $s2 = "0419"
        $s3 = "0422"
        $s4 = "0423"
        //in version 2.1 only
        $S1 = "HERMES"
        $S2 = "vssadminn"
        $S3 = "finish work"
        $S4 = "testlib.dll"
        $S5 = "shadowstorageiet"
        //maybe unique in the file
        $u1 = "ALKnvfoi4tbmiom3t40iomfr0i3t4jmvri3tb4mvi3btv3rgt4t777"
        $u2 = "HERMES 2.1 TEST BUILD, press ok"
        $u3 = "hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA" //RSA Key part
    condition:
        all of ($s*) and 3 of ($S*) and 1 of ($u*)
}
Download all Yara Rules