SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hermes (Back to overview)

Hermes

Actor(s): Lazarus Group

URLhaus    

There is no description at this point.

References
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2020-12-09CrowdStrikeJosh Burgess, Jason Rivera
@techreport{burgess:20201209:from:1811e9c, author = {Josh Burgess and Jason Rivera}, title = {{From Zero to SixtyThe Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower}}, date = {2020-12-09}, institution = {CrowdStrike}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf}, language = {English}, urldate = {2020-12-11} } From Zero to SixtyThe Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower
FastCash Hermes WannaCryptor
2020-11-21vxhive blog0xastrovax
@online{0xastrovax:20201121:deep:89c1a51, author = {0xastrovax}, title = {{Deep Dive Into HERMES Ransomware}}, date = {2020-11-21}, organization = {vxhive blog}, url = {https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html}, language = {English}, urldate = {2021-12-13} } Deep Dive Into HERMES Ransomware
Hermes
2020-11-14Medium 0xastrovaxastrovax
@online{astrovax:20201114:deep:b50ae08, author = {astrovax}, title = {{Deep Dive Into Ryuk Ransomware}}, date = {2020-11-14}, organization = {Medium 0xastrovax}, url = {https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12}, language = {English}, urldate = {2021-01-25} } Deep Dive Into Ryuk Ransomware
Hermes Ryuk
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-03-18DCSODCSO
@online{dcso:20190318:enterprise:ff92a62, author = {DCSO}, title = {{Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware}}, date = {2019-03-18}, organization = {DCSO}, url = {https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/}, language = {English}, urldate = {2021-12-13} } Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware
Hermes
2018-11-17Youtube (Demonslay335)Michael Gillespie
@online{gillespie:20181117:analyzing:ecd5641, author = {Michael Gillespie}, title = {{Analyzing Ransomware - Beginner Static Analysis}}, date = {2018-11-17}, organization = {Youtube (Demonslay335)}, url = {https://www.youtube.com/watch?v=9nuo-AGg4p4}, language = {English}, urldate = {2021-12-13} } Analyzing Ransomware - Beginner Static Analysis
Hermes
2018-07-30ProofpointProofpoint Staff
@online{staff:20180730:new:07c5e76, author = {Proofpoint Staff}, title = {{New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign}}, date = {2018-07-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside}, language = {English}, urldate = {2021-12-13} } New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Azorult Hermes
2017-10-16Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, James Wong
@online{shevchenko:20171016:taiwan:081b125, author = {Sergei Shevchenko and Hirman Muhammad bin Abu Bakar and James Wong}, title = {{Taiwan Heist: Lazarus Tools and Ransomware}}, date = {2017-10-16}, url = {http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html}, language = {English}, urldate = {2020-01-07} } Taiwan Heist: Lazarus Tools and Ransomware
Bitsran Hermes
Yara Rules
[TLP:WHITE] win_hermes_auto (20230125 | Detects win.hermes.)
rule win_hermes_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.hermes."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 6a07 59 be???????? }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   6a07                 | push                7
            //   59                   | pop                 ecx
            //   be????????           |                     

        $sequence_1 = { 83c801 50 6a01 ff75fc }
            // n = 4, score = 200
            //   83c801               | or                  eax, 1
            //   50                   | push                eax
            //   6a01                 | push                1
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_2 = { 50 8b4508 83c801 50 6a01 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83c801               | or                  eax, 1
            //   50                   | push                eax
            //   6a01                 | push                1

        $sequence_3 = { 50 8d45fc 50 ff15???????? 6a20 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a20                 | push                0x20

        $sequence_4 = { 6a04 6800100000 6888130000 6a00 }
            // n = 4, score = 200
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   6888130000           | push                0x1388
            //   6a00                 | push                0

        $sequence_5 = { 6810660000 ff75fc ff15???????? 85c0 }
            // n = 4, score = 200
            //   6810660000           | push                0x6610
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_6 = { 50 8b4508 83c801 50 6a01 ff75fc ff15???????? }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83c801               | or                  eax, 1
            //   50                   | push                eax
            //   6a01                 | push                1
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     

        $sequence_7 = { 33d2 6a79 59 f7f1 83c261 }
            // n = 5, score = 200
            //   33d2                 | xor                 edx, edx
            //   6a79                 | push                0x79
            //   59                   | pop                 ecx
            //   f7f1                 | div                 ecx
            //   83c261               | add                 edx, 0x61

        $sequence_8 = { ff15???????? 33d2 6a79 59 f7f1 83c261 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   6a79                 | push                0x79
            //   59                   | pop                 ecx
            //   f7f1                 | div                 ecx
            //   83c261               | add                 edx, 0x61

        $sequence_9 = { ff15???????? 33d2 6a79 59 f7f1 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   6a79                 | push                0x79
            //   59                   | pop                 ecx
            //   f7f1                 | div                 ecx

    condition:
        7 of them and filesize < 7192576
}
[TLP:WHITE] win_hermes_w0   (20180301 | No description)
rule win_hermes_w0 {
    meta:
        author = "BAE"
        reference = "https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        //in both version 2.1 and sample in Feb
        $s1 = "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\"
        $s2 = "0419"
        $s3 = "0422"
        $s4 = "0423"
        //in version 2.1 only
        $S1 = "HERMES"
        $S2 = "vssadminn"
        $S3 = "finish work"
        $S4 = "testlib.dll"
        $S5 = "shadowstorageiet"
        //maybe unique in the file
        $u1 = "ALKnvfoi4tbmiom3t40iomfr0i3t4jmvri3tb4mvi3btv3rgt4t777"
        $u2 = "HERMES 2.1 TEST BUILD, press ok"
        $u3 = "hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA" //RSA Key part
    condition:
        all of ($s*) and 3 of ($S*) and 1 of ($u*)
}
Download all Yara Rules