SYMBOLCOMMON_NAMEaka. SYNONYMS
win.hermes (Back to overview)

Hermes

Actor(s): Lazarus Group

VTCollection     URLhaus    

There is no description at this point.

References
2021-08-05KrebsOnSecurityBrian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2020-12-09CrowdStrikeJason Rivera, Josh Burgess
From Zero to SixtyThe Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower
FastCash Hermes WannaCryptor
2020-11-21vxhive blog0xastrovax
Deep Dive Into HERMES Ransomware
Hermes
2020-11-14Medium 0xastrovaxastrovax
Deep Dive Into Ryuk Ransomware
Hermes Ryuk
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-02-19LexfoLexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2019-03-18DCSODCSO
Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware
Hermes
2018-11-17Youtube (Demonslay335)Michael Gillespie
Analyzing Ransomware - Beginner Static Analysis
Hermes
2018-07-30ProofpointProofpoint Staff
New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Azorult Hermes
2018-03-14Malwarebytes Labshasherezade, Jérôme Segura, Vasilios Hioureas
Hermes ransomware distributed to South Koreans via recent Flash zero-day
Hermes
2017-10-16Hirman Muhammad bin Abu Bakar, James Wong, Sergei Shevchenko
Taiwan Heist: Lazarus Tools and Ransomware
Bitsran Hermes
Yara Rules
[TLP:WHITE] win_hermes_auto (20241030 | Detects win.hermes.)
rule win_hermes_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.hermes."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a79 59 f7f1 83c261 }
            // n = 4, score = 200
            //   6a79                 | push                0x79
            //   59                   | pop                 ecx
            //   f7f1                 | div                 ecx
            //   83c261               | add                 edx, 0x61

        $sequence_1 = { ff15???????? 33d2 6a79 59 f7f1 83c261 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   6a79                 | push                0x79
            //   59                   | pop                 ecx
            //   f7f1                 | div                 ecx
            //   83c261               | add                 edx, 0x61

        $sequence_2 = { 6810660000 ff75fc ff15???????? 85c0 }
            // n = 4, score = 200
            //   6810660000           | push                0x6610
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_3 = { 50 8d45fc 50 ff15???????? 6a20 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a20                 | push                0x20

        $sequence_4 = { 83c801 50 6a01 ff75fc ff15???????? }
            // n = 5, score = 200
            //   83c801               | or                  eax, 1
            //   50                   | push                eax
            //   6a01                 | push                1
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     

        $sequence_5 = { 8b4508 83c801 50 6a01 }
            // n = 4, score = 200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83c801               | or                  eax, 1
            //   50                   | push                eax
            //   6a01                 | push                1

        $sequence_6 = { 7508 6a01 ff15???????? 8be5 5d }
            // n = 5, score = 200
            //   7508                 | jne                 0xa
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_7 = { ff15???????? 6a07 59 be???????? }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   6a07                 | push                7
            //   59                   | pop                 ecx
            //   be????????           |                     

        $sequence_8 = { 7508 6a01 ff15???????? 8d45fc 50 }
            // n = 5, score = 200
            //   7508                 | jne                 0xa
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

        $sequence_9 = { 50 6a01 6810660000 ff75fc ff15???????? 85c0 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   6a01                 | push                1
            //   6810660000           | push                0x6610
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 7192576
}
[TLP:WHITE] win_hermes_w0   (20180301 | No description)
rule win_hermes_w0 {
    meta:
        author = "BAE"
        reference = "https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        //in both version 2.1 and sample in Feb
        $s1 = "SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\"
        $s2 = "0419"
        $s3 = "0422"
        $s4 = "0423"
        //in version 2.1 only
        $S1 = "HERMES"
        $S2 = "vssadminn"
        $S3 = "finish work"
        $S4 = "testlib.dll"
        $S5 = "shadowstorageiet"
        //maybe unique in the file
        $u1 = "ALKnvfoi4tbmiom3t40iomfr0i3t4jmvri3tb4mvi3btv3rgt4t777"
        $u2 = "HERMES 2.1 TEST BUILD, press ok"
        $u3 = "hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA" //RSA Key part
    condition:
        all of ($s*) and 3 of ($S*) and 1 of ($u*)
}
Download all Yara Rules