win.hermeticwizard

HermeticWizard


There is no Malpedia description at this point. The references below cover HermeticWizard's self-spreading mechanism and its network artifacts (ET Labs, Silas Cutler) and list it alongside HermeticWiper, IsaacWiper, PartyTicket and WhisperGate in early-2022 reporting on cyberattacks against Ukraine (Kaspersky GReAT, InQuest).

References
2022-04-07InQuestWill MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-14KasperskyGReAT
@online{great:20220314:webinar:f6bfb3c, author = {GReAT}, title = {{Webinar on cyberattacks in Ukraine – summary and Q&A}}, date = {2022-03-14}, organization = {Kaspersky}, url = {https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/}, language = {English}, urldate = {2022-04-05} } Webinar on cyberattacks in Ukraine – summary and Q&A
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-12Twitter (@ET_Labs)ET Labs
@online{labs:20220312:quick:ef9cb00, author = {ET Labs}, title = {{A quick thread examining the network artifacts of the HermeticWizard spreading}}, date = {2022-03-12}, organization = {Twitter (@ET_Labs)}, url = {https://twitter.com/ET_Labs/status/1502494650640351236}, language = {English}, urldate = {2022-03-28} } A quick thread examining the network artifacts of the HermeticWizard spreading
HermeticWizard
2022-03-10BrightTALK (Kaspersky GReAT)Costin Raiu, Marco Preuss, Kurt Baumgartner, Dan Demeter, Ivan Kwiatkowski
@online{raiu:20220310:brighttalk:a3d9072, author = {Costin Raiu and Marco Preuss and Kurt Baumgartner and Dan Demeter and Ivan Kwiatkowski}, title = {{BrightTALK: A look at current cyberattacks in Ukraine}}, date = {2022-03-10}, organization = {BrightTALK (Kaspersky GReAT)}, url = {https://www.brighttalk.com/webcast/15591/534324}, language = {English}, urldate = {2022-04-05} } BrightTALK: A look at current cyberattacks in Ukraine
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-09Twitter (@silascutler)Silas Cutler
@online{cutler:20220309:hermeticwizards:3cd717d, author = {Silas Cutler}, title = {{Tweet on HermeticWizard's self-spreading mechanism}}, date = {2022-03-09}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1501668345640366091}, language = {English}, urldate = {2022-03-10} } Tweet on HermeticWizard's self-spreading mechanism
HermeticWizard
Yara Rules
[TLP:WHITE] win_hermeticwizard_auto (20220516 | Detects win.hermeticwizard.)
rule win_hermeticwizard_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.hermeticwizard."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (deployment caveats; the rule body below is unmodified)
     * - Every sequence is 32-bit x86 code (ebp/esp-relative addressing,
     *   32-bit registers), so this rule matches the x86 build that Malpedia
     *   holds. A 64-bit build, if one exists, would not match.
     * - Sequences were taken from memory dumps / unpacked files (see the
     *   disclaimer), so a packed on-disk sample is not expected to match;
     *   scan unpacked files or process memory.
     * - $sequence_6 embeds an absolute address (0x10012b2b) inside the
     *   jump-table operand. That byte pattern only survives when the image is
     *   mapped at its preferred base (presumably 0x10000000, i.e. a DLL —
     *   confirm) or scanned on disk before relocation; under a relocated
     *   mapping that sequence will not fire. The "7 of them" threshold
     *   tolerates this, but do not count on $sequence_6 in memory scans.
     * - NOTE(review): `filesize` is undefined when YARA scans a live process
     *   rather than a file, so the `filesize < 263168` clause is expected to
     *   evaluate false in that mode and suppress the match. Confirm against
     *   your YARA version; for process scanning, drop the clause or guard it
     *   (e.g. `(not defined filesize or filesize < 263168)`).
     * - Each sequence carries score = 100 from the generator; that is the
     *   signator weighting, not an independently validated confidence level.
     */


    strings:
        // js / lea / push / call: a result check followed by a call with a
        // stack-buffer argument (ebp - 0x11b8 implies a large local frame).
        $sequence_0 = { 0f881e080000 8d8548eeffff 50 ff15???????? }
            // n = 4, score = 100
            //   0f881e080000         | js                  0x824
            //   8d8548eeffff         | lea                 eax, [ebp - 0x11b8]
            //   50                   | push                eax
            //   ff15????????         |                     

        // Stores 16-bit values into consecutive stack words (0x6c = 'l',
        // then a zero terminator): looks like a UTF-16 string being built
        // on the stack at runtime — presumably to avoid a plain-text string
        // in the binary; TODO confirm which string.
        $sequence_1 = { 66894596 6a6c 58 66894598 33c0 6689459e 8d4588 }
            // n = 7, score = 100
            //   66894596             | mov                 word ptr [ebp - 0x6a], ax
            //   6a6c                 | push                0x6c
            //   58                   | pop                 eax
            //   66894598             | mov                 word ptr [ebp - 0x68], ax
            //   33c0                 | xor                 eax, eax
            //   6689459e             | mov                 word ptr [ebp - 0x62], ax
            //   8d4588               | lea                 eax, [ebp - 0x78]

        // Linked-list walk: call on (ebx + 8), break on non-zero result,
        // otherwise follow [esi] until esi == edi. Call target is wildcarded.
        $sequence_2 = { 8d4b08 e8???????? 84c0 7506 8b36 3bf7 75ea }
            // n = 7, score = 100
            //   8d4b08               | lea                 ecx, [ebx + 8]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7506                 | jne                 8
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   3bf7                 | cmp                 esi, edi
            //   75ea                 | jne                 0xffffffec

        // thiscall prologue (this in ecx) with an early exit when the
        // member at offset 4 is null. Short and generic; relies on the
        // other sequences for specificity.
        $sequence_3 = { 56 8bf1 837e0400 747e }
            // n = 4, score = 100
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   837e0400             | cmp                 dword ptr [esi + 4], 0
            //   747e                 | je                  0x80

        // Loop tail stepping edi by 4 while bx is non-zero — consistent with
        // scanning a 16-bit-element (wide-char) buffer; generic on its own.
        $sequence_4 = { 83c704 6685db 75de 33c9 }
            // n = 4, score = 100
            //   83c704               | add                 edi, 4
            //   6685db               | test                bx, bx
            //   75de                 | jne                 0xffffffe0
            //   33c9                 | xor                 ecx, ecx

        $sequence_5 = { e8???????? eb5c 8d45ec 8bce 50 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   eb5c                 | jmp                 0x5e
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax

        // 32-way switch via jump table. The table address 0x10012b2b is a
        // hard-coded absolute VA (see REVIEW NOTES): this sequence is
        // image-base dependent and will not match a relocated mapping.
        $sequence_6 = { 83fe1f 0f8705050000 ff24b52b2b0110 8b41e4 }
            // n = 4, score = 100
            //   83fe1f               | cmp                 esi, 0x1f
            //   0f8705050000         | ja                  0x50b
            //   ff24b52b2b0110       | jmp                 dword ptr [esi*4 + 0x10012b2b]
            //   8b41e4               | mov                 eax, dword ptr [ecx - 0x1c]

        // Two stack-buffer addresses passed in edx/ecx to a wildcarded call,
        // one argument popped afterwards, result tested and branched on.
        $sequence_7 = { 8d542418 8d4c2430 e8???????? 59 84c0 0f8493000000 }
            // n = 6, score = 100
            //   8d542418             | lea                 edx, [esp + 0x18]
            //   8d4c2430             | lea                 ecx, [esp + 0x30]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   84c0                 | test                al, al
            //   0f8493000000         | je                  0x99

        // Bounds check: remaining = [edx+0x14] - eax, compared against a
        // caller-supplied length, then a second compare against 8.
        $sequence_8 = { 8b4a14 2bc8 3b4c2420 721d 837c242408 }
            // n = 5, score = 100
            //   8b4a14               | mov                 ecx, dword ptr [edx + 0x14]
            //   2bc8                 | sub                 ecx, eax
            //   3b4c2420             | cmp                 ecx, dword ptr [esp + 0x20]
            //   721d                 | jb                  0x1f
            //   837c242408           | cmp                 dword ptr [esp + 0x24], 8

        // Pointer-stepping search loop (eax += 4 until eax == edx) followed
        // by a found/not-found branch. Generic compiler output; low weight
        // on its own.
        $sequence_9 = { 7407 83c004 3bc2 75c3 3bc2 7435 }
            // n = 6, score = 100
            //   7407                 | je                  9
            //   83c004               | add                 eax, 4
            //   3bc2                 | cmp                 eax, edx
            //   75c3                 | jne                 0xffffffc5
            //   3bc2                 | cmp                 eax, edx
            //   7435                 | je                  0x37

    condition:
        // 7 of the 10 sequences must hit: up to three may be lost to
        // relocation ($sequence_6), recompilation or minor variants without
        // losing the match. 263168 bytes = 257 KiB, a ceiling derived from
        // the documented sample; widen it if larger builds are observed.
        // See REVIEW NOTES on `filesize` being undefined for process scans.
        7 of them and filesize < 263168
}