win.hermeticwizard (Back to overview)

HermeticWizard


There is no description at this point.

References
2022-10-24 | Youtube (Virus Bulletin) | Alexander Adamov
@online{adamov:20221024:russian:97d3e2a, author = {Alexander Adamov}, title = {{Russian wipers in the cyberwar against Ukraine}}, date = {2022-10-24}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=mrTdSdMMgnk}, language = {English}, urldate = {2023-03-20} } Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate
2022-04-07 | InQuest | Will MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-14 | Kaspersky | GReAT
@online{great:20220314:webinar:f6bfb3c, author = {GReAT}, title = {{Webinar on cyberattacks in Ukraine – summary and Q&A}}, date = {2022-03-14}, organization = {Kaspersky}, url = {https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/}, language = {English}, urldate = {2022-04-05} } Webinar on cyberattacks in Ukraine – summary and Q&A
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-12 | Twitter (@ET_Labs) | ET Labs
@online{labs:20220312:quick:ef9cb00, author = {ET Labs}, title = {{A quick thread examining the network artifacts of the HermeticWizard spreading}}, date = {2022-03-12}, organization = {Twitter (@ET_Labs)}, url = {https://twitter.com/ET_Labs/status/1502494650640351236}, language = {English}, urldate = {2022-03-28} } A quick thread examining the network artifacts of the HermeticWizard spreading
HermeticWizard
2022-03-10 | BrightTALK (Kaspersky GReAT) | Costin Raiu, Marco Preuss, Kurt Baumgartner, Dan Demeter, Ivan Kwiatkowski
@online{raiu:20220310:brighttalk:a3d9072, author = {Costin Raiu and Marco Preuss and Kurt Baumgartner and Dan Demeter and Ivan Kwiatkowski}, title = {{BrightTALK: A look at current cyberattacks in Ukraine}}, date = {2022-03-10}, organization = {BrightTALK (Kaspersky GReAT)}, url = {https://www.brighttalk.com/webcast/15591/534324}, language = {English}, urldate = {2022-04-05} } BrightTALK: A look at current cyberattacks in Ukraine
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-09 | Twitter (@silascutler) | Silas Cutler
@online{cutler:20220309:hermeticwizards:3cd717d, author = {Silas Cutler}, title = {{Tweet on HermeticWizard's self-spreading mechanism}}, date = {2022-03-09}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1501668345640366091}, language = {English}, urldate = {2022-03-10} } Tweet on HermeticWizard's self-spreading mechanism
HermeticWizard
Yara Rules
[TLP:WHITE] win_hermeticwizard_auto (20230715 | Detects win.hermeticwizard.)
rule win_hermeticwizard_auto {
    // Auto-generated code-sequence rule (yara-signator) for win.hermeticwizard.
    // Each $sequence_N string is a run of 32-bit x86 instruction bytes lifted
    // from disassembly (see the per-string comments); `??` bytes are wildcards
    // that leave operand bytes unpinned, which from the disassembly appear to be
    // call/jump targets that vary between builds. Only the `condition:` section
    // at the bottom decides whether the rule fires.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.hermeticwizard."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33ff 837d0c00 744b 53 ff750c ff15???????? }
            // n = 6, score = 100
            //   33ff                 | xor                 edi, edi
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   744b                 | je                  0x4d
            //   53                   | push                ebx
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff15????????         |                     

        $sequence_1 = { 894de0 ff15???????? f7d8 1ac0 fec0 5f }
            // n = 6, score = 100
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   ff15????????         |                     
            //   f7d8                 | neg                 eax
            //   1ac0                 | sbb                 al, al
            //   fec0                 | inc                 al
            //   5f                   | pop                 edi

        $sequence_2 = { 7415 668b5902 663b5f02 750f }
            // n = 4, score = 100
            //   7415                 | je                  0x17
            //   668b5902             | mov                 bx, word ptr [ecx + 2]
            //   663b5f02             | cmp                 bx, word ptr [edi + 2]
            //   750f                 | jne                 0x11

        // NOTE(review): $sequence_3, $sequence_5 and $sequence_6 embed absolute
        // image addresses (0x10015dc0, 0x1001ddc0, 0x10017cc4) as literal bytes,
        // so they are tied to the layout of the sample they were extracted from;
        // a rebuilt or differently based module would presumably miss on these
        // three, which the 7-of-10 threshold below can absorb but not much more.
        $sequence_3 = { 8b450c 0fb684c8c05d0110 c1e804 5d c20800 }
            // n = 5, score = 100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0fb684c8c05d0110     | movzx               eax, byte ptr [eax + ecx*8 + 0x10015dc0]
            //   c1e804               | shr                 eax, 4
            //   5d                   | pop                 ebp
            //   c20800               | ret                 8

        $sequence_4 = { 8bcf 50 e8???????? eb61 8d45e8 8bce }
            // n = 6, score = 100
            //   8bcf                 | mov                 ecx, edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   eb61                 | jmp                 0x63
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   8bce                 | mov                 ecx, esi

        $sequence_5 = { 6bc930 53 56 8b0485c0dd0110 33db 8b7508 }
            // n = 6, score = 100
            //   6bc930               | imul                ecx, ecx, 0x30
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8b0485c0dd0110       | mov                 eax, dword ptr [eax*4 + 0x1001ddc0]
            //   33db                 | xor                 ebx, ebx
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        $sequence_6 = { 0f84d3000000 8b048dc47c0110 89859cf8ffff 85c0 0f8498000000 }
            // n = 5, score = 100
            //   0f84d3000000         | je                  0xd9
            //   8b048dc47c0110       | mov                 eax, dword ptr [ecx*4 + 0x10017cc4]
            //   89859cf8ffff         | mov                 dword ptr [ebp - 0x764], eax
            //   85c0                 | test                eax, eax
            //   0f8498000000         | je                  0x9e

        $sequence_7 = { 66894584 33c0 66894586 8d856cffffff 50 6689957affffff }
            // n = 6, score = 100
            //   66894584             | mov                 word ptr [ebp - 0x7c], ax
            //   33c0                 | xor                 eax, eax
            //   66894586             | mov                 word ptr [ebp - 0x7a], ax
            //   8d856cffffff         | lea                 eax, [ebp - 0x94]
            //   50                   | push                eax
            //   6689957affffff       | mov                 word ptr [ebp - 0x86], dx

        $sequence_8 = { 750c 8b4d08 8d4708 50 e8???????? 8b3f }
            // n = 6, score = 100
            //   750c                 | jne                 0xe
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d4708               | lea                 eax, [edi + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b3f                 | mov                 edi, dword ptr [edi]

        $sequence_9 = { 8bd1 8d7de4 59 33c0 }
            // n = 4, score = 100
            //   8bd1                 | mov                 edx, ecx
            //   8d7de4               | lea                 edi, [ebp - 0x1c]
            //   59                   | pop                 ecx
            //   33c0                 | xor                 eax, eax

    condition:
        // Fires when at least 7 of the 10 sequences above are present and the
        // scanned object is smaller than 263168 bytes (257 KiB). The size cap
        // keeps the rule from being evaluated against large files; check how
        // `filesize` behaves in your scan mode (e.g. process-memory scans)
        // before relying on the cap, and treat a hit as a single-sample,
        // auto-generated signature per the DISCLAIMER when assigning confidence.
        7 of them and filesize < 263168
}