win.hermeticwizard

HermeticWizard


There is no description at this point. The references below treat HermeticWizard as a self-spreading component observed alongside HermeticWiper during the early-2022 cyberattacks on Ukraine; the Silas Cutler and ET Labs threads listed below cover its spreading mechanism and the network artifacts it leaves.

References
2022-04-07 · InQuest · Will MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-14 · Kaspersky · GReAT
@online{great:20220314:webinar:f6bfb3c, author = {GReAT}, title = {{Webinar on cyberattacks in Ukraine – summary and Q&A}}, date = {2022-03-14}, organization = {Kaspersky}, url = {https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/}, language = {English}, urldate = {2022-04-05} } Webinar on cyberattacks in Ukraine – summary and Q&A
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-12 · Twitter (@ET_Labs) · ET Labs
@online{labs:20220312:quick:ef9cb00, author = {ET Labs}, title = {{A quick thread examining the network artifacts of the HermeticWizard spreading}}, date = {2022-03-12}, organization = {Twitter (@ET_Labs)}, url = {https://twitter.com/ET_Labs/status/1502494650640351236}, language = {English}, urldate = {2022-03-28} } A quick thread examining the network artifacts of the HermeticWizard spreading
HermeticWizard
2022-03-10 · BrightTALK (Kaspersky GReAT) · Costin Raiu, Marco Preuss, Kurt Baumgartner, Dan Demeter, Ivan Kwiatkowski
@online{raiu:20220310:brighttalk:a3d9072, author = {Costin Raiu and Marco Preuss and Kurt Baumgartner and Dan Demeter and Ivan Kwiatkowski}, title = {{BrightTALK: A look at current cyberattacks in Ukraine}}, date = {2022-03-10}, organization = {BrightTALK (Kaspersky GReAT)}, url = {https://www.brighttalk.com/webcast/15591/534324}, language = {English}, urldate = {2022-04-05} } BrightTALK: A look at current cyberattacks in Ukraine
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-09 · Twitter (@silascutler) · Silas Cutler
@online{cutler:20220309:hermeticwizards:3cd717d, author = {Silas Cutler}, title = {{Tweet on HermeticWizard's self-spreading mechanism}}, date = {2022-03-09}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1501668345640366091}, language = {English}, urldate = {2022-03-10} } Tweet on HermeticWizard's self-spreading mechanism
HermeticWizard
Yara Rules
[TLP:WHITE] win_hermeticwizard_auto (20221125 | Detects win.hermeticwizard.)
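rule win_hermeticwizard_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.hermeticwizard."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (deviations from the autogenerated original)
     * - $sequence_1 and $sequence_9 originally embedded 32-bit absolute data
     *   addresses (0x10018db4 and 0x1001ddc0). Those values only hold while
     *   the image is mapped at the base the documented sample was dumped at
     *   (0x10000000 is the usual linker default for a DLL). The upper two
     *   bytes of each reference are wildcarded below so the sequences still
     *   match a relocated image: Windows normally relocates an image by a
     *   multiple of the 64 KiB allocation granularity, so the low 16 bits of
     *   such a reference survive relocation. The wildcarded patterns are a
     *   strict superset of the originals; with "7 of them" still required the
     *   added false-positive risk is negligible.
     * - Call targets (e8???????? / ff15????????) were already wildcarded by
     *   the generator; relative jumps (0f85..., 0f88..., 74..) are position
     *   independent and left as they are.
     * - "filesize < 263168" is a meaningful bound for file scans only; when
     *   scanning process memory "filesize" does not describe the on-disk
     *   image, so do not rely on it as a false-positive control there.
     */


    strings:
        // 16-bit stores into stack slots (stack-string style construction)
        $sequence_0 = { 668945b0 58 668945b4 33c0 53 }
            // n = 5, score = 100
            //   668945b0             | mov                 word ptr [ebp - 0x50], ax
            //   58                   | pop                 eax
            //   668945b4             | mov                 word ptr [ebp - 0x4c], ax
            //   33c0                 | xor                 eax, eax
            //   53                   | push                ebx

        // data reference 0x10018db4: upper two bytes wildcarded (see REVIEW NOTES)
        $sequence_1 = { 0f8501010000 c745e0b48d???? 8b4508 8bcf 8b7510 c745dc04000000 dd00 }
            // n = 7, score = 100
            //   0f8501010000         | jne                 0x107
            //   c745e0b48d????       | mov                 dword ptr [ebp - 0x20], 0x????8db4
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8bcf                 | mov                 ecx, edi
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]
            //   c745dc04000000       | mov                 dword ptr [ebp - 0x24], 4
            //   dd00                 | fld                 qword ptr [eax]

        // push-imm / pop / 16-bit store: the immediates are ASCII 'e' and ' '
        $sequence_2 = { 59 6a65 66898d76ffffff 59 6a20 66898d78ffffff }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   6a65                 | push                0x65
            //   66898d76ffffff       | mov                 word ptr [ebp - 0x8a], cx
            //   59                   | pop                 ecx
            //   6a20                 | push                0x20
            //   66898d78ffffff       | mov                 word ptr [ebp - 0x88], cx

        // large stack-frame setup (0x31bc) followed by a wildcarded call (likely a stack probe)
        $sequence_3 = { b8bc310000 e8???????? 53 56 57 }
            // n = 5, score = 100
            //   b8bc310000           | mov                 eax, 0x31bc
            //   e8????????           |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi

        // indirect call through an import slot, then a vtable-style call [eax+4]
        $sequence_4 = { 50 8945f8 ff15???????? 8d5e04 8b03 8bcb ff5004 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   ff15????????         |                     
            //   8d5e04               | lea                 ebx, [esi + 4]
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8bcb                 | mov                 ecx, ebx
            //   ff5004               | call                dword ptr [eax + 4]

        $sequence_5 = { 8d7b08 57 ff15???????? 8b4d08 8d45fc 50 }
            // n = 6, score = 100
            //   8d7b08               | lea                 edi, [ebx + 8]
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

        // run of 16-bit stores from bx/cx/dx into adjacent stack slots
        $sequence_6 = { 66895dd2 66894de8 66895dee 66895df4 668955f6 66894df8 e8???????? }
            // n = 7, score = 100
            //   66895dd2             | mov                 word ptr [ebp - 0x2e], bx
            //   66894de8             | mov                 word ptr [ebp - 0x18], cx
            //   66895dee             | mov                 word ptr [ebp - 0x12], bx
            //   66895df4             | mov                 word ptr [ebp - 0xc], bx
            //   668955f6             | mov                 word ptr [ebp - 0xa], dx
            //   66894df8             | mov                 word ptr [ebp - 8], cx
            //   e8????????           |                     

        // sign check on a result, then immediates that are ASCII '\', '%', 's'
        $sequence_7 = { 85c0 0f88d7080000 6a5c 58 6a25 59 6a73 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f88d7080000         | js                  0x8dd
            //   6a5c                 | push                0x5c
            //   58                   | pop                 eax
            //   6a25                 | push                0x25
            //   59                   | pop                 ecx
            //   6a73                 | push                0x73

        $sequence_8 = { 8d45dc 50 e8???????? 3b30 742f 8b3f }
            // n = 6, score = 100
            //   8d45dc               | lea                 eax, [ebp - 0x24]
            //   50                   | push                eax
            //   e8????????           |                     
            //   3b30                 | cmp                 esi, dword ptr [eax]
            //   742f                 | je                  0x31
            //   8b3f                 | mov                 edi, dword ptr [edi]

        // data reference 0x1001ddc0: upper two bytes wildcarded (see REVIEW NOTES)
        $sequence_9 = { 50 6af6 ff15???????? 8b04bdc0dd???? 834c0318ff }
            // n = 5, score = 100
            //   50                   | push                eax
            //   6af6                 | push                -0xa
            //   ff15????????         |                     
            //   8b04bdc0dd????       | mov                 eax, dword ptr [edi*4 + 0x????ddc0]
            //   834c0318ff           | or                  dword ptr [ebx + eax + 0x18], 0xffffffff

    condition:
        // 7 of 10 code sequences; the size bound only constrains file scans
        7 of them and filesize < 263168
}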