win.hoplight

HOPLIGHT

aka: HANGMAN

Actor(s): Lazarus Group


There is no description at this point.

References
2020-02-25 - SentinelOne - Jim Walter
DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity
Families: ARTFULPIE, BISTROMATH, BUFFETLINE, CHEESETRAY, HOPLIGHT, HOTCROISSANT, SLICKSHOES

2020-02-19 - Lexfo - Lexfo
The Lazarus Constellation: A study on North Korean malware
Families: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor

2020-02-14 - US-CERT - US-CERT
Malware Analysis Report (AR20-045G): MAR-10135536-8.v4 - North Korean Trojan: HOPLIGHT
Families: HOPLIGHT

2020-02-13 - Qianxin - Qi Anxin Threat Intelligence Center
APT Report 2019
Families: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2020-01-01 - Secureworks - SecureWorks
NICKEL ACADEMY
Families: Brambul, Duuzer, HOPLIGHT, Joanap, Sierra(Alfa,Bravo, ...), Volgmer

2019-10-31 - CISA - CISA
Malware Analysis Report (AR19-304A)
Families: HOPLIGHT

2019-08-01 - Kaspersky Labs - GReAT
APT trends report Q2 2019
Families: ZooPark, magecart, POWERSTATS, Chaperone, COMpfun, EternalPetya, FinFisher RAT, HawkEye Keylogger, HOPLIGHT, Microcin, NjRAT, Olympic Destroyer, PLEAD, RokRAT, Triton, Zebrocy

2019-04-11 - Computing.co.uk - Dev Kundaliya
Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea
Families: HOPLIGHT

2019-04-10 - US-CERT - US-CERT
Malware Analysis Report (AR19-100A): North Korean Trojan: HOPLIGHT
Families: HOPLIGHT

2017-08-14 - Palo Alto Networks Unit 42 - Anthony Kasza
The Blockbuster Saga Continues
Families: HOPLIGHT

2015-09-10 - FireEye - Genwei Jiang, Josiah Kimble
Hangul Word Processor (HWP) Zero-Day: possible ties to North Korean threat actors
Families: HOPLIGHT
Yara Rules
[TLP:WHITE] win_hoplight_auto (20260504 | Detects win.hoplight.)
rule win_hoplight_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.hoplight."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
/* The byte sequences below are matched as-is; the comments give the x86-64
         * decoding of each instruction (the sample is a 64-bit PE, so 0x48/0x4c are
         * REX prefixes, not "dec eax"). Wildcarded (????????) bytes are relocated
         * call/RIP-relative displacements the generator masked out. */
        $sequence_0 = { 4889842460080000 488b8c2460080000 e8???????? 4889442420 488d4c2440 e8???????? 4889442428 }
            // n = 7, score = 100
            //   4889842460080000     | mov                 qword ptr [rsp + 0x860], rax
            //   488b8c2460080000     | mov                 rcx, qword ptr [rsp + 0x860]
            //   e8????????           | call                (wildcarded rel32 target)
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]
            //   e8????????           | call                (wildcarded rel32 target)
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax

        $sequence_1 = { 488b00 0fb600 488b4c2430 8901 488b442450 488b00 48ffc0 }
            // n = 7, score = 100
            //   488b00               | mov                 rax, qword ptr [rax]
            //   0fb600               | movzx               eax, byte ptr [rax]
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            //   8901                 | mov                 dword ptr [rcx], eax
            //   488b442450           | mov                 rax, qword ptr [rsp + 0x50]
            //   488b00               | mov                 rax, qword ptr [rax]
            //   48ffc0               | inc                 rax

        $sequence_2 = { 4c8bd8 488905???????? 4885c0 7422 488d15ed620300 488bce ff15???????? }
            // n = 7, score = 100
            //   4c8bd8               | mov                 r11, rax
            //   488905????????       | mov                 qword ptr [rip + disp32], rax   (wildcarded disp32)
            //   4885c0               | test                rax, rax
            //   7422                 | je                  0x24
            //   488d15ed620300       | lea                 rdx, [rip + 0x362ed]
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip + disp32]   (wildcarded disp32)

        $sequence_3 = { 48837c243800 7411 488b442438 488b4c2430 488b4920 488908 48837c244000 }
            // n = 7, score = 100
            //   48837c243800         | cmp                 qword ptr [rsp + 0x38], 0
            //   7411                 | je                  0x13
            //   488b442438           | mov                 rax, qword ptr [rsp + 0x38]
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            //   488b4920             | mov                 rcx, qword ptr [rcx + 0x20]
            //   488908               | mov                 qword ptr [rax], rcx
            //   48837c244000         | cmp                 qword ptr [rsp + 0x40], 0

        $sequence_4 = { 338424a0000000 488b8c24b0000000 8901 8b442438 83f006 4898 488b4c2420 }
            // n = 7, score = 100
            //   338424a0000000       | xor                 eax, dword ptr [rsp + 0xa0]
            //   488b8c24b0000000     | mov                 rcx, qword ptr [rsp + 0xb0]
            //   8901                 | mov                 dword ptr [rcx], eax
            //   8b442438             | mov                 eax, dword ptr [rsp + 0x38]
            //   83f006               | xor                 eax, 6
            //   4898                 | cdqe
            //   488b4c2420           | mov                 rcx, qword ptr [rsp + 0x20]

        $sequence_5 = { 488d4c2422 33d2 41b8fe1f0000 6689442420 e8???????? 488b15???????? 488d0d30f30400 }
            // n = 7, score = 100
            //   488d4c2422           | lea                 rcx, [rsp + 0x22]
            //   33d2                 | xor                 edx, edx
            //   41b8fe1f0000         | mov                 r8d, 0x1ffe
            //   6689442420           | mov                 word ptr [rsp + 0x20], ax
            //   e8????????           | call                (wildcarded rel32 target)
            //   488b15????????       | mov                 rdx, qword ptr [rip + disp32]   (wildcarded disp32)
            //   488d0d30f30400       | lea                 rcx, [rip + 0x4f330]

        $sequence_6 = { 488b442420 488b4c2420 8b491c 8b4008 33c1 488b4c2420 894120 }
            // n = 7, score = 100
            //   488b442420           | mov                 rax, qword ptr [rsp + 0x20]
            //   488b4c2420           | mov                 rcx, qword ptr [rsp + 0x20]
            //   8b491c               | mov                 ecx, dword ptr [rcx + 0x1c]
            //   8b4008               | mov                 eax, dword ptr [rax + 8]
            //   33c1                 | xor                 eax, ecx
            //   488b4c2420           | mov                 rcx, qword ptr [rsp + 0x20]
            //   894120               | mov                 dword ptr [rcx + 0x20], eax

        $sequence_7 = { 4898 488b4c2420 488d0481 4889842498000000 8b8424c0000000 83f005 4898 }
            // n = 7, score = 100
            //   4898                 | cdqe
            //   488b4c2420           | mov                 rcx, qword ptr [rsp + 0x20]
            //   488d0481             | lea                 rax, [rcx + rax*4]
            //   4889842498000000     | mov                 qword ptr [rsp + 0x98], rax
            //   8b8424c0000000       | mov                 eax, dword ptr [rsp + 0xc0]
            //   83f005               | xor                 eax, 5
            //   4898                 | cdqe

    condition:
        7 of them and filesize < 765952
}