HOTWAX (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.hotwax (Back to overview)

HOTWAX

Actor(s): Lazarus Group

VTCollection

HOTWAX is a module that upon starting imports all necessary system API functions, and searches for a .CHM file. HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.

References

2018-10-03 ⋅ Virus Bulletin ⋅ Michal Poslušný, Peter Kálnai
Lazarus Group A Mahjong Game Played with Different Sets of Tiles
Bankshot BanPolMex RAT FuwuqiDrama HOTWAX KillDisk (Lazarus) NACHOCHEESE REDSHAWL WannaCryptor

2018-03-01 ⋅ Kaspersky Labs ⋅ Kaspersky Lab
Lazarus under the Hood
BlueNoroff HOTWAX REDSHAWL WORMHOLE

2018-01-01 ⋅ FireEye ⋅ FireEye
APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group

2017-05-30 ⋅ Group-IB ⋅ Group-IB
Lazarus Arisen: Architecture, Techniques and Attribution
HOTWAX NACHOCHEESE Ratankba

2017-04-03 ⋅ Kaspersky Labs ⋅ GReAT
Lazarus under the Hood
Alreay DYEPACK HOTWAX NESTEGG RatankbaPOS REDSHAWL WORMHOLE Lazarus Group

2017-02-20 ⋅ BAE Systems ⋅ Sergei Shevchenko
Lazarus’ False Flag Malware
HOTWAX NACHOCHEESE

2017-02-16 ⋅ ESET Research ⋅ Peter Kálnai
Demystifying targeted malware used against Polish banks
BanPolMex RAT HOTWAX NACHOCHEESE

Yara Rules

[TLP:WHITE] win_hotwax_auto (20260504 | Detects win.hotwax.)

rule win_hotwax_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.hotwax."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85c9 743f 83f902 7605 }
            // n = 4, score = 100
            //   85c9                 | and                 ecx, 0x1f
            //   743f                 | dec                 eax
            //   83f902               | mov                 eax, dword ptr [edx + eax*8]
            //   7605                 | dec                 eax

        $sequence_1 = { 4863d9 488d2d57960000 488bfb 83e31f 48c1ff05 }
            // n = 5, score = 100
            //   4863d9               | mov                 edx, ebx
            //   488d2d57960000       | je                  0x51e
            //   488bfb               | dec                 eax
            //   83e31f               | lea                 edx, [0x7478]
            //   48c1ff05             | inc                 ecx

        $sequence_2 = { 488d05f9b70000 c3 4053 4883ec20 }
            // n = 4, score = 100
            //   488d05f9b70000       | dec                 eax
            //   c3                   | mov                 ecx, ebx
            //   4053                 | dec                 eax
            //   4883ec20             | lea                 edx, [0xd5c6]

        $sequence_3 = { 418b8790000000 85c0 0f8491010000 488d2c02 }
            // n = 4, score = 100
            //   418b8790000000       | lea                 eax, [esp + 0x40]
            //   85c0                 | inc                 esp
            //   0f8491010000         | lea                 ecx, [ebx + 0x10]
            //   488d2c02             | xor                 edi, edi

        $sequence_4 = { 48c1f805 4c8d0573710000 83e11f 486bc958 498b04c0 80640808fe }
            // n = 6, score = 100
            //   48c1f805             | cmp                 dword ptr [edi + 0x14], esi
            //   4c8d0573710000       | jbe                 0xd0
            //   83e11f               | inc                 bp
            //   486bc958             | cmp                 dword ptr [ebp + 0x462], esi
            //   498b04c0             | jne                 0x3b
            //   80640808fe           | inc                 ecx

        $sequence_5 = { 49c1ff05 83e61f 4b8b8cf9a04b0100 486bf658 8a443108 a801 }
            // n = 6, score = 100
            //   49c1ff05             | dec                 ecx
            //   83e61f               | mov                 ecx, esi
            //   4b8b8cf9a04b0100     | dec                 eax
            //   486bf658             | mov                 edx, ecx
            //   8a443108             | dec                 eax
            //   a801                 | mov                 ecx, dword ptr [esp + 0xa8]

        $sequence_6 = { b81a000000 eb76 33c9 488d158bb70000 }
            // n = 4, score = 100
            //   b81a000000           | dec                 eax
            //   eb76                 | mov                 ecx, ebx
            //   33c9                 | dec                 eax
            //   488d158bb70000       | lea                 edx, [0xce87]

        $sequence_7 = { 8b430c 8905???????? 8bd7 4c8d0518b4ffff 89542420 }
            // n = 5, score = 100
            //   8b430c               | lea                 edx, [0xd29d]
            //   8905????????         |                     
            //   8bd7                 | dec                 eax
            //   4c8d0518b4ffff       | mov                 ecx, ebx
            //   89542420             | dec                 eax

        $sequence_8 = { 41b803010000 c644243000 e8???????? 488bcb }
            // n = 4, score = 100
            //   41b803010000         | mov                 edx, 0x58
            //   c644243000           | cmp                 edi, esi
            //   e8????????           |                     
            //   488bcb               | jae                 0xf6

        $sequence_9 = { 8a45d9 4b8b8cf8a04b0100 88443139 4b8b84f8a04b0100 8854303a }
            // n = 5, score = 100
            //   8a45d9               | dec                 eax
            //   4b8b8cf8a04b0100     | mov                 ecx, ebx
            //   88443139             | dec                 eax
            //   4b8b84f8a04b0100     | lea                 edx, [0xcc92]
            //   8854303a             | dec                 eax

    condition:
        7 of them and filesize < 198656
}

Download all Yara Rules

HOTWAX Propose Change

References

Yara Rules

HOTWAX