win.redshawl

REDSHAWL

Actor(s): Lazarus Group


REDSHAWL is a command-line session hijacking utility that starts a new process in the context of another user who is currently logged on to the same system.

References
2018-03 | Kaspersky Labs | Kaspersky Lab
@techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } Lazarus under the Hood
HOTWAX REDSHAWL WORMHOLE
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_redshawl_auto (20220808 | Detects win.redshawl.)
rule win_redshawl_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.redshawl."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on the generated strings below:
     * - Each $sequence_N is a run of x86-64 instruction bytes; the "??" bytes
     *   are wildcards that blank out relocation-dependent operands (rel32
     *   targets of e8/e9, RIP-relative displacements after ff15 / 488b05 /
     *   488905), matching the "callsandjumps;datarefs" generator config above.
     * - The mnemonic column in the per-byte comments does NOT decode from the
     *   bytes it sits next to (e.g. 741a is a short `je`, and the 48 REX.W
     *   prefix is shown as `dec eax`). Treat the mnemonics as unreliable
     *   generator output; the hex bytes are the authoritative part.
     * - The sample these bytes came from is a 64-bit build (REX prefixes
     *   throughout); the rule will not match a 32-bit build of the same tool.
     */

    strings:
        $sequence_0 = { 741a 488d0529c20000 483bf8 740e }
            // n = 4, score = 100
            //   741a                 | test                esp, esp
            //   488d0529c20000       | dec                 eax
            //   483bf8               | lea                 ecx, [0x9baa]
            //   740e                 | dec                 esp

        $sequence_1 = { ff15???????? 488d158aa20000 498bcc 488905???????? ff15???????? 488d1553a20000 498bcc }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488d158aa20000       | mov                 ebx, ecx
            //   498bcc               | dec                 eax
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d1553a20000       | lea                 eax, [0x9175]
            //   498bcc               | dec                 eax

        $sequence_2 = { e8???????? 90 90 8b442460 e9???????? c784242001000001000000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   90                   | add                 esp, 0x28
            //   8b442460             | dec                 eax
            //   e9????????           |                     
            //   c784242001000001000000     | add    esp, 0x38

        $sequence_3 = { ffc7 4883c308 4c8b3b ffc7 4883c308 413bfe }
            // n = 6, score = 100
            //   ffc7                 | lea                 esi, [0x7fbc]
            //   4883c308             | and                 ebx, 0x1f
            //   4c8b3b               | dec                 eax
            //   ffc7                 | imul                ebx, ebx, 0x58
            //   4883c308             | dec                 eax
            //   413bfe               | mov                 ebp, edx

        // The immediates in this sequence build a stack string: 0x6b65726e /
        // 0x656c3332 / 0x2e646c6c decode to "kern" "el32" ".dll", c645dc00 is
        // the NUL terminator, and 0x77747361 starts a second string "wtsa…"
        // (remainder not in the sequence). Stack-constructed import names are
        // a deliberate, relatively stable artefact and the most meaningful of
        // the ten sequences for a human triager.
        $sequence_4 = { 488945f0 488d4dd0 c745d06b65726e c745d4656c3332 c745d82e646c6c c645dc00 c745e077747361 }
            // n = 7, score = 100
            //   488945f0             | dec                 eax
            //   488d4dd0             | mov                 ecx, dword ptr [esp + 0xb8]
            //   c745d06b65726e       | dec                 esp
            //   c745d4656c3332       | mov                 eax, dword ptr [ebp + 0xb8]
            //   c745d82e646c6c       | mov                 edx, ebx
            //   c645dc00             | dec                 eax
            //   c745e077747361       | lea                 ecx, [0x1724]

        // 813863736de0 is `cmp dword [rax], 0xe06d7363`, the MSVC C++ exception
        // code — this looks like compiler/CRT exception-handling boilerplate
        // rather than family-specific logic, so weight this sequence low on its
        // own (confirm against the sample).
        $sequence_5 = { 33c9 e8???????? 4883c438 c3 4883ec28 488b01 813863736de0 }
            // n = 7, score = 100
            //   33c9                 | cmp                 esi, -1
            //   e8????????           |                     
            //   4883c438             | jne                 0x6fe
            //   c3                   | dec                 eax
            //   4883ec28             | lea                 ecx, [esp + 0xa0]
            //   488b01               | dec                 eax
            //   813863736de0         | lea                 ecx, [0xa11d]

        $sequence_6 = { e8???????? 4183fcff 747d 488d9424a0000000 418bcc }
            // n = 5, score = 100
            //   e8????????           |                     
            //   4183fcff             | dec                 eax
            //   747d                 | lea                 edx, [0x7deb]
            //   488d9424a0000000     | dec                 eax
            //   418bcc               | sar                 eax, 5

        $sequence_7 = { 90 90 8b442460 e9???????? 41b904000000 4c8d842488000000 }
            // n = 6, score = 100
            //   90                   | test                eax, eax
            //   90                   | inc                 ebp
            //   8b442460             | xor                 esp, esp
            //   e9????????           |                     
            //   41b904000000         | dec                 ebp
            //   4c8d842488000000     | mov                 dword ptr [ebx - 0x2e8], esp

        $sequence_8 = { 488b05???????? 4833c4 4889842470010000 4889642428 498bf8 }
            // n = 5, score = 100
            //   488b05????????       |                     
            //   4833c4               | lea                 eax, [0xbc44]
            //   4889842470010000     | mov                 dword ptr [esp + 0x120], 1
            //   4889642428           | dec                 eax
            //   498bf8               | mov                 eax, dword ptr [esp + 0x80]

        $sequence_9 = { b900000002 33db ff15???????? 488bf8 4885c0 7522 488d0d1da10000 }
            // n = 7, score = 100
            //   b900000002           | dec                 eax
            //   33db                 | arpl                dx, ax
            //   ff15????????         |                     
            //   488bf8               | dec                 eax
            //   4885c0               | arpl                cx, cx
            //   7522                 | dec                 eax
            //   488d0d1da10000       | lea                 edx, [eax + ecx*8]

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 174080 bytes (170 KiB). The size bound
        // is derived from the unpacked/dumped sample this rule was generated
        // from; a packed or padded dropper will fail it regardless of content.
        // NOTE(review): per the YARA documentation, `filesize` is undefined
        // when scanning process memory rather than a file, which makes the
        // whole condition false in that mode — confirm with your YARA version
        // before relying on this rule for memory scans.
        7 of them and filesize < 174080
}