SYMBOLCOMMON_NAMEaka. SYNONYMS
win.redshawl (Back to overview)

REDSHAWL

Actor(s): Lazarus Group


REDSHAWL is a session hijacking utility that starts a new process as another user currently logged on to the same system via command-line.

References
2018-03Kaspersky LabsKaspersky Lab
@techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } Lazarus under the Hood
HOTWAX REDSHAWL WORMHOLE
2018FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_redshawl_auto (20211008 | Detects win.redshawl.)
rule win_redshawl_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.redshawl."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? e9???????? 4d85ed 750c 488d0dbb9a0000 e9???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   4d85ed               | lea                 eax, dword ptr [esp + 0xb0]
            //   750c                 | dec                 eax
            //   488d0dbb9a0000       | mov                 ecx, dword ptr [esp + 0x48]
            //   e9????????           |                     

        $sequence_1 = { 488b4c2450 488364242000 488d0525850000 488b0cc8 }
            // n = 4, score = 100
            //   488b4c2450           | sub                 esp, 0x88
            //   488364242000         | dec                 eax
            //   488d0525850000       | lea                 ecx, dword ptr [0xc5f1]
            //   488b0cc8             | je                  0x394

        $sequence_2 = { 85c0 750b 4883c428 48ff25???????? 33c0 4883c428 c3 }
            // n = 7, score = 100
            //   85c0                 | mov                 ecx, dword ptr [ebx + 0x158]
            //   750b                 | dec                 eax
            //   4883c428             | lea                 eax, dword ptr [0xc354]
            //   48ff25????????       |                     
            //   33c0                 | dec                 eax
            //   4883c428             | cmp                 ecx, eax
            //   c3                   | dec                 eax

        $sequence_3 = { 48833d????????00 741f 488d0dc2c10000 e8???????? 85c0 740f }
            // n = 6, score = 100
            //   48833d????????00     |                     
            //   741f                 | dec                 eax
            //   488d0dc2c10000       | mov                 esi, edx
            //   e8????????           |                     
            //   85c0                 | dec                 esp
            //   740f                 | mov                 ebp, ecx

        $sequence_4 = { e8???????? 4c8d546d00 4c8d1d58c70000 49c1e204 bd04000000 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   4c8d546d00           | mov                 ecx, ebx
            //   4c8d1d58c70000       | dec                 eax
            //   49c1e204             | mov                 ecx, esi
            //   bd04000000           | dec                 eax

        $sequence_5 = { 89442440 488b4c2450 ff15???????? 85db }
            // n = 4, score = 100
            //   89442440             | jmp                 0x5cf
            //   488b4c2450           | dec                 eax
            //   ff15????????         |                     
            //   85db                 | mov                 eax, dword ptr [ebx]

        $sequence_6 = { ff15???????? 90 488b4d78 4885c9 7407 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   90                   | lea                 ecx, dword ptr [0xa11d]
            //   488b4d78             | dec                 eax
            //   4885c9               | mov                 ebx, dword ptr [esp + 0x30]
            //   7407                 | dec                 eax

        $sequence_7 = { 4d85d2 741f 498bca e8???????? 41833a00 7511 488d0550c50000 }
            // n = 7, score = 100
            //   4d85d2               | jae                 0x3d
            //   741f                 | dec                 eax
            //   498bca               | arpl                cx, cx
            //   e8????????           |                     
            //   41833a00             | dec                 eax
            //   7511                 | lea                 edx, dword ptr [0x9be0]
            //   488d0550c50000       | dec                 eax

        $sequence_8 = { 8b442448 8907 488d150c000000 488b4c2428 }
            // n = 4, score = 100
            //   8b442448             | lea                 ecx, dword ptr [esp + 0x6c]
            //   8907                 | test                eax, eax
            //   488d150c000000       | jne                 0x6c8
            //   488b4c2428           | dec                 eax

        $sequence_9 = { 41b910000000 4c8d842420010000 33d2 488b4c2468 ff15???????? 85c0 7532 }
            // n = 7, score = 100
            //   41b910000000         | dec                 eax
            //   4c8d842420010000     | mov                 ecx, edi
            //   33d2                 | dec                 eax
            //   488b4c2468           | lea                 edx, dword ptr [0x4ca4]
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   7532                 | mov                 ecx, esi

    condition:
        7 of them and filesize < 174080
}
Download all Yara Rules