SYMBOLCOMMON_NAMEaka. SYNONYMS
win.redshawl (Back to overview)

REDSHAWL

Actor(s): Lazarus Group

REDSHAWL is a session hijacking utility that starts a new process as another user currently logged on to the same system via command-line.

References
2018-10-03Virus BulletinPeter Kálnai, Michal Poslušný
@techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{Lazarus Group A Mahjong Game Played with Different Sets of Tiles}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2023-08-31} } Lazarus Group A Mahjong Game Played with Different Sets of Tiles
Bankshot BanPolMex RAT FuwuqiDrama HOTWAX KillDisk (Lazarus) NACHOCHEESE REDSHAWL WannaCryptor
2018-03Kaspersky LabsKaspersky Lab
@techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } Lazarus under the Hood
BlueNoroff HOTWAX REDSHAWL WORMHOLE
2018FireEyeFireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2017-04-03Kaspersky LabsGReAT
@online{great:20170403:lazarus:033fcf7, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-under-the-hood/77908/}, language = {English}, urldate = {2023-08-14} } Lazarus under the Hood
Alreay DYEPACK HOTWAX NESTEGG RatankbaPOS REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_redshawl_auto (20230715 | Detects win.redshawl.)
rule win_redshawl_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.redshawl."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8bef 49c1fd05 4c8d35bc7f0000 83e31f 486bdb58 4b8b04ee }
            // n = 6, score = 100
            //   4c8bef               | cmp                 esi, -1
            //   49c1fd05             | jne                 0x83
            //   4c8d35bc7f0000       | dec                 eax
            //   83e31f               | lea                 ecx, [esp + 0xa0]
            //   486bdb58             | mov                 dword ptr [esp + 0x40], eax
            //   4b8b04ee             | jne                 0x172

        $sequence_1 = { ff15???????? 85c0 7532 488d0d279e0000 e8???????? }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   85c0                 | mov                 eax, dword ptr [esp + 0x60]
            //   7532                 | dec                 esp
            //   488d0d279e0000       | lea                 ecx, [esp + 0x48]
            //   e8????????           |                     

        $sequence_2 = { e8???????? 488d1dcf5e0000 488d3dd05e0000 eb0e 488b03 4885c0 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488d1dcf5e0000       | dec                 eax
            //   488d3dd05e0000       | sub                 esp, 0x20
            //   eb0e                 | dec                 eax
            //   488b03               | mov                 edi, edx
            //   4885c0               | dec                 eax

        $sequence_3 = { 4883c428 48ff25???????? 33c0 4883c428 c3 48895c2408 }
            // n = 6, score = 100
            //   4883c428             | mov                 edi, dword ptr [ebx]
            //   48ff25????????       |                     
            //   33c0                 | inc                 edi
            //   4883c428             | dec                 eax
            //   c3                   | add                 ebx, 8
            //   48895c2408           | inc                 ecx

        $sequence_4 = { 0f1f4000 488b13 0fb602 3c2d 7418 3c2f 7414 }
            // n = 7, score = 100
            //   0f1f4000             | dec                 eax
            //   488b13               | test                eax, eax
            //   0fb602               | jne                 0x41c
            //   3c2d                 | or                  eax, 0xffffffff
            //   7418                 | dec                 eax
            //   3c2f                 | add                 esp, 0x20
            //   7414                 | pop                 ebx

        $sequence_5 = { 0f1f840000000000 410fb603 8801 49ffc3 }
            // n = 4, score = 100
            //   0f1f840000000000     | dec                 eax
            //   410fb603             | mov                 edx, dword ptr [ebx]
            //   8801                 | movzx               eax, byte ptr [edx]
            //   49ffc3               | cmp                 al, 0x2d

        $sequence_6 = { 8b7c2444 4c8b442468 8b542460 41bb00020000 4c8d0d11b4ffff }
            // n = 5, score = 100
            //   8b7c2444             | dec                 eax
            //   4c8b442468           | mov                 dword ptr [esp + 8], ecx
            //   8b542460             | dec                 eax
            //   41bb00020000         | sub                 esp, 0x88
            //   4c8d0d11b4ffff       | dec                 eax

        $sequence_7 = { 83611000 c7411c01000000 c781c800000001000000 c6817401000043 c681f701000043 488d0544bc0000 }
            // n = 6, score = 100
            //   83611000             | inc                 esp
            //   c7411c01000000       | mov                 dword ptr [ebp + 0xc], ebx
            //   c781c800000001000000     | dec    esp
            //   c6817401000043       | mov                 dword ptr [ebp + 4], ebx
            //   c681f701000043       | rep stosd           dword ptr es:[edi], eax
            //   488d0544bc0000       | dec                 eax

        $sequence_8 = { 8b442448 8907 488d150c000000 488b4c2428 }
            // n = 4, score = 100
            //   8b442448             | jne                 0x4ab
            //   8907                 | dec                 eax
            //   488d150c000000       | lea                 ecx, [esp + 0x78]
            //   488b4c2428           | test                eax, eax

        $sequence_9 = { 41b910000000 4c8d842420010000 33d2 488b4c2468 ff15???????? 85c0 7532 }
            // n = 7, score = 100
            //   41b910000000         | dec                 eax
            //   4c8d842420010000     | cmp                 ecx, edx
            //   33d2                 | jb                  0x6e1
            //   488b4c2468           | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | lea                 eax, [0xbd8d]
            //   7532                 | dec                 eax

    condition:
        7 of them and filesize < 174080
}
Download all Yara Rules