win.redshawl

REDSHAWL

Actor(s): Lazarus Group


REDSHAWL is a session hijacking utility that, driven from the command line, starts a new process as another user who is currently logged on to the same system.

References
2018-03 | Kaspersky Labs | Kaspersky Lab
@techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } Lazarus under the Hood
HOTWAX REDSHAWL WORMHOLE
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
Yara Rules
[TLP:WHITE] win_redshawl_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_redshawl_auto {
    // Auto-generated (yara-signator) code-sequence rule for REDSHAWL, the
    // Lazarus Group session-hijacking utility described above. It fingerprints
    // opcode byte runs lifted from sample disassembly rather than strings or
    // imports, so it is tied to the build(s) that were available to the
    // generator (see the DISCLAIMER below) and may not generalise to other
    // variants.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl"
        // malpedia_rule_date / malpedia_version: date of the rule vs. date of
        // the Malpedia corpus snapshot the sequences were drawn from.
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of raw opcode bytes. The leading 0x48/0x49/
        // 0x4c/0x4d bytes are REX prefixes, so the sequences come from a 64-bit
        // build.
        // NOTE(review): the per-instruction annotations in the comments below do
        // not line up with the bytes they sit next to (e.g. 488bcb is REX.W
        // "mov rcx, rbx", not "cmp eax, -1"); they look like a misaligned
        // 32-bit decode. Treat the hex bytes as authoritative and do not rely on
        // the mnemonics when triaging a hit.
        $sequence_0 = { 488bcb 488bc3 488d15eb7d0000 48c1f805 83e11f 488b04c2 }
            // n = 6, score = 100
            //   488bcb               | cmp                 eax, -1
            //   488bc3               | jne                 0xb1
            //   488d15eb7d0000       | dec                 eax
            //   48c1f805             | lea                 ecx, [0xa18a]
            //   83e11f               | mov                 eax, dword ptr [ebx + 0xc]
            //   488b04c2             | mov                 edx, edi

        $sequence_1 = { 4533e4 4d89a318fdffff 33c0 49898320fdffff 49898328fdffff 4589a338fdffff }
            // n = 6, score = 100
            //   4533e4               | dec                 eax
            //   4d89a318fdffff       | cwde                
            //   33c0                 | inc                 ecx
            //   49898320fdffff       | movzx               eax, byte ptr [eax + eax + 0x1d9c]
            //   49898328fdffff       | inc                 ecx
            //   4589a338fdffff       | mov                 ecx, dword ptr [eax + eax*4 + 0x1d8c]

        $sequence_2 = { 488d05939c0000 48898424c0000000 c78424ec00000001000000 664489a424f0000000 0fbaeb1b c7842440020000433a5c00 33d2 }
            // n = 7, score = 100
            //   488d05939c0000       | test                ebp, ebp
            //   48898424c0000000     | jne                 0x409
            //   c78424ec00000001000000     | dec    eax
            //   664489a424f0000000     | lea    ecx, [0x9abb]
            //   0fbaeb1b             | inc                 ebp
            //   c7842440020000433a5c00     | test    esp, esp
            //   33d2                 | dec                 ebp

        $sequence_3 = { 7762 4898 410fb684009c1d0000 418b8c808c1d0000 4903c8 ffe1 ffc7 }
            // n = 7, score = 100
            //   7762                 | mov                 dword ptr [esp + 0x28], esp
            //   4898                 | dec                 ecx
            //   410fb684009c1d0000     | mov    edi, eax
            //   418b8c808c1d0000     | dec                 eax
            //   4903c8               | mov                 esi, edx
            //   ffe1                 | dec                 eax
            //   ffc7                 | sub                 esp, 0x88

        $sequence_4 = { 391e 7524 891e 4885ff }
            // n = 4, score = 100
            //   391e                 | mov                 dword ptr [esp + 0x28], esp
            //   7524                 | dec                 eax
            //   891e                 | mov                 dword ptr [esp + 0x128], eax
            //   4885ff               | dec                 esp

        // NOTE(review): $sequence_5 decodes to a run of "add"/"sbb" with odd
        // operands, which presumably means these bytes are a data table rather
        // than code; it still counts as one of the "7 of them" below, so a hit
        // that depends on it deserves a closer look.
        $sequence_5 = { 00861a000066 1a00 00b01a000000 0301 }
            // n = 4, score = 100
            //   00861a000066         | add                 byte ptr [esi + 0x6600001a], al
            //   1a00                 | sbb                 al, byte ptr [eax]
            //   00b01a000000         | add                 byte ptr [eax + 0x1a], dh
            //   0301                 | add                 eax, dword ptr [ecx]

        // The ???????? wildcards mask the 4-byte displacement of the direct call
        // (e8) and, in $sequence_9, the indirect call (ff15), which vary with
        // link address and import-table layout.
        $sequence_6 = { 488d0d985d0000 e8???????? 488d15b45d0000 488d0da55d0000 }
            // n = 4, score = 100
            //   488d0d985d0000       | jmp                 0x169
            //   e8????????           |                     
            //   488d15b45d0000       | dec                 eax
            //   488d0da55d0000       | lea                 edx, [0x5db7]

        $sequence_7 = { 83c8ff 4883c428 c3 4053 4883ec20 4885c9 }
            // n = 6, score = 100
            //   83c8ff               | inc                 ecx
            //   4883c428             | mov                 eax, 6
            //   c3                   | dec                 eax
            //   4053                 | lea                 edx, [0xc520]
            //   4883ec20             | dec                 eax
            //   4885c9               | cmp                 dword ptr [eax - 0x10], edx

        $sequence_8 = { e8???????? 89442440 85c0 742f 448b8424a0000000 498bd7 488d0d4f990000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   89442440             | dec                 eax
            //   85c0                 | mov                 ebp, esp
            //   742f                 | dec                 eax
            //   448b8424a0000000     | sub                 esp, 0x80
            //   498bd7               | dec                 eax
            //   488d0d4f990000       | xor                 eax, esp

        $sequence_9 = { 41b910000000 4c8d842420010000 33d2 488b4c2468 ff15???????? 85c0 7532 }
            // n = 7, score = 100
            //   41b910000000         | inc                 ebp
            //   4c8d842420010000     | xor                 eax, eax
            //   33d2                 | mov                 edx, 0x2000000
            //   488b4c2468           | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | lea                 ecx, [esp + 0x44]
            //   7532                 | dec                 eax

    condition:
        // Any 7 of the 10 sequences must be present; no single sequence is
        // required. The filesize bound is evaluated against the scanned object,
        // so files larger than 174080 bytes never match, and because the
        // sequences were taken from unpacked files and memory dumps (see
        // DISCLAIMER), a sample that is packed on disk is unlikely to match
        // until it is unpacked. On process-memory scans filesize may be
        // undefined depending on the YARA version — confirm before relying on it.
        7 of them and filesize < 174080
}