win.snatchcrypto

SnatchCrypto

Actor(s): Lazarus Group


Malware observed in the SnatchCrypto campaign, attributed by Kaspersky Labs to BlueNoroff with high confidence.

References
2022-12-16SekoiaThreat & Detection Research Team
@online{team:20221216:dprk:4abe047, author = {Threat & Detection Research Team}, title = {{The DPRK delicate sound of cyber}}, date = {2022-12-16}, organization = {Sekoia}, url = {https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/}, language = {English}, urldate = {2022-12-29} } The DPRK delicate sound of cyber
AppleJeus AppleJeus SnatchCrypto
2022-01-13Kaspersky LabsSeongsu Park, Vitaly Kamluk
@online{park:20220113:bluenoroff:a3ce5e4, author = {Seongsu Park and Vitaly Kamluk}, title = {{The BlueNoroff cryptocurrency hunt is still on}}, date = {2022-01-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/}, language = {English}, urldate = {2022-01-17} } The BlueNoroff cryptocurrency hunt is still on
SnatchCrypto
2019-11-21ThreatBookThreatBook
@techreport{threatbook:20191121:nightmare:f88dec3, author = {ThreatBook}, title = {{The Nightmare of Global Cryptocurrency Companies -Demystifying the “DangerousPassword” of the APT Organization}}, date = {2019-11-21}, institution = {ThreatBook}, url = {https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf}, language = {English}, urldate = {2022-08-12} } The Nightmare of Global Cryptocurrency Companies -Demystifying the “DangerousPassword” of the APT Organization
SnatchCrypto
Yara Rules
[TLP:WHITE] win_snatchcrypto_auto (20230125 | Detects win.snatchcrypto.)
rule win_snatchcrypto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.snatchcrypto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Each $sequence_N is a run of seven x86-64 instructions. The `??` bytes
     *   mask the rel32 of call/jmp and the disp32 of RIP-relative operands, so
     *   a pattern survives relocation of those targets but not a change in
     *   instruction selection (a recompiled or differently optimised build may
     *   not hit these sequences).
     * - The mnemonic column shipped with the generated rule did not correspond
     *   to the byte patterns (it looks like a 32-bit decode, offset from its
     *   bytes). The mnemonics below are the reviewer's 64-bit decode of each
     *   pattern; confirm with a disassembler before relying on them.
     * - The condition requires 7 of the 10 sequences and `filesize < 1400832`.
     *   There is no PE-header or section check, so apply the rule to unpacked
     *   binaries and memory dumps as the disclaimer says. Note that YARA's
     *   `filesize` is only defined when scanning a file, so the rule is not
     *   expected to match in process-memory scans -- check the YARA docs for
     *   your version.
     */


    strings:
        $sequence_0 = { bf2f000000 83f802 0f8593000000 4c8d25d3950300 488d4c2448 498bd4 e8???????? }
            // n = 7, score = 200
            //   bf2f000000           | mov                 edi, 0x2f
            //   83f802               | cmp                 eax, 2
            //   0f8593000000         | jne                 +0x93 (rel32)
            //   4c8d25d3950300       | lea                 r12, [rip + 0x395d3]
            //   488d4c2448           | lea                 rcx, [rsp + 0x48]
            //   498bd4               | mov                 rdx, r12
            //   e8????????           | call                rel32 (target masked)

        $sequence_1 = { 4c8d0c88 498b4610 4963c8 4c8d1488 418b4500 2bc2 41ffc0 }
            // n = 7, score = 200
            //   4c8d0c88             | lea                 r9, [rax + rcx*4]
            //   498b4610             | mov                 rax, qword ptr [r14 + 0x10]
            //   4963c8               | movsxd              rcx, r8d
            //   4c8d1488             | lea                 r10, [rax + rcx*4]
            //   418b4500             | mov                 eax, dword ptr [r13]
            //   2bc2                 | sub                 eax, edx
            //   41ffc0               | inc                 r8d

        $sequence_2 = { f20f581d???????? f20f58fd f20f59dc f20f58cb f20f58cf f20f102d???????? 488d15f92f0000 }
            // n = 7, score = 200
            //   f20f581d????????     | addsd               xmm3, qword ptr [rip + disp32] (masked)
            //   f20f58fd             | addsd               xmm7, xmm5
            //   f20f59dc             | mulsd               xmm3, xmm4
            //   f20f58cb             | addsd               xmm1, xmm3
            //   f20f58cf             | addsd               xmm1, xmm7
            //   f20f102d????????     | movsd               xmm5, qword ptr [rip + disp32] (masked)
            //   488d15f92f0000       | lea                 rdx, [rip + 0x2ff9]

        $sequence_3 = { e8???????? 448be0 e9???????? 498b10 4885d2 0f84a60a0000 488b8f08070000 }
            // n = 7, score = 200
            //   e8????????           | call                rel32 (target masked)
            //   448be0               | mov                 r12d, eax
            //   e9????????           | jmp                 rel32 (target masked)
            //   498b10               | mov                 rdx, qword ptr [r8]
            //   4885d2               | test                rdx, rdx
            //   0f84a60a0000         | je                  +0xaa6 (rel32)
            //   488b8f08070000       | mov                 rcx, qword ptr [rdi + 0x708]

        $sequence_4 = { 4885c9 0f84f6000000 85d2 0f84ee000000 4d85c0 0f84e5000000 4585c9 }
            // n = 7, score = 200
            //   4885c9               | test                rcx, rcx
            //   0f84f6000000         | je                  +0xf6 (rel32)
            //   85d2                 | test                edx, edx
            //   0f84ee000000         | je                  +0xee (rel32)
            //   4d85c0               | test                r8, r8
            //   0f84e5000000         | je                  +0xe5 (rel32)
            //   4585c9               | test                r9d, r9d

        $sequence_5 = { e8???????? 85c0 0f89dc000000 8b4318 488b93b0070000 83f803 751d }
            // n = 7, score = 200
            //   e8????????           | call                rel32 (target masked)
            //   85c0                 | test                eax, eax
            //   0f89dc000000         | jns                 +0xdc (rel32)
            //   8b4318               | mov                 eax, dword ptr [rbx + 0x18]
            //   488b93b0070000       | mov                 rdx, qword ptr [rbx + 0x7b0]
            //   83f803               | cmp                 eax, 3
            //   751d                 | jne                 +0x1d (rel8)

        $sequence_6 = { b801000000 eb0e 80fb5d 410f94c6 418bc6 eb02 33c0 }
            // n = 7, score = 200
            //   b801000000           | mov                 eax, 1
            //   eb0e                 | jmp                 +0xe (rel8)
            //   80fb5d               | cmp                 bl, 0x5d  (']')
            //   410f94c6             | sete                r14b
            //   418bc6               | mov                 eax, r14d
            //   eb02                 | jmp                 +0x2 (rel8)
            //   33c0                 | xor                 eax, eax

        $sequence_7 = { 89542470 4885c9 742a 48634310 398598030000 751e 488b5308 }
            // n = 7, score = 200
            //   89542470             | mov                 dword ptr [rsp + 0x70], edx
            //   4885c9               | test                rcx, rcx
            //   742a                 | je                  +0x2a (rel8)
            //   48634310             | movsxd              rax, dword ptr [rbx + 0x10]
            //   398598030000         | cmp                 dword ptr [rbp + 0x398], eax
            //   751e                 | jne                 +0x1e (rel8)
            //   488b5308             | mov                 rdx, qword ptr [rbx + 8]

        $sequence_8 = { 8bd7 e8???????? 85c0 0f8585000000 8b8b00010000 8d5001 4c8bcb }
            // n = 7, score = 200
            //   8bd7                 | mov                 edx, edi
            //   e8????????           | call                rel32 (target masked)
            //   85c0                 | test                eax, eax
            //   0f8585000000         | jne                 +0x85 (rel32)
            //   8b8b00010000         | mov                 ecx, dword ptr [rbx + 0x100]
            //   8d5001               | lea                 edx, [rax + 1]
            //   4c8bcb               | mov                 r9, rbx

        $sequence_9 = { 8b8390030000 83f801 0f8496000000 83f805 0f848d000000 488b8be8060000 ff15???????? }
            // n = 7, score = 200
            //   8b8390030000         | mov                 eax, dword ptr [rbx + 0x390]
            //   83f801               | cmp                 eax, 1
            //   0f8496000000         | je                  +0x96 (rel32)
            //   83f805               | cmp                 eax, 5
            //   0f848d000000         | je                  +0x8d (rel32)
            //   488b8be8060000       | mov                 rcx, qword ptr [rbx + 0x6e8]
            //   ff15????????         | call                qword ptr [rip + disp32] (masked)

    condition:
        // 7 of the 10 code sequences must be present; the size bound limits the
        // rule to files under ~1.4 MB (see REVIEW NOTES for the filesize caveat).
        7 of them and filesize < 1400832
}