win.snatchcrypto (Back to overview)

SnatchCrypto

Actor(s): Lazarus Group


Malware observed in the SnatchCrypto campaign; Kaspersky Labs attributes it to BlueNoroff with high confidence.

References
2023-05-01JPCERT/CCShusei Tomonaga
@online{tomonaga:20230501:attack:5c3693e, author = {Shusei Tomonaga}, title = {{Attack trends related to the attack campaign DangerousPassword}}, date = {2023-05-01}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html}, language = {English}, urldate = {2023-05-02} } Attack trends related to the attack campaign DangerousPassword
SnatchCrypto
2022-12-16SekoiaThreat & Detection Research Team
@online{team:20221216:dprk:4abe047, author = {Threat & Detection Research Team}, title = {{The DPRK delicate sound of cyber}}, date = {2022-12-16}, organization = {Sekoia}, url = {https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/}, language = {English}, urldate = {2022-12-29} } The DPRK delicate sound of cyber
AppleJeus AppleJeus SnatchCrypto
2022-01-13Kaspersky LabsSeongsu Park, Vitaly Kamluk
@online{park:20220113:bluenoroff:a3ce5e4, author = {Seongsu Park and Vitaly Kamluk}, title = {{The BlueNoroff cryptocurrency hunt is still on}}, date = {2022-01-13}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/}, language = {English}, urldate = {2022-01-17} } The BlueNoroff cryptocurrency hunt is still on
SnatchCrypto
2020-10-03VB LocalhostTakai Hajime, Shogo Hayashi, Rintaro Koike
@online{hajime:20201003:unveiling:826bb2b, author = {Takai Hajime and Shogo Hayashi and Rintaro Koike}, title = {{Unveiling the CryptoMimic}}, date = {2020-10-03}, organization = {VB Localhost}, url = {https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/}, language = {English}, urldate = {2023-05-24} } Unveiling the CryptoMimic
CageyChameleon SnatchCrypto
2019-11-21ThreatBookThreatBook
@techreport{threatbook:20191121:nightmare:f88dec3, author = {ThreatBook}, title = {{The Nightmare of Global Cryptocurrency Companies -Demystifying the “DangerousPassword” of the APT Organization}}, date = {2019-11-21}, institution = {ThreatBook}, url = {https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf}, language = {English}, urldate = {2022-08-12} } The Nightmare of Global Cryptocurrency Companies -Demystifying the “DangerousPassword” of the APT Organization
SnatchCrypto
Yara Rules
[TLP:WHITE] win_snatchcrypto_auto (20230407 | Detects win.snatchcrypto.)
// Autogenerated Malpedia rule for win.snatchcrypto (see the meta and DISCLAIMER
// sections below for provenance and the limits of its generalization).
rule win_snatchcrypto_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.snatchcrypto."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto"
        malpedia_rule_date = "20230328"
        // presumably the hash of the reference sample the sequences were lifted from — confirm on the Malpedia page
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): each $sequence_N is a run of raw opcode bytes; "??" is a
     * YARA wildcard byte. Here the wildcards sit after e8 (x86 CALL rel32),
     * masking the relative call targets that change between builds.
     * The "| mnemonic" column is the generator's annotation and does not
     * appear to line up with the hex on the left (e.g. the 0x48/0x49/0x4c REX
     * prefixes of 64-bit code are rendered as 32-bit "dec eax"/"inc ecx"), so
     * treat the hex bytes, not the mnemonics, as the matched pattern.
     */

    strings:
        $sequence_0 = { 488d842488000000 488bcd 4c8bcb 4889442420 e8???????? 8bf0 85c0 }
            // n = 7, score = 200
            //   488d842488000000     | dec                 eax
            //   488bcd               | add                 esp, 0x20
            //   4c8bcb               | pop                 ebx
            //   4889442420           | ret                 
            //   e8????????           |                     
            //   8bf0                 | mov                 eax, dword ptr [ecx + 0x8a7c]
            //   85c0                 | mov                 dword ptr [ebx], eax

        $sequence_1 = { 8b5710 413b505c 7504 8bc3 eb05 1bc0 83d8ff }
            // n = 7, score = 200
            //   8b5710               | inc                 ecx
            //   413b505c             | add                 eax, dword ptr [esi + 0x40]
            //   7504                 | inc                 esi
            //   8bc3                 | lea                 eax, [eax + ecx + 0x5c4dd124]
            //   eb05                 | inc                 ecx
            //   1bc0                 | rol                 eax, 0xc
            //   83d8ff               | inc                 ebp

        $sequence_2 = { 884101 410fb6817f020000 884102 b800400000 6641858194030000 750d 0fb7c2 }
            // n = 7, score = 200
            //   884101               | movzx               eax, cl
            //   410fb6817f020000     | inc                 ecx
            //   884102               | movzx               ecx, byte ptr [edx + eax*4 + 0x88d80]
            //   b800400000           | movzx               eax, byte ptr [esi + 4]
            //   6641858194030000     | inc                 ebp
            //   750d                 | xor                 eax, dword ptr [edx + ecx*4 + 0x8a180]
            //   0fb7c2               | movzx               ecx, al

        $sequence_3 = { 488d0d7f650100 4d8bc5 488bd3 e8???????? 498b4c2428 488bd8 4885c9 }
            // n = 7, score = 200
            //   488d0d7f650100       | inc                 esp
            //   4d8bc5               | cmp                 dword ptr [ebx + 0x4b0], edi
            //   488bd3               | je                  0x3f5
            //   e8????????           |                     
            //   498b4c2428           | test                eax, eax
            //   488bd8               | je                  0x30f
            //   4885c9               | dec                 esp

        $sequence_4 = { e8???????? 448d2c3f 0fb7be82020000 4963d5 488d8e14030000 448bc7 4803d5 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   448d2c3f             | dec                 eax
            //   0fb7be82020000       | lea                 edx, [0x1f817]
            //   4963d5               | dec                 eax
            //   488d8e14030000       | mov                 ecx, ebp
            //   448bc7               | mov                 dword ptr [ebp + 0x8970], 1
            //   4803d5               | dec                 ecx

        $sequence_5 = { c783a408000001000000 eb7d 488d15fd7f0200 488d4c2420 e8???????? 85c0 7433 }
            // n = 7, score = 200
            //   c783a408000001000000     | dec    eax
            //   eb7d                 | xor                 eax, esp
            //   488d15fd7f0200       | dec                 eax
            //   488d4c2420           | mov                 dword ptr [esp + 0x470], eax
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7433                 | mov                 eax, dword ptr [esp + 0x4e8]

        $sequence_6 = { f30fe6c0 f20f58c8 660f2fcc f2410f118d60070000 f24c0f2cf1 7606 660f28d1 }
            // n = 7, score = 200
            //   f30fe6c0             | add                 ecx, dword ptr [edi + eax + 0xc]
            //   f20f58c8             | mov                 eax, ebx
            //   660f2fcc             | inc                 esp
            //   f2410f118d60070000     | add    ecx, esi
            //   f24c0f2cf1           | inc                 ecx
            //   7606                 | and                 eax, ebx
            //   660f28d1             | inc                 esp

        $sequence_7 = { 4885c0 7419 3990ac020000 7411 e8???????? 85c0 7508 }
            // n = 7, score = 200
            //   4885c0               | inc                 esp
            //   7419                 | mov                 ecx, edx
            //   3990ac020000         | inc                 esp
            //   7411                 | mov                 byte ptr [eax + ecx + 0x1f60], bl
            //   e8????????           |                     
            //   85c0                 | inc                 dword ptr [ecx + 0x1af60]
            //   7508                 | dec                 esp

        $sequence_8 = { e8???????? 8bd8 85c0 0f85ce020000 4c8d442460 498bd7 488bce }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8bd8                 | inc                 ecx
            //   85c0                 | mov                 ah, 1
            //   0f85ce020000         | xor                 ecx, ecx
            //   4c8d442460           | dec                 eax
            //   498bd7               | lea                 ecx, [0x1d837]
            //   488bce               | dec                 eax

        $sequence_9 = { e8???????? eb6b 4883c9ff 33c0 488bfd f2ae 488d15c0ab0200 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   eb6b                 | mov                 ecx, ebx
            //   4883c9ff             | dec                 eax
            //   33c0                 | mov                 ecx, edi
            //   488bfd               | mov                 edx, eax
            //   f2ae                 | inc                 ecx
            //   488d15c0ab0200       | mov                 eax, 0x2a8

    condition:
        // Any 7 of the 10 byte sequences must be present, and the scanned
        // object must be smaller than 1400832 bytes (about 1.34 MiB): larger
        // objects never match this rule regardless of their content, so keep
        // that ceiling in mind when applying it to memory dumps or padded files.
        7 of them and filesize < 1400832
}