SYMBOLCOMMON_NAMEaka. SYNONYMS
win.torisma (Back to overview)

Torisma

Actor(s): Lazarus Group


There is no description at this point.

References
2021-04-15AhnLabAhnLab ASEC Analysis Team
@techreport{team:20210415:operation:98f465e, author = {AhnLab ASEC Analysis Team}, title = {{Operation Dream Job Targeting Job Seekers in South Korea}}, date = {2021-04-15}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf}, language = {English}, urldate = {2021-05-25} } Operation Dream Job Targeting Job Seekers in South Korea
LCPDot Torisma
2021-01-29NSFOCUSFuying Laboratory
@online{laboratory:20210129:stumbzarusaptlazarus:4d0bf52, author = {Fuying Laboratory}, title = {{认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析}}, date = {2021-01-29}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/stumbzarus-apt-lazarus/}, language = {Chinese}, urldate = {2021-02-02} } 认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析
DRATzarus Torisma
2021-01-26JPCERT/CCShusei Tomonaga
@online{tomonaga:20210126:operation:bc16746, author = {Shusei Tomonaga}, title = {{Operation Dream Job by Lazarus}}, date = {2021-01-26}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html}, language = {English}, urldate = {2021-01-27} } Operation Dream Job by Lazarus
LCPDot Torisma Lazarus Group
2020-11-05McAfeeChristiaan Beek, Ryan Sherstobitoff
@online{beek:20201105:operation:ca0ac54, author = {Christiaan Beek and Ryan Sherstobitoff}, title = {{Operation North Star: Behind The Scenes}}, date = {2020-11-05}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/}, language = {English}, urldate = {2022-02-17} } Operation North Star: Behind The Scenes
Torisma
Yara Rules
[TLP:WHITE] win_torisma_auto (20221125 | Detects win.torisma.)
rule win_torisma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.torisma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b842488010000 488b8c2478010000 488d4481ec 48890424 488b842480010000 }
            // n = 5, score = 100
            //   8b842488010000       | dec                 eax
            //   488b8c2478010000     | add                 eax, 4
            //   488d4481ec           | dec                 eax
            //   48890424             | mov                 ecx, dword ptr [eax + 8]
            //   488b842480010000     | dec                 eax

        $sequence_1 = { eb0e c70424514b0000 8b0424 89442404 8b0424 }
            // n = 5, score = 100
            //   eb0e                 | mov                 eax, dword ptr [esp + 0xf0]
            //   c70424514b0000       | dec                 eax
            //   8b0424               | mov                 dword ptr [esp + 0x98], eax
            //   89442404             | dec                 eax
            //   8b0424               | mov                 eax, dword ptr [esp + 0x98]

        $sequence_2 = { c684242c010000ad c684242d010000e6 c684242e01000070 c684242f0100002c c68424300100001f c68424310100002d c68424320100008d }
            // n = 7, score = 100
            //   c684242c010000ad     | dec                 eax
            //   c684242d010000e6     | mov                 eax, dword ptr [esp + 0x78]
            //   c684242e01000070     | dec                 eax
            //   c684242f0100002c     | mov                 dword ptr [esp + 0xb8], eax
            //   c68424300100001f     | dec                 eax
            //   c68424310100002d     | mov                 ecx, dword ptr [esp + 0xb8]
            //   c68424320100008d     | dec                 eax

        $sequence_3 = { 4889442420 33c9 e8???????? 488b4c2420 483bc8 7f82 b833280000 }
            // n = 7, score = 100
            //   4889442420           | mov                 eax, 0x31
            //   33c9                 | mov                 word ptr [esp + 0x3a], ax
            //   e8????????           |                     
            //   488b4c2420           | mov                 eax, 0x31
            //   483bc8               | mov                 word ptr [esp + 0x38], ax
            //   7f82                 | mov                 eax, 0x31
            //   b833280000           | mov                 word ptr [esp + 0x3a], ax

        $sequence_4 = { 488b4c2458 482bc8 488bc1 488b4c2450 488b542438 488d0c51 48c7442420ffffff7f }
            // n = 7, score = 100
            //   488b4c2458           | xor                 eax, ecx
            //   482bc8               | dec                 eax
            //   488bc1               | mov                 ecx, dword ptr [esp + 0x50]
            //   488b4c2450           | mov                 ecx, dword ptr [ecx + 0x6c]
            //   488b542438           | mov                 ecx, dword ptr [ecx + 0x6c]
            //   488d0c51             | shr                 ecx, 0xa
            //   48c7442420ffffff7f     | and    ecx, 1

        $sequence_5 = { 488b8c2420010000 48894808 488b842480000000 48c7401000000000 41b918000000 4c8b842480000000 ba26000000 }
            // n = 7, score = 100
            //   488b8c2420010000     | mov                 eax, ecx
            //   48894808             | mov                 dword ptr [esp + 0x30], eax
            //   488b842480000000     | dec                 eax
            //   48c7401000000000     | mov                 eax, dword ptr [esp + 0x50]
            //   41b918000000         | mov                 eax, dword ptr [eax + 0x4c]
            //   4c8b842480000000     | shr                 eax, 0x19
            //   ba26000000           | and                 eax, 1

        $sequence_6 = { 488d1567fe0000 83e11f 48c1f805 486bc958 48030cc2 eb07 }
            // n = 6, score = 100
            //   488d1567fe0000       | xor                 eax, ecx
            //   83e11f               | dec                 eax
            //   48c1f805             | mov                 ecx, dword ptr [esp + 0x20]
            //   486bc958             | mov                 ecx, dword ptr [ecx + 8]
            //   48030cc2             | shr                 ecx, 1
            //   eb07                 | and                 ecx, 1

        $sequence_7 = { 458b00 41c1e807 4183e001 41c1e004 410bd0 c1ea05 8bd2 }
            // n = 7, score = 100
            //   458b00               | mov                 ecx, eax
            //   41c1e807             | inc                 ecx
            //   4183e001             | and                 eax, 0x1f
            //   41c1e004             | dec                 eax
            //   410bd0               | sar                 ecx, 5
            //   c1ea05               | dec                 ebp
            //   8bd2                 | imul                eax, eax, 0x58

        $sequence_8 = { 8b9424bc000000 0bd1 8bca 898c24c0000000 488b542478 8b520c 488b7c2470 }
            // n = 7, score = 100
            //   8b9424bc000000       | and                 eax, 1
            //   0bd1                 | xor                 ecx, eax
            //   8bca                 | mov                 eax, ecx
            //   898c24c0000000       | mov                 dword ptr [esp + 0x30], eax
            //   488b542478           | dec                 eax
            //   8b520c               | mov                 eax, dword ptr [esp + 0x50]
            //   488b7c2470           | mov                 eax, dword ptr [eax + 0x54]

        $sequence_9 = { 8b442424 8b4c2420 03c8 8bc1 89442420 488b842488000000 8b4c2428 }
            // n = 7, score = 100
            //   8b442424             | je                  0x37e
            //   8b4c2420             | dec                 eax
            //   03c8                 | lea                 edx, [0xb41e]
            //   8bc1                 | jbe                 0x34a
            //   89442420             | dec                 eax
            //   488b842488000000     | mov                 dword ptr [esp + 0x48], 0
            //   8b4c2428             | mov                 ecx, 0x28104

    condition:
        7 of them and filesize < 322560
}
Download all Yara Rules