win.torisma

Torisma

Actor(s): Lazarus Group


There is no description at this point.

References
2021-04-15 — AhnLab — AhnLab ASEC Analysis Team
@techreport{team:20210415:operation:98f465e, author = {AhnLab ASEC Analysis Team}, title = {{Operation Dream Job Targeting Job Seekers in South Korea}}, date = {2021-04-15}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf}, language = {English}, urldate = {2021-05-25} } Operation Dream Job Targeting Job Seekers in South Korea
LCPDot Torisma
2021-01-29 — NSFOCUS — Fuying Laboratory
@online{laboratory:20210129:stumbzarusaptlazarus:4d0bf52, author = {Fuying Laboratory}, title = {{认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析}}, date = {2021-01-29}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/stumbzarus-apt-lazarus/}, language = {Chinese}, urldate = {2021-02-02} } 认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析
DRATzarus Torisma
2021-01-26 — JPCERT/CC — Shusei Tomonaga
@online{tomonaga:20210126:operation:bc16746, author = {Shusei Tomonaga}, title = {{Operation Dream Job by Lazarus}}, date = {2021-01-26}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html}, language = {English}, urldate = {2021-01-27} } Operation Dream Job by Lazarus
LCPDot Torisma Lazarus Group
2020-11-05 — McAfee — Christiaan Beek, Ryan Sherstobitoff
@online{beek:20201105:operation:ca0ac54, author = {Christiaan Beek and Ryan Sherstobitoff}, title = {{Operation North Star: Behind The Scenes}}, date = {2020-11-05}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/}, language = {English}, urldate = {2022-02-17} } Operation North Star: Behind The Scenes
Torisma
Yara Rules
[TLP:WHITE] win_torisma_auto (20220411 | Detects win.torisma.)
rule win_torisma_auto {

    // Auto-generated code-sequence signature for the Torisma family (win.torisma),
    // produced by YARA-Signator from the disassembly of memory dumps / unpacked
    // files (see the DISCLAIMER block below).
    //
    // What this rule matches is the hex byte sequences under `strings:`. The
    // `| mnemonic` column written next to each byte group is informational only
    // and, in this rule, does not correspond line-by-line to the bytes on its
    // left (e.g. `8bca` encodes `mov ecx, edx`, not `dec eax`). Do not rely on
    // those annotations when reasoning about what code is matched; disassemble
    // the bytes themselves if the matched code matters.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.torisma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Ten instruction-byte sequences ($sequence_0 .. $sequence_9). Each `//` line
    // under a sequence was emitted by the generator; `n` is the number of
    // instructions in the sequence and `score` its selection score.
    // NOTE(review): most sequences start with 0x48 bytes (e.g. `488b4c2450`),
    // which is the REX.W prefix in 64-bit code, and the recurring `dec eax`
    // annotations look like a 32-bit decode of that prefix — so the sequences
    // appear to come from a 64-bit build; confirm against the sample.
    strings:
        $sequence_0 = { 8bca 83e101 c1e103 8b9424a8000000 0bd1 8bca 898c24ac000000 }
            // n = 7, score = 100
            //   8bca                 | dec                 eax
            //   83e101               | mov                 ecx, dword ptr [ecx]
            //   c1e103               | mov                 ecx, dword ptr [ecx + 0x40]
            //   8b9424a8000000       | imul                ecx, ecx, 0x3c
            //   0bd1                 | mov                 ecx, ecx
            //   8bca                 | xor                 ecx, ecx
            //   898c24ac000000       | mov                 eax, dword ptr [esp + 0x30]

        $sequence_1 = { c6842485010000ce c68424860100007c c6842487010000af c684248801000059 c68424890100002d c684248a010000f6 c684248b010000d3 }
            // n = 7, score = 100
            //   c6842485010000ce     | cmp                 dword ptr [esp + 0x58], 0
            //   c68424860100007c     | je                  0x623
            //   c6842487010000af     | mov                 eax, dword ptr [esp + 0x20]
            //   c684248801000059     | shr                 eax, 8
            //   c68424890100002d     | mov                 ecx, dword ptr [esp + 0x24]
            //   c684248a010000f6     | dec                 eax
            //   c684248b010000d3     | mov                 edx, dword ptr [esp + 0x58]

        // `e8????????` is a `call rel32` whose 4-byte displacement is wildcarded,
        // since the target offset differs between builds and load addresses.
        $sequence_2 = { 7419 ba01000000 488b4c2450 e8???????? 4889842480000000 }
            // n = 5, score = 100
            //   7419                 | dec                 eax
            //   ba01000000           | mov                 dword ptr [esp + 0x30], eax
            //   488b4c2450           | dec                 eax
            //   e8????????           |                     
            //   4889842480000000     | sub                 esp, 0x68

        $sequence_3 = { eb12 817c245833280000 7508 c744243033280000 eb08 c744243033280000 }
            // n = 6, score = 100
            //   eb12                 | shr                 ecx, 5
            //   817c245833280000     | and                 ecx, 1
            //   7508                 | xor                 eax, ecx
            //   c744243033280000     | dec                 eax
            //   eb08                 | mov                 ecx, dword ptr [esp + 0x50]
            //   c744243033280000     | dec                 eax

        $sequence_4 = { b862000000 6689442442 b862000000 6689442444 }
            // n = 4, score = 100
            //   b862000000           | lea                 edx, dword ptr [0x153bc]
            //   6689442442           | dec                 eax
            //   b862000000           | mov                 ecx, eax
            //   6689442444           | dec                 esp

        $sequence_5 = { 48894c2408 4883ec38 c7442420514b0000 488d15a3360100 488b4c2448 }
            // n = 5, score = 100
            //   48894c2408           | dec                 eax
            //   4883ec38             | mov                 eax, dword ptr [eax]
            //   c7442420514b0000     | dec                 eax
            //   488d15a3360100       | add                 eax, 0x38
            //   488b4c2448           | mov                 dword ptr [eax + 0x40], 0

        $sequence_6 = { 33c0 b904810200 f3aa c74424309d9c0000 488b8424c0000000 488b00 }
            // n = 6, score = 100
            //   33c0                 | mov                 ecx, dword ptr [eax]
            //   b904810200           | dec                 esp
            //   f3aa                 | lea                 ecx, dword ptr [esp + 0x38]
            //   c74424309d9c0000     | inc                 ecx
            //   488b8424c0000000     | mov                 eax, 1
            //   488b00               | xor                 edx, edx

        $sequence_7 = { 488b8eb8000000 4c8d25c70e0100 f0ff09 7511 }
            // n = 4, score = 100
            //   488b8eb8000000       | dec                 eax
            //   4c8d25c70e0100       | mov                 ecx, dword ptr [esp + 0x60]
            //   f0ff09               | dec                 eax
            //   7511                 | mov                 eax, dword ptr [esp + 0x38]

        $sequence_8 = { 48c78424e000000000000000 48837c244000 7423 488b442440 48898424a0000000 488b8c24a0000000 }
            // n = 6, score = 100
            //   48c78424e000000000000000     | dec    eax
            //   48837c244000         | lea                 edx, dword ptr [esp + 0x5c]
            //   7423                 | dec                 eax
            //   488b442440           | mov                 ecx, dword ptr [eax + 0xc0]
            //   48898424a0000000     | dec                 eax
            //   488b8c24a0000000     | lea                 eax, dword ptr [0x132d3]

        $sequence_9 = { 48894c2408 56 57 4881ec98000000 c744244000000000 c744243400000000 c744243000000000 }
            // n = 7, score = 100
            //   48894c2408           | dec                 eax
            //   56                   | mov                 dword ptr [ecx], eax
            //   57                   | push                edi
            //   4881ec98000000       | dec                 eax
            //   c744244000000000     | sub                 esp, 0x20
            //   c744243400000000     | dec                 eax
            //   c744243000000000     | lea                 eax, dword ptr [0x124c7]

    // A hit needs any 7 of the 10 sequences and a scanned object smaller than
    // 322560 bytes (315 KiB). The size cap means larger carriers (packed or
    // embedded copies, full memory images) will not match even if the code
    // sequences are present. Per the DISCLAIMER, the sequences were selected
    // from a single documented sample, so treat a hit as specific to that
    // build and a miss as weak evidence against other Torisma variants.
    condition:
        7 of them and filesize < 322560
}