Unidentified 077 (Lazarus Downloader) (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.unidentified_077 (Back to overview)
Unidentified 077 (Lazarus Downloader)

Actor(s): Lazarus Group
There is no description at this point.
References

2020-06-28 ⋅ Twitter (@ccxsaber) ⋅ z3r0
Tweet on Sample
Unidentified 077 (Lazarus Downloader)
Yara Rules

[TLP:WHITE] win_unidentified_077_auto (20230125 | Detects win.unidentified_077.)
rule win_unidentified_077_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.unidentified_077."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 410fb74716 c1e80d 83e001 48896e58 894620 488d058dfcffff 48894628 }
            // n = 7, score = 600
            //   410fb74716           | mov                 ecx, esi
            //   c1e80d               | test                eax, eax
            //   83e001               | dec                 eax
            //   48896e58             | mov                 edx, dword ptr [ebp + 0x740]
            //   894620               | dec                 esp
            //   488d058dfcffff       | lea                 eax, [0x6470]
            //   48894628             | dec                 ecx

        $sequence_1 = { 48895c2458 ff15???????? 488bf8 4885c0 750e ff15???????? }
            // n = 6, score = 600
            //   48895c2458           | nop                 dword ptr [eax + eax]
            //   ff15????????         |                     
            //   488bf8               | inc                 ecx
            //   4885c0               | mov                 eax, 0x8000
            //   750e                 | dec                 eax
            //   ff15????????         |                     

        $sequence_2 = { 85c0 7556 e8???????? e8???????? 85c0 740c 488d0dc9060000 }
            // n = 7, score = 600
            //   85c0                 | je                  0x15a
            //   7556                 | or                  eax, 0xffffffff
            //   e8????????           |                     
            //   e8????????           |                     
            //   85c0                 | lock xadd           dword ptr [ecx], eax
            //   740c                 | cmp                 eax, 1
            //   488d0dc9060000       | jne                 0x178

        $sequence_3 = { 4883ec38 33c0 4c8d05b3feffff 4889442428 4533c9 }
            // n = 5, score = 600
            //   4883ec38             | mov                 eax, eax
            //   33c0                 | mov                 ecx, ebx
            //   4c8d05b3feffff       | dec                 ecx
            //   4889442428           | add                 ecx, esp
            //   4533c9               | test                eax, eax

        $sequence_4 = { 8d41ff 8b8482e8400100 85c0 7462 83f801 }
            // n = 5, score = 600
            //   8d41ff               | mov                 ecx, 0x40
            //   8b8482e8400100       | and                 eax, 0x3f
            //   85c0                 | sub                 ecx, eax
            //   7462                 | dec                 eax
            //   83f801               | lea                 edi, [0x12d6d]

        $sequence_5 = { 488bd5 ff15???????? 4c8bf0 4885c0 752d 448d4804 41b800300000 }
            // n = 7, score = 600
            //   488bd5               | mov                 dword ptr [esi + 0x38], eax
            //   ff15????????         |                     
            //   4c8bf0               | dec                 eax
            //   4885c0               | lea                 eax, [0xfffffc9c]
            //   752d                 | dec                 eax
            //   448d4804             | mov                 dword ptr [esi + 0x40], eax
            //   41b800300000         | dec                 eax

        $sequence_6 = { 7508 8d4301 e9???????? 41b8bb010000 4c89b424e00d0000 4533c9 488d95c0020000 }
            // n = 7, score = 600
            //   7508                 | mov                 ecx, esi
            //   8d4301               | test                eax, eax
            //   e9????????           |                     
            //   41b8bb010000         | je                  0xf3
            //   4c89b424e00d0000     | inc                 esp
            //   4533c9               | mov                 eax, eax
            //   488d95c0020000       | mov                 ecx, dword ptr [edx + 4]

        $sequence_7 = { 488d0dc9060000 e8???????? e8???????? e8???????? }
            // n = 4, score = 600
            //   488d0dc9060000       | dec                 eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_8 = { 498784f740c70100 eb1e 488bc3 498784f740c70100 4885c0 7409 488bcb }
            // n = 7, score = 600
            //   498784f740c70100     | lea                 edx, [0x12fbd]
            //   eb1e                 | and                 ecx, 0x3f
            //   488bc3               | dec                 eax
            //   498784f740c70100     | mov                 eax, ebp
            //   4885c0               | dec                 eax
            //   7409                 | sar                 eax, 6
            //   488bcb               | dec                 eax

        $sequence_9 = { 48d3ca 4933d0 4b8794f7e0c70100 eb2d 4c8b15???????? ebb8 }
            // n = 6, score = 600
            //   48d3ca               | mov                 dword ptr [esi + eax], ebp
            //   4933d0               | dec                 eax
            //   4b8794f7e0c70100     | lea                 edx, [0x13159]
            //   eb2d                 | dec                 eax
            //   4c8b15????????       |                     
            //   ebb8                 | mov                 ecx, ebx

    condition:
        7 of them and filesize < 270336
}
Download all Yara Rules
Unidentified 077 (Lazarus Downloader) Propose Change

References

Yara Rules

Unidentified 077 (Lazarus Downloader)
