win.unidentified_077

Unidentified 077 (Lazarus Downloader)

Actor(s): Lazarus Group


There is no description at this point. What the page itself establishes: the family is tagged alongside AppleJeus in the CISA and Symantec references below, and every byte pattern in the YARA rule carries x86-64 REX prefixes, so the tracked sample is 64-bit Windows code.

References
2021-02-18 · Symantec · Threat Hunter Team
@online{team:20210218:lazarus:f98481c, author = {Threat Hunter Team}, title = {{Lazarus: Three North Koreans Charged for Financially Motivated Attacks}}, date = {2021-02-18}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment}, language = {English}, urldate = {2023-08-21} } Lazarus: Three North Koreans Charged for Financially Motivated Attacks
Families referenced: AppleJeus · POOLRAT · Unidentified macOS 001 (UnionCryptoTrader) · AppleJeus · Unidentified 077 (Lazarus Downloader)
2021-02-17 · US-CERT · CISA
@online{cisa:20210217:malware:191d7ae, author = {CISA}, title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}}, date = {2021-02-17}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f}, language = {English}, urldate = {2023-06-29} } Malware Analysis Report (AR21-048F): AppleJeus: Dorusio
Families referenced: AppleJeus · AppleJeus · Unidentified 077 (Lazarus Downloader)
2020-06-28 · Twitter (@ccxsaber) · z3r0
@online{z3r0:20200628:sample:8355378, author = {z3r0}, title = {{Tweet on Sample}}, date = {2020-06-28}, organization = {Twitter (@ccxsaber)}, url = {https://twitter.com/ccxsaber/status/1277064824434745345}, language = {English}, urldate = {2020-07-15} } Tweet on Sample
Families referenced: Unidentified 077 (Lazarus Downloader)
Yara Rules
[TLP:WHITE] win_unidentified_077_auto (20230715 | Detects win.unidentified_077.)
rule win_unidentified_077_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.unidentified_077."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (comments only; meta, strings and condition are unchanged)
     * - Architecture: every sequence carries a REX prefix (0x41-0x4e) or a
     *   64-bit register form, so the sample is x86-64 and the hex must be read
     *   as 64-bit code. The mnemonic column shipped with the rule did not match
     *   the bytes beside it (e.g. 33c9 is "xor ecx, ecx", not "arpl"), so the
     *   column below has been re-decoded by hand. The hex is authoritative;
     *   re-check a decode before building analysis on it.
     * - Wildcards: each "ff15 ????????" / "e8 ????????" masks a RIP-relative
     *   call target, which keeps the sequences valid across relocations but
     *   means the rule says nothing about which import or routine is called.
     * - Coverage: the strings come from memory dumps / unpacked files (see the
     *   disclaimer), so a packed on-disk sample may not match; scan unpacked
     *   or dumped images.
     * - "filesize < 270336" (~264 KiB) bounds the scanned object, so a large
     *   dump will not match no matter how many strings hit. YARA documents
     *   filesize as undefined when scanning process memory - confirm the
     *   behaviour of your YARA version before relying on this rule that way.
     * - Only one sample is documented for this family (see disclaimer), so
     *   treat a hit as "code reuse with the reference sample", not proof of a
     *   specific variant.
     */

    strings:
        // API call with arg1 = 0, arg2 = rbp, result kept in r14 and NULL-checked.
        // The target is masked, so which function is called is not recoverable here.
        $sequence_0 = { 488bd5 33c9 ff15???????? 4c8bf0 4885c0 7510 }
            // n = 6, score = 600
            //   488bd5               | mov                 rdx, rbp
            //   33c9                 | xor                 ecx, ecx
            //   ff15????????         | call                qword ptr [rip+disp32]   (target masked)
            //   4c8bf0               | mov                 r14, rax
            //   4885c0               | test                rax, rax
            //   7510                 | jne                 +0x10

        // Indirect call with rcx = rsi, result in r14 and NULL-checked, then a second call.
        $sequence_1 = { 488bce ff15???????? 4c8bf0 4885c0 751b ff15???????? }
            // n = 6, score = 600
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip+disp32]   (target masked)
            //   4c8bf0               | mov                 r14, rax
            //   4885c0               | test                rax, rax
            //   751b                 | jne                 +0x1b
            //   ff15????????         | call                qword ptr [rip+disp32]   (target masked)

        // Loads a qword from an 8-byte-stride table at r15+0x1c740, NULL-checks it and
        // compares it with rdi. Presumably a pointer table indexed by rsi - confirm in the sample.
        $sequence_2 = { 498b9cf740c70100 4885db 7407 483bdf 747a }
            // n = 5, score = 600
            //   498b9cf740c70100     | mov                 rbx, qword ptr [r15 + rsi*8 + 0x1c740]
            //   4885db               | test                rbx, rbx
            //   7407                 | je                  +0x07
            //   483bdf               | cmp                 rbx, rdi
            //   747a                 | je                  +0x7a

        // PE header check: the dword at [rcx+r12] is compared with 0x4550 ("PE\0\0"),
        // then eax is loaded with 0x8664 (IMAGE_FILE_MACHINE_AMD64). Consistent with a
        // routine that walks a PE image in memory; the enclosing routine lies outside
        // this sequence, so its purpose (loader, import resolver, ...) is not established here.
        $sequence_3 = { 4c3be8 72c2 42813c2150450000 4c897c2460 4e8d3c21 7515 b864860000 }
            // n = 7, score = 600
            //   4c3be8               | cmp                 r13, rax
            //   72c2                 | jb                  -0x3e
            //   42813c2150450000     | cmp                 dword ptr [rcx + r12], 0x4550
            //   4c897c2460           | mov                 qword ptr [rsp + 0x60], r15
            //   4e8d3c21             | lea                 r15, [rcx + r12]
            //   7515                 | jne                 +0x15
            //   b864860000           | mov                 eax, 0x8664

        // Two adjacent byte loads from a 4-byte-stride table at rdx+0x14052; a table
        // lookup whose meaning cannot be determined from these bytes alone.
        $sequence_4 = { 0fb68c8252400100 0fb6b48253400100 8bd9 8bf8 }
            // n = 4, score = 600
            //   0fb68c8252400100     | movzx               ecx, byte ptr [rdx + rax*4 + 0x14052]
            //   0fb6b48253400100     | movzx               esi, byte ptr [rdx + rax*4 + 0x14053]
            //   8bd9                 | mov                 ebx, ecx
            //   8bf8                 | mov                 edi, eax

        // Prologue-style save of the r9/r8/rdx arguments into callee-saved registers,
        // then a qword load from the same r15-relative table region as $sequence_2 (0x1c7e0).
        $sequence_5 = { 4d8be1 498be8 4c8bea 4b8b8cf7e0c70100 4c8b15???????? }
            // n = 5, score = 600
            //   4d8be1               | mov                 r12, r9
            //   498be8               | mov                 rbp, r8
            //   4c8bea               | mov                 r13, rdx
            //   4b8b8cf7e0c70100     | mov                 rcx, qword ptr [r15 + r14*8 + 0x1c7e0]
            //   4c8b15????????       | mov                 r10, qword ptr [rip+disp32]   (target masked)

        // Bounds check (rdx vs r8) followed by passing rbp+0x4d0 as the second argument
        // of a call - presumably a buffer inside an rbp-based frame or structure; confirm.
        $sequence_6 = { eb28 493bd0 720e 488d95d0040000 e8???????? }
            // n = 5, score = 600
            //   eb28                 | jmp                 +0x28
            //   493bd0               | cmp                 rdx, r8
            //   720e                 | jb                  +0x0e
            //   488d95d0040000       | lea                 rdx, [rbp + 0x4d0]
            //   e8????????           | call                rel32   (target masked)

        // Call with ecx = 0x10, result kept in rsi and NULL-checked with a long jump.
        // Looks like a 16-byte allocation, but the callee is masked - verify.
        $sequence_7 = { 6690 b910000000 e8???????? 488bf0 4885c0 0f84ef000000 }
            // n = 6, score = 600
            //   6690                 | xchg                ax, ax   (2-byte nop)
            //   b910000000           | mov                 ecx, 0x10
            //   e8????????           | call                rel32   (target masked)
            //   488bf0               | mov                 rsi, rax
            //   4885c0               | test                rax, rax
            //   0f84ef000000         | je                  +0xef

        // In-place 16-byte-wide XOR loop: load from [rax+rbx], pxor with xmm1, store back,
        // loop while edx < r9d. xmm1 (the key) is set outside this sequence. This is the
        // most specific pattern in the rule and looks like a buffer decode/encode routine.
        $sequence_8 = { f30f6f0418 660fefc1 f30f7f0418 413bd1 72d7 413bd0 }
            // n = 6, score = 600
            //   f30f6f0418           | movdqu              xmm0, xmmword ptr [rax + rbx]
            //   660fefc1             | pxor                xmm0, xmm1
            //   f30f7f0418           | movdqu              xmmword ptr [rax + rbx], xmm0
            //   413bd1               | cmp                 edx, r9d
            //   72d7                 | jb                  -0x29
            //   413bd0               | cmp                 edx, r8d

        // Argument set-up on the fall-through path (rax == 0 there, so r9d becomes 4):
        // r8d = 0x3000 (MEM_COMMIT|MEM_RESERVE), r9d = 4 (PAGE_READWRITE), rdx = rbp.
        // Matches a VirtualAlloc-style call; the call itself is outside this sequence,
        // so confirm against the sample's imports.
        $sequence_9 = { 4c8bf0 4885c0 752d 448d4804 41b800300000 488bd5 }
            // n = 6, score = 600
            //   4c8bf0               | mov                 r14, rax
            //   4885c0               | test                rax, rax
            //   752d                 | jne                 +0x2d
            //   448d4804             | lea                 r9d, [rax + 4]
            //   41b800300000         | mov                 r8d, 0x3000
            //   488bd5               | mov                 rdx, rbp

    // Any 7 of the 10 sequences, on an object smaller than 270336 bytes (~264 KiB).
    // See the review notes above on filesize and on packed vs. unpacked input.
    condition:
        7 of them and filesize < 270336
}