win.volgmer

Volgmer

aka: FALLCHILL, Manuscrypt

Actor(s): Lazarus Group


There is no description at this point.

References
2021-02-25 — Kaspersky Labs — Vyacheslav Kopeytsev, Seongsu Park
@online{kopeytsev:20210225:lazarus:c887c21, author = {Vyacheslav Kopeytsev and Seongsu Park}, title = {{Lazarus targets defense industry with ThreatNeedle}}, date = {2021-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-threatneedle/100803/}, language = {English}, urldate = {2021-02-25} } Lazarus targets defense industry with ThreatNeedle
Volgmer
2021-01-27 — S2W LAB Inc. — Sojun Ryu
@online{ryu:20210127:analysis:d2bb250, author = {Sojun Ryu}, title = {{Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74}, language = {English}, urldate = {2021-01-27} } Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)
Volgmer
2021-01-27 — S2W LAB Inc. — Sojun Ryu
@online{ryu:20210127:how:7dcce24, author = {Sojun Ryu}, title = {{How to communicate between RAT infected devices (White paper)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view}, language = {English}, urldate = {2021-01-27} } How to communicate between RAT infected devices (White paper)
Volgmer
2020-07-29 — Kaspersky Labs — GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-05-07 — AVAR — Mark Lechtik, Ariel Jugnheit
@online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jugnheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} } The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market
Volgmer
2020-02-19 — Lexfo — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 — Secureworks — SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-08-23 — Kaspersky Labs — GReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group
2017-11-14 — US-CERT — US-CERT
@online{uscert:20171114:alert:4bf4ff5, author = {US-CERT}, title = {{Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer}}, date = {2017-11-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-318B}, language = {English}, urldate = {2020-01-08} } Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer
Volgmer Lazarus Group
Yara Rules
[TLP:WHITE] win_volgmer_auto (20211008 | Detects win.volgmer.)
rule win_volgmer_auto {
    // Autogenerated (yara-signator) code-sequence signature for the Volgmer
    // family tracked on Malpedia as win.volgmer. Each $sequence_N is a run of
    // opcode bytes selected from the disassembly of unpacked samples; the "??"
    // wildcards mask the operands the generator was configured to ignore
    // (call/jump targets and data references, per signator_config below).
    // The hex bytes are the signature; the mnemonic column in the comments
    // is informational only (see the note under strings:).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.volgmer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the per-byte mnemonic column in the comments below is
        // autogenerated and, in most of the REX-prefixed (64-bit) sequences, is
        // visibly out of step with the opcode bytes (e.g. $sequence_0 annotates
        // the single byte 55 as "dec eax"). Treat the hex bytes as authoritative
        // and re-disassemble them if you need to understand what a sequence does.
        // "score" appears to be the generator's per-sequence weight; "n" is the
        // number of instructions in the sequence.
        $sequence_0 = { 48897c2418 55 488d6c24b0 4881ec50010000 488b05???????? 4833c4 }
            // n = 6, score = 300
            //   48897c2418           | xor                 ecx, esp
            //   55                   | dec                 eax
            //   488d6c24b0           | mov                 ebx, dword ptr [esp + 0x298]
            //   4881ec50010000       | dec                 eax
            //   488b05????????       |                     
            //   4833c4               | mov                 ecx, dword ptr [esp + 0x250]

        $sequence_1 = { e8???????? 4c8d9c2450010000 498b5b18 498b7b20 498be3 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   4c8d9c2450010000     | dec                 eax
            //   498b5b18             | mov                 ecx, dword ptr [esp + 0x250]
            //   498b7b20             | dec                 eax
            //   498be3               | xor                 ecx, esp

        $sequence_2 = { 4885c0 0f8409020000 4533c9 458be9 b800400000 4585ed 755a }
            // n = 7, score = 200
            //   4885c0               | dec                 eax
            //   0f8409020000         | sub                 esp, 0x150
            //   4533c9               | dec                 eax
            //   458be9               | mov                 dword ptr [esp + 0x18], edi
            //   b800400000           | push                ebp
            //   4585ed               | dec                 eax
            //   755a                 | lea                 ebp, dword ptr [esp - 0x50]

        $sequence_3 = { d1c6 c1c105 03c6 89742404 03c3 }
            // n = 5, score = 200
            //   d1c6                 | inc                 ecx
            //   c1c105               | pop                 ebp
            //   03c6                 | pop                 ebx
            //   89742404             | rol                 esi, 1
            //   03c3                 | rol                 ecx, 5

        $sequence_4 = { e8???????? 4189442408 4d85ff 7425 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   4189442408           | mov                 dword ptr [esp + 4], esi
            //   4d85ff               | add                 eax, ebx
            //   7425                 | mov                 ebx, dword ptr [esp + 0xa8]

        $sequence_5 = { e8???????? 488bd8 eb03 488bdf 488d056efeffff }
            // n = 5, score = 200
            //   e8????????           |                     
            //   488bd8               | add                 eax, esi
            //   eb03                 | mov                 dword ptr [esp + 4], esi
            //   488bdf               | add                 eax, ebx
            //   488d056efeffff       | dec                 eax

        $sequence_6 = { e8???????? 4885c0 7403 668918 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   4885c0               | rol                 esi, 1
            //   7403                 | rol                 ecx, 5
            //   668918               | add                 eax, esi

        $sequence_7 = { e8???????? 4881c428050000 415e 415d 5b }
            // n = 5, score = 200
            //   e8????????           |                     
            //   4881c428050000       | dec                 eax
            //   415e                 | add                 esp, 0x528
            //   415d                 | inc                 ecx
            //   5b                   | pop                 esi

        $sequence_8 = { e8???????? 8905???????? 488b9c2498020000 488b8c2450020000 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8905????????         |                     
            //   488b9c2498020000     | test                edi, edi
            //   488b8c2450020000     | je                  0x27

        $sequence_9 = { 488d8d100b0000 e8???????? 488d95100b0000 498bce ff15???????? 33ff 488d542440 }
            // n = 7, score = 200
            //   488d8d100b0000       | dec                 eax
            //   e8????????           |                     
            //   488d95100b0000       | sub                 esp, 0x150
            //   498bce               | dec                 eax
            //   ff15????????         |                     
            //   33ff                 | mov                 dword ptr [esp + 0x18], edi
            //   488d542440           | push                ebp

        $sequence_10 = { c6843de00b000000 488d8de00b0000 e8???????? 488d95e00b0000 498bcd ff15???????? 0fb63d???????? }
            // n = 7, score = 200
            //   c6843de00b000000     | mov                 dword ptr [esp + 0x18], edi
            //   488d8de00b0000       | push                ebp
            //   e8????????           |                     
            //   488d95e00b0000       | dec                 eax
            //   498bcd               | lea                 ebp, dword ptr [esp - 0x50]
            //   ff15????????         |                     
            //   0fb63d????????       |                     

        $sequence_11 = { 488bcb e8???????? 85c0 7444 488d4c2430 e8???????? 85c0 }
            // n = 7, score = 200
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   85c0                 | xor                 eax, esp
            //   7444                 | dec                 eax
            //   488d4c2430           | mov                 dword ptr [ebp + 0x40], eax
            //   e8????????           |                     
            //   85c0                 | dec                 eax

        $sequence_12 = { 4881fe04010000 0f8379010000 498bd6 c684355003000000 488d8d70090000 ff15???????? 4533ff }
            // n = 7, score = 200
            //   4881fe04010000       | mov                 dword ptr [esp + 0x10], ebx
            //   0f8379010000         | dec                 eax
            //   498bd6               | mov                 dword ptr [esp + 0x18], edi
            //   c684355003000000     | push                ebp
            //   488d8d70090000       | dec                 eax
            //   ff15????????         |                     
            //   4533ff               | lea                 ebp, dword ptr [esp - 0x50]

        $sequence_13 = { e8???????? e8???????? e8???????? c705????????04000000 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   c705????????04000000     |     

        $sequence_14 = { 488d442440 41b904000000 4889442420 4c8d442448 418d5108 41ffd4 4c8d8da0030000 }
            // n = 7, score = 200
            //   488d442440           | dec                 eax
            //   41b904000000         | lea                 ebp, dword ptr [esp - 0x50]
            //   4889442420           | dec                 eax
            //   4c8d442448           | sub                 esp, 0x150
            //   418d5108             | dec                 eax
            //   41ffd4               | mov                 dword ptr [esp + 0x10], ebx
            //   4c8d8da0030000       | dec                 eax

        $sequence_15 = { 353a413a5d 3a933ab83ada 3af9 3a33 }
            // n = 4, score = 100
            //   353a413a5d           | mov                 ecx, ebp
            //   3a933ab83ada         | inc                 ebp
            //   3af9                 | xor                 edi, edi
            //   3a33                 | mov                 dword ptr [esp + 0xa0], 0x5c3a41

        $sequence_16 = { 898424a0000000 89942498000000 898424a4000000 c644241cbb c644241d4b }
            // n = 5, score = 100
            //   898424a0000000       | mov                 dword ptr [esp + 0xa0], eax
            //   89942498000000       | mov                 dword ptr [esp + 0x98], edx
            //   898424a4000000       | mov                 dword ptr [esp + 0xa4], eax
            //   c644241cbb           | mov                 byte ptr [esp + 0x1c], 0xbb
            //   c644241d4b           | mov                 byte ptr [esp + 0x1d], 0x4b

        $sequence_17 = { c3 8b85c4f5ffff a3???????? 40 250f000080 }
            // n = 5, score = 100
            //   c3                   | dec                 eax
            //   8b85c4f5ffff         | lea                 ebp, dword ptr [esp - 0x50]
            //   a3????????           |                     
            //   40                   | dec                 esp
            //   250f000080           | lea                 ebx, dword ptr [esp + 0x150]

        $sequence_18 = { 8b0c8580f16e00 8b45e8 f644012880 7446 0fbec3 83e800 }
            // n = 6, score = 100
            //   8b0c8580f16e00       | mov                 ecx, dword ptr [eax*4 + 0x6ef180]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   f644012880           | test                byte ptr [ecx + eax + 0x28], 0x80
            //   7446                 | je                  0x48
            //   0fbec3               | movsx               eax, bl
            //   83e800               | sub                 eax, 0

        $sequence_19 = { 50 8b85a4f8ffff 0fb7048534977300 8d0485308e7300 }
            // n = 4, score = 100
            //   50                   | lea                 ecx, dword ptr [ebp + 0xbe0]
            //   8b85a4f8ffff         | dec                 eax
            //   0fb7048534977300     | lea                 edx, dword ptr [ebp + 0xbe0]
            //   8d0485308e7300       | dec                 ecx

        $sequence_20 = { ff15???????? 85db 8bf8 c7442410ffffffff 0f8422010000 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   85db                 | test                ebx, ebx
            //   8bf8                 | mov                 edi, eax
            //   c7442410ffffffff     | mov                 dword ptr [esp + 0x10], 0xffffffff
            //   0f8422010000         | je                  0x128

        $sequence_21 = { 8d95f0fdffff c1e009 8d8870f66e00 2bd1 0f1f840000000000 }
            // n = 5, score = 100
            //   8d95f0fdffff         | lea                 edx, dword ptr [ebp - 0x210]
            //   c1e009               | shl                 eax, 9
            //   8d8870f66e00         | lea                 ecx, dword ptr [eax + 0x6ef670]
            //   2bd1                 | sub                 edx, ecx
            //   0f1f840000000000     | nop                 dword ptr [eax + eax]

        $sequence_22 = { e8???????? 8bc6 c1e002 50 8b85b4f8ffff 0fb7048534976e00 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi
            //   c1e002               | shl                 eax, 2
            //   50                   | push                eax
            //   8b85b4f8ffff         | mov                 eax, dword ptr [ebp - 0x74c]
            //   0fb7048534976e00     | movzx               eax, word ptr [eax*4 + 0x6e9734]

        $sequence_23 = { be???????? c745ecf07d6e00 57 8d3c85fcffffff 8975cc 8d041f 8975d0 }
            // n = 7, score = 100
            //   be????????           |                     
            //   c745ecf07d6e00       | mov                 dword ptr [ebp - 0x14], 0x6e7df0
            //   57                   | push                edi
            //   8d3c85fcffffff       | lea                 edi, dword ptr [eax*4 - 4]
            //   8975cc               | mov                 dword ptr [ebp - 0x34], esi
            //   8d041f               | lea                 eax, dword ptr [edi + ebx]
            //   8975d0               | mov                 dword ptr [ebp - 0x30], esi

        $sequence_24 = { 8b9394010000 8915???????? 668b4104 66a3???????? 53 }
            // n = 5, score = 100
            //   8b9394010000         | mov                 edx, dword ptr [ebx + 0x194]
            //   8915????????         |                     
            //   668b4104             | mov                 ax, word ptr [ecx + 4]
            //   66a3????????         |                     
            //   53                   | push                ebx

        $sequence_25 = { 741b 8bcf 8b7d04 8bc1 }
            // n = 4, score = 100
            //   741b                 | je                  0x1d
            //   8bcf                 | mov                 ecx, edi
            //   8b7d04               | mov                 edi, dword ptr [ebp + 4]
            //   8bc1                 | mov                 eax, ecx

        $sequence_26 = { c6463c01 e8???????? eb14 85db 7507 c74634047b7300 }
            // n = 6, score = 100
            //   c6463c01             | call                esp
            //   e8????????           |                     
            //   eb14                 | dec                 esp
            //   85db                 | lea                 ecx, dword ptr [ebp + 0x3a0]
            //   7507                 | mov                 byte ptr [ebp + edi + 0xbe0], 0
            //   c74634047b7300       | dec                 eax

        $sequence_27 = { 33c0 8d3c9da4ef6e00 f00fb10f 8bc8 85c9 740b }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   8d3c9da4ef6e00       | lea                 edi, dword ptr [ebx*4 + 0x6eefa4]
            //   f00fb10f             | lock cmpxchg        dword ptr [edi], ecx
            //   8bc8                 | mov                 ecx, eax
            //   85c9                 | test                ecx, ecx
            //   740b                 | je                  0xd

        $sequence_28 = { 50 8b85b4f8ffff 0fb7048534976e00 8d0485308e6e00 50 8d8590faffff }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8b85b4f8ffff         | mov                 eax, dword ptr [ebp - 0x74c]
            //   0fb7048534976e00     | movzx               eax, word ptr [eax*4 + 0x6e9734]
            //   8d0485308e6e00       | lea                 eax, dword ptr [eax*4 + 0x6e8e30]
            //   50                   | push                eax
            //   8d8590faffff         | lea                 eax, dword ptr [ebp - 0x570]

        $sequence_29 = { 57 8975fc e8???????? 99 b90a000000 f7f9 81c618030000 }
            // n = 7, score = 100
            //   57                   | dec                 esp
            //   8975fc               | mov                 esi, eax
            //   e8????????           |                     
            //   99                   | dec                 eax
            //   b90a000000           | lea                 ecx, dword ptr [esp + 0x30]
            //   f7f9                 | xor                 eax, eax
            //   81c618030000         | xor                 edx, edx

        $sequence_30 = { c3 8bff 55 8bec 8b4508 57 8d3c85c8f47300 }
            // n = 7, score = 100
            //   c3                   | dec                 eax
            //   8bff                 | mov                 dword ptr [esp + 0x20], eax
            //   55                   | dec                 esp
            //   8bec                 | lea                 eax, dword ptr [esp + 0x48]
            //   8b4508               | inc                 ecx
            //   57                   | lea                 edx, dword ptr [ecx + 8]
            //   8d3c85c8f47300       | inc                 ecx

        $sequence_31 = { e9???????? 894ddc c745e0d8ba6e00 e9???????? }
            // n = 4, score = 100
            //   e9????????           |                     
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            //   c745e0d8ba6e00       | mov                 dword ptr [ebp - 0x20], 0x6ebad8
            //   e9????????           |                     

        $sequence_32 = { 8d4101 f7d8 1bc0 23c1 eb55 8b1c9d24727300 }
            // n = 6, score = 100
            //   8d4101               | mov                 byte ptr [esp + 0xa4], al
            //   f7d8                 | dec                 eax
            //   1bc0                 | mov                 dword ptr [esp + 0x10], ebx
            //   23c1                 | dec                 eax
            //   eb55                 | mov                 dword ptr [esp + 0x18], edi
            //   8b1c9d24727300       | push                ebp

        $sequence_33 = { 8bec 8b550c 83ec20 33c9 8bc1 3914c5d8c36e00 }
            // n = 6, score = 100
            //   8bec                 | mov                 ebp, esp
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   83ec20               | sub                 esp, 0x20
            //   33c9                 | xor                 ecx, ecx
            //   8bc1                 | mov                 eax, ecx
            //   3914c5d8c36e00       | cmp                 dword ptr [eax*8 + 0x6ec3d8], edx

        $sequence_34 = { 8b5c2454 85db 894c2404 7463 8b442450 55 }
            // n = 6, score = 100
            //   8b5c2454             | mov                 ebx, dword ptr [esp + 0x54]
            //   85db                 | test                ebx, ebx
            //   894c2404             | mov                 dword ptr [esp + 4], ecx
            //   7463                 | je                  0x65
            //   8b442450             | mov                 eax, dword ptr [esp + 0x50]
            //   55                   | push                ebp

        $sequence_35 = { 0fb6348537977300 8bf9 8985a4f8ffff c1e702 57 8d0431 }
            // n = 6, score = 100
            //   0fb6348537977300     | dec                 eax
            //   8bf9                 | lea                 edx, dword ptr [esp + 0x40]
            //   8985a4f8ffff         | dec                 eax
            //   c1e702               | lea                 eax, dword ptr [esp + 0x40]
            //   57                   | inc                 ecx
            //   8d0431               | mov                 ecx, 4

        $sequence_36 = { d1c2 c1c605 33c7 8954245c }
            // n = 4, score = 100
            //   d1c2                 | rol                 edx, 1
            //   c1c605               | rol                 esi, 5
            //   33c7                 | xor                 eax, edi
            //   8954245c             | mov                 dword ptr [esp + 0x5c], edx

    condition:
        // Match when any 7 of the 37 sequences ($sequence_0..$sequence_36) are
        // present and the scanned file is smaller than 393216 bytes (384 KiB).
        // The size bound means larger carriers (padded, bundled or embedded
        // builds) will not match even if all sequences are present; drop or
        // raise it deliberately if you scan such objects, and expect the
        // "7 of them" threshold to trade precision for recall either way.
        7 of them and filesize < 393216
}