win.volgmer

Volgmer

aka: FALLCHILL, Manuscrypt

Actor(s): Lazarus Group


There is no description at this point.

References
2021-02-25 | Kaspersky Labs | Vyacheslav Kopeytsev, Seongsu Park
@online{kopeytsev:20210225:lazarus:c887c21, author = {Vyacheslav Kopeytsev and Seongsu Park}, title = {{Lazarus targets defense industry with ThreatNeedle}}, date = {2021-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-threatneedle/100803/}, language = {English}, urldate = {2021-02-25} } Lazarus targets defense industry with ThreatNeedle
Volgmer
2021-01-27 | S2W LAB Inc. | Sojun Ryu
@online{ryu:20210127:analysis:d2bb250, author = {Sojun Ryu}, title = {{Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74}, language = {English}, urldate = {2021-01-27} } Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)
Volgmer
2021-01-27 | S2W LAB Inc. | Sojun Ryu
@online{ryu:20210127:how:7dcce24, author = {Sojun Ryu}, title = {{How to communicate between RAT infected devices (White paper)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view}, language = {English}, urldate = {2021-01-27} } How to communicate between RAT infected devices (White paper)
Volgmer
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-05-07 | AVAR | Mark Lechtik, Ariel Jugnheit
@online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jugnheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} } The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market
Volgmer
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-08-23 | Kaspersky Labs | GReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group
2017-11-14 | US-CERT | US-CERT
@online{uscert:20171114:alert:4bf4ff5, author = {US-CERT}, title = {{Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer}}, date = {2017-11-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-318B}, language = {English}, urldate = {2020-01-08} } Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer
Volgmer Lazarus Group
Yara Rules
[TLP:WHITE] win_volgmer_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_volgmer_auto {

    // Rule metadata. malpedia_version (20201023) and malpedia_rule_date (20201222)
    // differ; presumably the former is the dataset snapshot the rule was generated
    // from and the latter the generation date -- confirm against the Malpedia docs.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * Matching is driven solely by the hex patterns below; the indented
     * "// bytes | mnemonic" lines are annotations and have no effect on the
     * rule. In several sequences the annotation does not decode the bytes on
     * the same line (e.g. in $sequence_0, 48897c2418 is the 64-bit
     * "mov [rsp+0x18], rdi", not "and ecx, 0x3f"; the 32-bit decoding of
     * $sequence_0's bytes appears under $sequence_4), so do not rely on the
     * mnemonics to reason about what a pattern matches -- read the bytes.
     * "??" wildcards mask bytes the generator saw vary between samples, such
     * as the rel32 of e8 calls and the displacements of ff15 indirect calls.
     * "n" equals the number of opcode lines listed for the sequence; "score"
     * is assigned by yara-signator -- presumably a weight for how
     * characteristic the sequence is; confirm in the tool's documentation.
     * Most of $sequence_0..$sequence_14 (score 200/300) carry REX prefixes
     * (48/4c/41) and are 64-bit code; $sequence_15..$sequence_36 (score 100)
     * appear to be 32-bit encodings with absolute addresses such as 0x6ef180,
     * so the rule covers both 32- and 64-bit builds.
     * Per the DISCLAIMER, patterns come from unpacked files and memory dumps:
     * packed samples need to be unpacked or dumped before this rule can be
     * expected to fire.
     */

    strings:
        $sequence_0 = { 48897c2418 55 488d6c24b0 4881ec50010000 488b05???????? }
            // n = 5, score = 300
            //   48897c2418           | and                 ecx, 0x3f
            //   55                   | sar                 eax, 6
            //   488d6c24b0           | imul                ecx, ecx, 0x30
            //   4881ec50010000       | mov                 eax, dword ptr [eax*4 + 0x73f180]
            //   488b05????????       |                     

        $sequence_1 = { 488b4d40 4833cc e8???????? 4c8d9c2450010000 498b5b18 498b7b20 498be3 }
            // n = 7, score = 300
            //   488b4d40             | movzx               eax, byte ptr [eax + ecx + 0x28]
            //   4833cc               | and                 eax, 0x40
            //   e8????????           |                     
            //   4c8d9c2450010000     | je                  0x45
            //   498b5b18             | sub                 eax, 1
            //   498b7b20             | jne                 0x107
            //   498be3               | mov                 dword ptr [ebp - 0x20], 0x73bae4

        $sequence_2 = { 4889742418 57 4881ec70020000 488b05???????? 4833c4 4889842460020000 }
            // n = 6, score = 200
            //   4889742418           | dec                 eax
            //   57                   | xor                 eax, esp
            //   4881ec70020000       | dec                 eax
            //   488b05????????       |                     
            //   4833c4               | mov                 ecx, edi
            //   4889842460020000     | test                eax, eax

        $sequence_3 = { 41ffd4 488b9500060000 488d442458 4889442430 }
            // n = 4, score = 200
            //   41ffd4               | dec                 ecx
            //   488b9500060000       | mov                 edi, dword ptr [ebx + 0x20]
            //   488d442458           | dec                 ecx
            //   4889442430           | mov                 esp, ebx

        $sequence_4 = { 488bdf 0f1f00 48ffc3 803c1e00 75f7 0f1f8000000000 48ffc7 }
            // n = 7, score = 200
            //   488bdf               | mov                 dword ptr [esp + 0x18], edi
            //   0f1f00               | push                ebp
            //   48ffc3               | dec                 eax
            //   803c1e00             | lea                 ebp, [esp - 0x50]
            //   75f7                 | dec                 eax
            //   0f1f8000000000       | sub                 esp, 0x150
            //   48ffc7               | dec                 eax

        $sequence_5 = { 7405 488bcf ffd6 488b7c2448 4983fcff 7405 }
            // n = 6, score = 200
            //   7405                 | dec                 eax
            //   488bcf               | mov                 dword ptr [ebp + 0x40], eax
            //   ffd6                 | dec                 esp
            //   488b7c2448           | lea                 ebx, [esp + 0x150]
            //   4983fcff             | dec                 ecx
            //   7405                 | mov                 ebx, dword ptr [ebx + 0x18]

        $sequence_6 = { 488bcf ff15???????? 85c0 7414 488d542420 }
            // n = 5, score = 200
            //   488bcf               | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | lea                 ebp, [esp - 0x428]
            //   7414                 | dec                 eax
            //   488d542420           | sub                 esp, 0x528

        $sequence_7 = { c705????????01000000 ffd5 3935???????? 7418 }
            // n = 4, score = 200
            //   c705????????01000000     |     
            //   ffd5                 | dec                 eax
            //   3935????????         |                     
            //   7418                 | xor                 eax, esp

        $sequence_8 = { 4155 4156 488dac24d8fbffff 4881ec28050000 488b05???????? 4833c4 }
            // n = 6, score = 200
            //   4155                 | movzx               eax, word ptr [esi + ecx]
            //   4156                 | inc                 ecx
            //   488dac24d8fbffff     | push                ebp
            //   4881ec28050000       | inc                 ecx
            //   488b05????????       |                     
            //   4833c4               | push                esi

        $sequence_9 = { 4489842490000000 0f1f440000 488b4e18 4c8d4c2420 488bd5 41ffd5 }
            // n = 6, score = 200
            //   4489842490000000     | mov                 dword ptr [esp + 0x18], edi
            //   0f1f440000           | push                ebp
            //   488b4e18             | dec                 eax
            //   4c8d4c2420           | lea                 ebp, [esp - 0x50]
            //   488bd5               | dec                 eax
            //   41ffd5               | sub                 esp, 0x150

        $sequence_10 = { 74b6 33d2 f644246010 41b806020000 }
            // n = 4, score = 200
            //   74b6                 | dec                 eax
            //   33d2                 | sub                 esp, 0x270
            //   f644246010           | dec                 eax
            //   41b806020000         | xor                 eax, esp

        $sequence_11 = { 754e 41b902000000 eb50 e8???????? 4533db 488d442440 4c895c2438 }
            // n = 7, score = 200
            //   754e                 | je                  0x16
            //   41b902000000         | dec                 eax
            //   eb50                 | lea                 edx, [esp + 0x20]
            //   e8????????           |                     
            //   4533db               | dec                 eax
            //   488d442440           | mov                 dword ptr [esp + 0x18], esi
            //   4c895c2438           | push                edi

        $sequence_12 = { 8957fe 488dbdb0010000 66f2af 33c9 6690 0fb7040e }
            // n = 6, score = 200
            //   8957fe               | mov                 dword ptr [edi - 2], edx
            //   488dbdb0010000       | dec                 eax
            //   66f2af               | lea                 edi, [ebp + 0x1b0]
            //   33c9                 | repne scasd         eax, dword ptr es:[edi]
            //   6690                 | xor                 ecx, ecx
            //   0fb7040e             | nop                 

        $sequence_13 = { ff15???????? 0f1005???????? 33d2 41b8d4000000 0f100d???????? }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   0f1005????????       |                     
            //   33d2                 | dec                 eax
            //   41b8d4000000         | xor                 ecx, esp
            //   0f100d????????       |                     

        $sequence_14 = { e8???????? e8???????? e8???????? c705????????04000000 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   c705????????04000000     |     

        $sequence_15 = { 837b0c00 8985a4f3ffff 0f840d010000 8d8318030000 }
            // n = 4, score = 100
            //   837b0c00             | jne                 0x50
            //   8985a4f3ffff         | inc                 ecx
            //   0f840d010000         | mov                 ecx, 2
            //   8d8318030000         | jmp                 0x52

        $sequence_16 = { 6bc830 8b049580f16e00 f644082801 7421 57 e8???????? }
            // n = 6, score = 100
            //   6bc830               | imul                ecx, eax, 0x30
            //   8b049580f16e00       | mov                 eax, dword ptr [edx*4 + 0x6ef180]
            //   f644082801           | test                byte ptr [eax + ecx + 0x28], 1
            //   7421                 | je                  0x23
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_17 = { f6450801 740e 68280f0000 56 e8???????? }
            // n = 5, score = 100
            //   f6450801             | lea                 eax, [ebx + 0x318]
            //   740e                 | push                dword ptr [edi + 8]
            //   68280f0000           | call                dword ptr [ebp - 0xc1c]
            //   56                   | cmp                 dword ptr [edi + 0x14], 0x800000
            //   e8????????           |                     

        $sequence_18 = { eb07 8b0cc5dcc36e00 894de4 85c9 7455 }
            // n = 5, score = 100
            //   eb07                 | jmp                 9
            //   8b0cc5dcc36e00       | mov                 ecx, dword ptr [eax*8 + 0x6ec3dc]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   85c9                 | test                ecx, ecx
            //   7455                 | je                  0x57

        $sequence_19 = { 8db394010000 33d2 66f3a7 751c 8b1b 85db 7432 }
            // n = 7, score = 100
            //   8db394010000         | dec                 eax
            //   33d2                 | mov                 dword ptr [esp + 0x10], ebx
            //   66f3a7               | dec                 eax
            //   751c                 | mov                 dword ptr [esp + 0x18], edi
            //   8b1b                 | push                ebp
            //   85db                 | dec                 eax
            //   7432                 | lea                 ebp, [esp - 0x50]

        $sequence_20 = { ff7708 ff95e4f3ffff 817f1400008000 89470c 751c 6a04 }
            // n = 6, score = 100
            //   ff7708               | inc                 ebp
            //   ff95e4f3ffff         | xor                 ebx, ebx
            //   817f1400008000       | dec                 eax
            //   89470c               | lea                 eax, [esp + 0x40]
            //   751c                 | dec                 esp
            //   6a04                 | mov                 dword ptr [esp + 0x38], ebx

        $sequence_21 = { 83c40c 3bc8 760d 6830750000 ff15???????? }
            // n = 5, score = 100
            //   83c40c               | lea                 ebp, [esp - 0x50]
            //   3bc8                 | dec                 eax
            //   760d                 | sub                 esp, 0x150
            //   6830750000           | dec                 eax
            //   ff15????????         |                     

        $sequence_22 = { 53 33ff c745d000000000 53 897dd8 c7458490ca6e00 897d88 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   33ff                 | xor                 edi, edi
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   53                   | push                ebx
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi
            //   c7458490ca6e00       | mov                 dword ptr [ebp - 0x7c], 0x6eca90
            //   897d88               | mov                 dword ptr [ebp - 0x78], edi

        $sequence_23 = { 68???????? 50 ff15???????? 837e0c00 8bf8 0f84a2000000 8d8e18030000 }
            // n = 7, score = 100
            //   68????????           |                     
            //   50                   | mov                 dword ptr [edi + 0xc], eax
            //   ff15????????         |                     
            //   837e0c00             | jne                 0x28
            //   8bf8                 | push                4
            //   0f84a2000000         | lea                 eax, [ebp - 0xc08]
            //   8d8e18030000         | push                eax

        $sequence_24 = { 55 6a00 6a00 8d442410 6a1a }
            // n = 5, score = 100
            //   55                   | mov                 ebx, dword ptr [ebx + 0x18]
            //   6a00                 | dec                 ecx
            //   6a00                 | mov                 edi, dword ptr [ebx + 0x20]
            //   8d442410             | dec                 ecx
            //   6a1a                 | mov                 esp, ebx

        $sequence_25 = { 8b45f8 8bce 83e63f c1f906 6bf630 8b0c8d80f16e00 80643128fd }
            // n = 7, score = 100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8bce                 | mov                 ecx, esi
            //   83e63f               | and                 esi, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bf630               | imul                esi, esi, 0x30
            //   8b0c8d80f16e00       | mov                 ecx, dword ptr [ecx*4 + 0x6ef180]
            //   80643128fd           | and                 byte ptr [ecx + esi + 0x28], 0xfd

        $sequence_26 = { 8b4508 57 8d3c85c8f46e00 8b0f 85c9 }
            // n = 5, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   8d3c85c8f46e00       | lea                 edi, [eax*4 + 0x6ef4c8]
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   85c9                 | test                ecx, ecx

        $sequence_27 = { 7443 83e801 0f8501010000 c745e0e4ba7300 8b4508 }
            // n = 5, score = 100
            //   7443                 | cmp                 al, 0xc4
            //   83e801               | cmp                 al, 0xd1
            //   0f8501010000         | cmp                 al, 0x9f
            //   c745e0e4ba7300       | test                byte ptr [ebp + 8], 1
            //   8b4508               | je                  0x14

        $sequence_28 = { 74ba 83f807 77c5 ff2485d1a86d00 8bce }
            // n = 5, score = 100
            //   74ba                 | je                  0xffffffbc
            //   83f807               | cmp                 eax, 7
            //   77c5                 | ja                  0xffffffc7
            //   ff2485d1a86d00       | jmp                 dword ptr [eax*4 + 0x6da8d1]
            //   8bce                 | mov                 ecx, esi

        $sequence_29 = { 83c408 3bc6 7404 66897002 8d54240c 52 ff15???????? }
            // n = 7, score = 100
            //   83c408               | dec                 eax
            //   3bc6                 | sub                 esp, 0x150
            //   7404                 | dec                 eax
            //   66897002             | xor                 eax, esp
            //   8d54240c             | push                ebp
            //   52                   | dec                 eax
            //   ff15????????         |                     

        $sequence_30 = { 6af6 ff15???????? 8b04bd80f16e00 834c0318ff }
            // n = 4, score = 100
            //   6af6                 | push                -0xa
            //   ff15????????         |                     
            //   8b04bd80f16e00       | mov                 eax, dword ptr [edi*4 + 0x6ef180]
            //   834c0318ff           | or                  dword ptr [ebx + eax + 0x18], 0xffffffff

        $sequence_31 = { 6a14 68???????? e8???????? 55 e8???????? 83c418 5f }
            // n = 7, score = 100
            //   6a14                 | mov                 esp, ebx
            //   68????????           |                     
            //   e8????????           |                     
            //   55                   | dec                 esp
            //   e8????????           |                     
            //   83c418               | lea                 ebx, [esp + 0x150]
            //   5f                   | dec                 ecx

        $sequence_32 = { 6aff 6857ff0000 8b0d???????? e8???????? 8bf0 }
            // n = 5, score = 100
            //   6aff                 | dec                 ecx
            //   6857ff0000           | mov                 edi, dword ptr [ebx + 0x20]
            //   8b0d????????         |                     
            //   e8????????           |                     
            //   8bf0                 | dec                 ecx

        $sequence_33 = { 83e13f c1f806 6bc930 8b048580f17300 0fb6440828 83e040 }
            // n = 6, score = 100
            //   83e13f               | push                eax
            //   c1f806               | push                3
            //   6bc930               | lea                 eax, [edi + 0x41c]
            //   8b048580f17300       | push                eax
            //   0fb6440828           | cmp                 al, 0xb5
            //   83e040               | cmp                 al, 0xbd

        $sequence_34 = { 3cb5 3cbd 3cc4 3cd1 3c9f }
            // n = 5, score = 100
            //   3cb5                 | mov                 edi, dword ptr [esp + 0x40]
            //   3cbd                 | jmp                 0x34
            //   3cc4                 | cmp                 dword ptr [ebx + 0xc], 0
            //   3cd1                 | mov                 dword ptr [ebp - 0xc5c], eax
            //   3c9f                 | je                  0x113

        $sequence_35 = { 3c5a 770f 0fbec1 0fb688887a6e00 83e10f eb02 }
            // n = 6, score = 100
            //   3c5a                 | cmp                 al, 0x5a
            //   770f                 | ja                  0x11
            //   0fbec1               | movsx               eax, cl
            //   0fb688887a6e00       | movzx               ecx, byte ptr [eax + 0x6e7a88]
            //   83e10f               | and                 ecx, 0xf
            //   eb02                 | jmp                 4

        $sequence_36 = { 8d85f8f3ffff 50 50 6a03 8d871c040000 50 }
            // n = 6, score = 100
            //   8d85f8f3ffff         | je                  0xffffffb8
            //   50                   | xor                 edx, edx
            //   50                   | test                byte ptr [esp + 0x60], 0x10
            //   6a03                 | inc                 ecx
            //   8d871c040000         | mov                 eax, 0x206
            //   50                   | dec                 eax

    condition:
        // At least 7 of the 37 sequences must be present, in any combination;
        // with 22 32-bit and 15 64-bit sequences a build of either architecture
        // can meet the threshold on its own.
        // filesize < 393216 (384 KiB) excludes larger inputs: big memory dumps
        // or padded samples will not match even if the sequences are present.
        7 of them and filesize < 393216
}