win.volgmer

Volgmer

aka: FALLCHILL, Manuscrypt

Actor(s): Lazarus Group


There is no description at this point.

References
2021-02-25 | Kaspersky Labs | Vyacheslav Kopeytsev, Seongsu Park
@online{kopeytsev:20210225:lazarus:c887c21, author = {Vyacheslav Kopeytsev and Seongsu Park}, title = {{Lazarus targets defense industry with ThreatNeedle}}, date = {2021-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-threatneedle/100803/}, language = {English}, urldate = {2021-02-25} } Lazarus targets defense industry with ThreatNeedle
Volgmer
2021-01-27 | S2W LAB Inc. | Sojun Ryu
@online{ryu:20210127:analysis:d2bb250, author = {Sojun Ryu}, title = {{Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74}, language = {English}, urldate = {2021-01-27} } Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)
Volgmer
2021-01-27 | S2W LAB Inc. | Sojun Ryu
@online{ryu:20210127:how:7dcce24, author = {Sojun Ryu}, title = {{How to communicate between RAT infected devices (White paper)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view}, language = {English}, urldate = {2021-01-27} } How to communicate between RAT infected devices (White paper)
Volgmer
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-05-07 | AVAR | Mark Lechtik, Ariel Jugnheit
@online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jugnheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} } The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market
Volgmer
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-08-23 | Kaspersky Labs | GReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group
2017-11-14 | US-CERT | US-CERT
@online{uscert:20171114:alert:4bf4ff5, author = {US-CERT}, title = {{Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer}}, date = {2017-11-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-318B}, language = {English}, urldate = {2020-01-08} } Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer
Volgmer Lazarus Group
Yara Rules
[TLP:WHITE] win_volgmer_auto (20210616 | Detects win.volgmer.)
/*
 * Auto-generated Malpedia detection rule for the Volgmer family
 * (win.volgmer, aka FALLCHILL / Manuscrypt, attributed to Lazarus Group
 * on the Malpedia page this rule was published with).
 *
 * Each $sequence_N string is a run of raw instruction bytes lifted from
 * disassembled memory dumps and unpacked samples. "??" is the YARA
 * single-byte wildcard; in this rule it appears after e8 (call rel32),
 * ff15 (call [disp32]) and similar opcodes, so the wildcarded bytes are
 * presumably relocatable displacements/immediates the generator chose not
 * to pin — inferred from the opcodes, not documented by the tool.
 *
 * Match semantics: any 7 of the 37 sequences must be present and the
 * scanned file must be smaller than 393216 bytes (384 KiB). See the
 * condition at the bottom.
 */
rule win_volgmer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.volgmer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per-sequence comments: "n" is the number of instructions in the
        // sequence (it matches the number of opcode lines listed below each
        // string); "score" is a ranking assigned by yara-signator — presumably
        // sample coverage, but it is not documented here, so treat it as a
        // relative weight only.
        //
        // NOTE(review): the mnemonic column next to several sequences does not
        // decode the adjacent bytes. $sequence_0, for instance, annotates
        // 48 89 7c 24 18 as "dec eax" — the 32-bit reading of what is a REX.W
        // prefix in 64-bit code — and other lines repeat mnemonics that belong
        // to different sequences (the 32-bit sequences, e.g. $sequence_17 and
        // $sequence_22, appear to be annotated correctly). YARA matches the hex,
        // never the comments; review and tune against the hex.
        $sequence_0 = { 48897c2418 55 488d6c24b0 4881ec50010000 488b05???????? }
            // n = 5, score = 300
            //   48897c2418           | dec                 eax
            //   55                   | mov                 edx, ebx
            //   488d6c24b0           | test                al, al
            //   4881ec50010000       | je                  0x26
            //   488b05????????       |                     

        $sequence_1 = { 488b4d40 4833cc e8???????? 4c8d9c2450010000 498b5b18 498b7b20 498be3 }
            // n = 7, score = 300
            //   488b4d40             | dec                 eax
            //   4833cc               | lea                 ecx, dword ptr [esp + 0x30]
            //   e8????????           |                     
            //   4c8d9c2450010000     | dec                 eax
            //   498b5b18             | mov                 edx, ebx
            //   498b7b20             | test                eax, eax
            //   498be3               | dec                 eax

        $sequence_2 = { e8???????? 488d8db0010000 488bd3 482bcb }
            // n = 4, score = 200
            //   e8????????           |                     
            //   488d8db0010000       | dec                 eax
            //   488bd3               | lea                 ecx, dword ptr [ebp + 0x1b0]
            //   482bcb               | dec                 eax

        $sequence_3 = { e8???????? 84c0 7424 488d4c2430 488bd3 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   84c0                 | je                  7
            //   7424                 | inc                 esp
            //   488d4c2430           | mov                 esp, esi
            //   488bd3               | inc                 ecx

        $sequence_4 = { e8???????? 8905???????? 85c0 7543 488b7c2440 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   8905????????         |                     
            //   85c0                 | cmp                 ebp, 2
            //   7543                 | jne                 0x19
            //   488b7c2440           | dec                 ecx

        $sequence_5 = { 488d9500050000 ff55a0 498bcf ff542448 498bcc ff542450 448b442440 }
            // n = 7, score = 200
            //   488d9500050000       | mov                 dword ptr [esp + 0x10], ebx
            //   ff55a0               | dec                 eax
            //   498bcf               | mov                 dword ptr [esp + 0x18], edi
            //   ff542448             | push                ebp
            //   498bcc               | dec                 eax
            //   ff542450             | lea                 ebp, dword ptr [esp - 0x50]
            //   448b442440           | dec                 eax

        $sequence_6 = { c744242880000000 4533c0 ba00000040 c744242004000000 498bcf ff542450 4c8bf8 }
            // n = 7, score = 200
            //   c744242880000000     | mov                 dword ptr [esp + 0x18], edi
            //   4533c0               | push                ebp
            //   ba00000040           | dec                 eax
            //   c744242004000000     | lea                 ebp, dword ptr [esp - 0x50]
            //   498bcf               | dec                 eax
            //   ff542450             | sub                 esp, 0x150
            //   4c8bf8               | dec                 eax

        $sequence_7 = { e8???????? 448d4606 6689742434 488d542430 c744243036180000 488bcb e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   448d4606             | mov                 dword ptr [esp + 0x10], ebx
            //   6689742434           | dec                 eax
            //   488d542430           | mov                 dword ptr [esp + 0x18], edi
            //   c744243036180000     | push                ebp
            //   488bcb               | dec                 eax
            //   e8????????           |                     

        $sequence_8 = { e8???????? 488b4db3 4189442404 e8???????? }
            // n = 4, score = 200
            //   e8????????           |                     
            //   488b4db3             | test                eax, eax
            //   4189442404           | jne                 0x45
            //   e8????????           |                     

        $sequence_9 = { 7e1b 440fbfc0 488d5566 458bcc 488bcb e8???????? 85c0 }
            // n = 7, score = 200
            //   7e1b                 | mov                 dword ptr [esp + 0x18], edi
            //   440fbfc0             | push                ebp
            //   488d5566             | dec                 eax
            //   458bcc               | lea                 ebp, dword ptr [esp - 0x50]
            //   488bcb               | dec                 eax
            //   e8????????           |                     
            //   85c0                 | sub                 esp, 0x150

        $sequence_10 = { 488b9c2460040000 488bbc2450040000 488b8c2440040000 4833cc e8???????? 4881c458040000 c3 }
            // n = 7, score = 200
            //   488b9c2460040000     | lea                 ebp, dword ptr [esp - 0x50]
            //   488bbc2450040000     | dec                 eax
            //   488b8c2440040000     | sub                 esp, 0x150
            //   4833cc               | dec                 eax
            //   e8????????           |                     
            //   4881c458040000       | mov                 dword ptr [esp + 0x10], ebx
            //   c3                   | dec                 eax

        $sequence_11 = { ff15???????? 85c0 7507 b800000100 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   85c0                 | inc                 esp
            //   7507                 | mov                 esp, esi
            //   b800000100           | inc                 ecx

        // Four wildcarded calls plus one mov to a wildcarded global: low
        // specificity on its own; it only carries weight as one of the 7 hits.
        $sequence_12 = { e8???????? e8???????? e8???????? e8???????? c705????????04000000 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   c705????????04000000     |     

        $sequence_13 = { e8???????? 84c0 7403 448be6 4183fd02 7510 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   84c0                 | mov                 edx, ebx
            //   7403                 | dec                 eax
            //   448be6               | sub                 ecx, ebx
            //   4183fd02             | test                al, al
            //   7510                 | je                  5

        $sequence_14 = { 4889430c ff15???????? 66ffc0 488d4b16 488d55dc 66894314 ff15???????? }
            // n = 7, score = 200
            //   4889430c             | push                ebp
            //   ff15????????         |                     
            //   66ffc0               | dec                 eax
            //   488d4b16             | lea                 ebp, dword ptr [esp - 0x50]
            //   488d55dc             | dec                 eax
            //   66894314             | sub                 esp, 0x150
            //   ff15????????         |                     

        $sequence_15 = { e8???????? 8a4c2448 8d442448 84c9 5f 741a }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8a4c2448             | mov                 cl, byte ptr [esp + 0x48]
            //   8d442448             | lea                 eax, dword ptr [esp + 0x48]
            //   84c9                 | test                cl, cl
            //   5f                   | pop                 edi
            //   741a                 | je                  0x1c

        $sequence_16 = { 68d0070000 ff048530f67300 ff95ccf5ffff 8b8dc8f5ffff 41 }
            // n = 5, score = 100
            //   68d0070000           | dec                 eax
            //   ff048530f67300       | sub                 esp, 0x150
            //   ff95ccf5ffff         | dec                 eax
            //   8b8dc8f5ffff         | mov                 dword ptr [esp + 0x10], ebx
            //   41                   | dec                 eax

        $sequence_17 = { 8bd0 c1c205 89542410 8b542414 8bda }
            // n = 5, score = 100
            //   8bd0                 | mov                 edx, eax
            //   c1c205               | rol                 edx, 5
            //   89542410             | mov                 dword ptr [esp + 0x10], edx
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   8bda                 | mov                 ebx, edx

        $sequence_18 = { c1e002 50 8b85b4f8ffff 0fb7048534977300 8d0485308e7300 }
            // n = 5, score = 100
            //   c1e002               | dec                 eax
            //   50                   | mov                 dword ptr [esp + 0x18], edi
            //   8b85b4f8ffff         | push                ebp
            //   0fb7048534977300     | dec                 eax
            //   8d0485308e7300       | lea                 ebp, dword ptr [esp - 0x50]

        $sequence_19 = { 837e0c00 7458 68???????? ffd3 }
            // n = 4, score = 100
            //   837e0c00             | call                esi
            //   7458                 | dec                 eax
            //   68????????           |                     
            //   ffd3                 | mov                 dword ptr [edi + 0x18], ebx

        $sequence_20 = { 8a87bce16e00 08441619 42 0fb64101 3bd0 76e5 }
            // n = 6, score = 100
            //   8a87bce16e00         | mov                 al, byte ptr [edi + 0x6ee1bc]
            //   08441619             | or                  byte ptr [esi + edx + 0x19], al
            //   42                   | inc                 edx
            //   0fb64101             | movzx               eax, byte ptr [ecx + 1]
            //   3bd0                 | cmp                 edx, eax
            //   76e5                 | jbe                 0xffffffe7

        $sequence_21 = { 7515 8b45fc 817848b8e47300 7409 ff7048 }
            // n = 5, score = 100
            //   7515                 | dec                 eax
            //   8b45fc               | mov                 dword ptr [ebx + 0xc], eax
            //   817848b8e47300       | inc                 ax
            //   7409                 | dec                 eax
            //   ff7048               | lea                 ecx, dword ptr [ebx + 0x16]

        $sequence_22 = { 33ff 8bc7 8bcf 83e03f c1f906 6bf030 03348d80f16e00 }
            // n = 7, score = 100
            //   33ff                 | xor                 edi, edi
            //   8bc7                 | mov                 eax, edi
            //   8bcf                 | mov                 ecx, edi
            //   83e03f               | and                 eax, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bf030               | imul                esi, eax, 0x30
            //   03348d80f16e00       | add                 esi, dword ptr [ecx*4 + 0x6ef180]

        $sequence_23 = { 85c9 0f84d3000000 8b048dcc977300 89859cf8ffff 85c0 0f8498000000 }
            // n = 6, score = 100
            //   85c9                 | xor                 ebx, ebx
            //   0f84d3000000         | dec                 eax
            //   8b048dcc977300       | mov                 esi, eax
            //   89859cf8ffff         | dec                 eax
            //   85c0                 | test                ecx, ecx
            //   0f8498000000         | je                  0x10

        $sequence_24 = { c1f906 53 6bd830 56 8b048d80f16e00 57 }
            // n = 6, score = 100
            //   c1f906               | sar                 ecx, 6
            //   53                   | push                ebx
            //   6bd830               | imul                ebx, eax, 0x30
            //   56                   | push                esi
            //   8b048d80f16e00       | mov                 eax, dword ptr [ecx*4 + 0x6ef180]
            //   57                   | push                edi

        $sequence_25 = { 6a40 bea8ffffff ff15???????? 6808020000 6a40 8bd8 }
            // n = 6, score = 100
            //   6a40                 | push                0x40
            //   bea8ffffff           | mov                 esi, 0xffffffa8
            //   ff15????????         |                     
            //   6808020000           | push                0x208
            //   6a40                 | push                0x40
            //   8bd8                 | mov                 ebx, eax

        $sequence_26 = { 57 33ff 8bcf 8bc7 894de4 3998c0e17300 0f84ea000000 }
            // n = 7, score = 100
            //   57                   | dec                 eax
            //   33ff                 | lea                 edx, dword ptr [ebp + 0x66]
            //   8bcf                 | inc                 ebp
            //   8bc7                 | mov                 ecx, esp
            //   894de4               | dec                 eax
            //   3998c0e17300         | mov                 ecx, ebx
            //   0f84ea000000         | test                eax, eax

        $sequence_27 = { d9c9 d9f1 833d????????00 0f859c190000 8d0d90b86e00 }
            // n = 5, score = 100
            //   d9c9                 | fxch                st(1)
            //   d9f1                 | fyl2x               
            //   833d????????00       |                     
            //   0f859c190000         | jne                 0x19a2
            //   8d0d90b86e00         | lea                 ecx, dword ptr [0x6eb890]

        $sequence_28 = { c745e0d8ba7300 e9???????? c745e0d4ba7300 eba2 894ddc c745e0d4ba7300 }
            // n = 6, score = 100
            //   c745e0d8ba7300       | dec                 eax
            //   e9????????           |                     
            //   c745e0d4ba7300       | lea                 edx, dword ptr [ebp - 0x24]
            //   eba2                 | mov                 word ptr [ebx + 0x14], ax
            //   894ddc               | dec                 eax
            //   c745e0d4ba7300       | mov                 ecx, dword ptr [edi + 0x18]

        $sequence_29 = { be???????? c745ecf07d6e00 57 8d3c85fcffffff 8975cc 8d041f }
            // n = 6, score = 100
            //   be????????           |                     
            //   c745ecf07d6e00       | mov                 dword ptr [ebp - 0x14], 0x6e7df0
            //   57                   | push                edi
            //   8d3c85fcffffff       | lea                 edi, dword ptr [eax*4 - 4]
            //   8975cc               | mov                 dword ptr [ebp - 0x34], esi
            //   8d041f               | lea                 eax, dword ptr [edi + ebx]

        $sequence_30 = { 83e110 80f910 7508 c70333ff0000 }
            // n = 4, score = 100
            //   83e110               | and                 ecx, 0x10
            //   80f910               | cmp                 cl, 0x10
            //   7508                 | jne                 0xa
            //   c70333ff0000         | mov                 dword ptr [ebx], 0xff33

        $sequence_31 = { 56 8985ecf3ffff ff15???????? 68???????? 56 8985e8f3ffff ff15???????? }
            // n = 7, score = 100
            //   56                   | dec                 ecx
            //   8985ecf3ffff         | mov                 ecx, edi
            //   ff15????????         |                     
            //   68????????           |                     
            //   56                   | call                dword ptr [esp + 0x50]
            //   8985e8f3ffff         | dec                 esp
            //   ff15????????         |                     

        $sequence_32 = { 0fb60c8536976e00 0fb6348537976e00 8bf9 8985a4f8ffff c1e702 }
            // n = 5, score = 100
            //   0fb60c8536976e00     | movzx               ecx, byte ptr [eax*4 + 0x6e9736]
            //   0fb6348537976e00     | movzx               esi, byte ptr [eax*4 + 0x6e9737]
            //   8bf9                 | mov                 edi, ecx
            //   8985a4f8ffff         | mov                 dword ptr [ebp - 0x75c], eax
            //   c1e702               | shl                 edi, 2

        $sequence_33 = { a3???????? eb42 8b0d???????? 8b490c e8???????? 6a00 }
            // n = 6, score = 100
            //   a3????????           |                     
            //   eb42                 | jmp                 0x44
            //   8b0d????????         |                     
            //   8b490c               | mov                 ecx, dword ptr [ecx + 0xc]
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_34 = { c745e0e0ba6e00 e9???????? 83e80f 7451 }
            // n = 4, score = 100
            //   c745e0e0ba6e00       | mov                 dword ptr [ebp - 0x20], 0x6ebae0
            //   e9????????           |                     
            //   83e80f               | sub                 eax, 0xf
            //   7451                 | je                  0x53

        $sequence_35 = { e8???????? 8bf0 85f6 753a e9???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   753a                 | jne                 0x3c
            //   e9????????           |                     

        $sequence_36 = { 0f8580000000 8b4508 dd00 ebc6 c745e0e8ba6e00 }
            // n = 5, score = 100
            //   0f8580000000         | jne                 0x86
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   dd00                 | fld                 qword ptr [eax]
            //   ebc6                 | jmp                 0xffffffc8
            //   c745e0e8ba6e00       | mov                 dword ptr [ebp - 0x20], 0x6ebae8

    // Any 7 distinct sequences must match and the scanned object must be
    // smaller than 393216 bytes (384 KiB). The specificity comes from the
    // 7-of-37 threshold, not from any single sequence; the filesize bound
    // also means the rule is meant for unpacked PE files / dumps of that size,
    // so larger packed containers will not trigger it.
    condition:
        7 of them and filesize < 393216
}