win.volgmer

Volgmer

aka: FALLCHILL, Manuscrypt

Actor(s): Lazarus Group


There is no description at this point.

References
2020-07-29 — Kaspersky Labs — GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-05-07 — AVAR — Mark Lechtik, Ariel Jugnheit
@online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jugnheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} } The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market
Volgmer
2020-02-19 — Lexfo — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 — Qianxin — Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 — Secureworks — SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-08-23 — Kaspersky Labs — GReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group
2017-11-14 — US-CERT — US-CERT
@online{uscert:20171114:alert:4bf4ff5, author = {US-CERT}, title = {{Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer}}, date = {2017-11-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-318B}, language = {English}, urldate = {2020-01-08} } Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer
Volgmer Lazarus Group
Yara Rules
[TLP:WHITE] win_volgmer_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_volgmer_auto {

    /* How to read this rule (reviewer notes):
     * - Each $sequence_N is a run of raw x86 instruction bytes taken from the
     *   disassembly of Volgmer samples. "??" is the YARA single-byte wildcard and
     *   stands in for operands that differ between builds: call/jmp displacements,
     *   absolute or rip-relative data addresses, pushed immediates.
     * - "n" is the number of instructions in the sequence (it matches the number of
     *   annotated byte groups); "score" is the weight the generator assigned to it.
     * - Sequences whose first byte is a REX prefix (0x41, 0x44, 0x45, 0x48, 0x49,
     *   0x4c) are x86-64 code; the remaining sequences are 32-bit code.
     * - The mnemonic annotations were re-derived by hand from the bytes. The
     *   annotations originally emitted for the 64-bit sequences did not correspond
     *   to the bytes (e.g. 0x55 is push rbp/ebp, not push edi). Only the hex
     *   patterns take part in matching; the annotations are informational.
     * - $sequence_8, $sequence_13 and $sequence_27 use the SHA-1 round constants
     *   0x8f1bbcdc, 0x5a827999 and 0x6ed9eba1 together with rotate-by-30, so they
     *   most likely match an inlined SHA-1 implementation. Such code may also be
     *   present in unrelated binaries, so a hit driven mainly by those strings
     *   deserves a second look before it is treated as Volgmer.
     * - condition: at least 7 of the 29 sequences must match and the file must be
     *   smaller than 393216 bytes (384 KiB).
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // x86-64 function prologue: frame pointer below rsp, 0x150-byte frame, load of a global.
        $sequence_0 = { 55 488d6c24b0 4881ec50010000 488b05???????? }
            // n = 4, score = 300
            //   55                   | push                rbp
            //   488d6c24b0           | lea                 rbp, [rsp - 0x50]
            //   4881ec50010000       | sub                 rsp, 0x150
            //   488b05????????       | mov                 rax, qword ptr [rip + <disp32 wildcard>]

        // x86-64 epilogue fragment: rcx ^= rsp then a call, then restore of a saved rbx
        // from a 0x150-byte frame (looks like a stack-cookie check; not confirmed here).
        $sequence_1 = { 4833cc e8???????? 4c8d9c2450010000 498b5b18 }
            // n = 4, score = 300
            //   4833cc               | xor                 rcx, rsp
            //   e8????????           | call                <rel32 wildcard>
            //   4c8d9c2450010000     | lea                 r11, [rsp + 0x150]
            //   498b5b18             | mov                 rbx, qword ptr [r11 + 0x18]

        // 32-bit: store result, call with arg 0x10, test, long forward branch, push 0x1838.
        $sequence_2 = { 8985ecfbffff 6a10 e8???????? 85c0 0f84f3030000 51 6838180000 }
            // n = 7, score = 200
            //   8985ecfbffff         | mov                 dword ptr [ebp - 0x414], eax
            //   6a10                 | push                0x10
            //   e8????????           | call                <rel32 wildcard>
            //   85c0                 | test                eax, eax
            //   0f84f3030000         | je                  0x3f9
            //   51                   | push                ecx
            //   6838180000           | push                0x1838

        // 32-bit: indirect call through a function pointer loaded from a global.
        $sequence_3 = { 8b35???????? 8985f0fbffff ffd6 68???????? 57 8985c0fbffff }
            // n = 6, score = 200
            //   8b35????????         | mov                 esi, dword ptr [<addr wildcard>]
            //   8985f0fbffff         | mov                 dword ptr [ebp - 0x410], eax
            //   ffd6                 | call                esi
            //   68????????           | push                <imm32 wildcard>
            //   57                   | push                edi
            //   8985c0fbffff         | mov                 dword ptr [ebp - 0x440], eax

        // x86-64: repne scasw over a wide string at rbp+0x1b0, then a word-read loop.
        $sequence_4 = { 488d95b0010000 66f2af 33c9 0f1f440000 0fb7040a }
            // n = 5, score = 200
            //   488d95b0010000       | lea                 rdx, [rbp + 0x1b0]
            //   66f2af               | repne scasw         ax, word ptr [rdi]
            //   33c9                 | xor                 ecx, ecx
            //   0f1f440000           | nop                 dword ptr [rax + rax]
            //   0fb7040a             | movzx               eax, word ptr [rdx + rcx]

        // x86-64 epilogue of a function with a 0x260-byte frame (rcx ^= rsp then call,
        // consistent with a stack-cookie check; not confirmed here).
        $sequence_5 = { 488b9c2498020000 488b8c2450020000 4833cc e8???????? 4881c460020000 5f 5e }
            // n = 7, score = 200
            //   488b9c2498020000     | mov                 rbx, qword ptr [rsp + 0x298]
            //   488b8c2450020000     | mov                 rcx, qword ptr [rsp + 0x250]
            //   4833cc               | xor                 rcx, rsp
            //   e8????????           | call                <rel32 wildcard>
            //   4881c460020000       | add                 rsp, 0x260
            //   5f                   | pop                 rdi
            //   5e                   | pop                 rsi

        // x86-64: import call, then set up rcx/rdx for the next call.
        $sequence_6 = { ff15???????? 33f6 488d8dc00f0000 33d2 488945a0 }
            // n = 5, score = 200
            //   ff15????????         | call                qword ptr [rip + <disp32 wildcard>]
            //   33f6                 | xor                 esi, esi
            //   488d8dc00f0000       | lea                 rcx, [rbp + 0xfc0]
            //   33d2                 | xor                 edx, edx
            //   488945a0             | mov                 qword ptr [rbp - 0x60], rax

        // x86-64: call through r12 with (rdi, rsp+0x30), branch on the result.
        $sequence_7 = { 0f8493000000 488d542430 488bcf 41ffd4 85c0 7576 }
            // n = 6, score = 200
            //   0f8493000000         | je                  0x99
            //   488d542430           | lea                 rdx, [rsp + 0x30]
            //   488bcf               | mov                 rcx, rdi
            //   41ffd4               | call                r12
            //   85c0                 | test                eax, eax
            //   7576                 | jne                 0x78

        // x86-64: SHA-1 round fragment (rol 30 and the K3 constant 0x8f1bbcdc).
        $sequence_8 = { 4103c9 c1c31e 41d1c5 448d8c11dcbc1b8f }
            // n = 4, score = 200
            //   4103c9               | add                 ecx, r9d
            //   c1c31e               | rol                 ebx, 0x1e
            //   41d1c5               | rol                 r13d, 1
            //   448d8c11dcbc1b8f     | lea                 r9d, [rcx + rdx - 0x70e44324]

        // 32-bit function prologue with a 0x624-byte frame (eax ^= ebp from a global,
        // consistent with a stack-cookie setup; not confirmed here).
        $sequence_9 = { 81ec24060000 a1???????? 33c5 8945fc a1???????? 53 56 }
            // n = 7, score = 200
            //   81ec24060000         | sub                 esp, 0x624
            //   a1????????           | mov                 eax, dword ptr [<addr wildcard>]
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   a1????????           | mov                 eax, dword ptr [<addr wildcard>]
            //   53                   | push                ebx
            //   56                   | push                esi

        // x86-64: two short branches, load of the constant 0x4000000, jump out.
        $sequence_10 = { 750e 84c9 750a b800000004 e9???????? 488d4c2430 488bd3 }
            // n = 7, score = 200
            //   750e                 | jne                 0x10
            //   84c9                 | test                cl, cl
            //   750a                 | jne                 0xc
            //   b800000004           | mov                 eax, 0x4000000
            //   e9????????           | jmp                 <rel32 wildcard>
            //   488d4c2430           | lea                 rcx, [rsp + 0x30]
            //   488bd3               | mov                 rdx, rbx

        // Four consecutive calls, then a global dword set to 4. The c705 form is an
        // absolute address in 32-bit code and rip-relative in 64-bit code.
        $sequence_11 = { e8???????? e8???????? e8???????? e8???????? c705????????04000000 }
            // n = 5, score = 200
            //   e8????????           | call                <rel32 wildcard>
            //   e8????????           | call                <rel32 wildcard>
            //   e8????????           | call                <rel32 wildcard>
            //   e8????????           | call                <rel32 wildcard>
            //   c705????????04000000     | mov    dword ptr [<addr wildcard>], 4

        // 32-bit: call with eax as argument, then push 0x400 and mask eax with esi.
        $sequence_12 = { 50 e8???????? 6800040000 23c6 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   e8????????           | call                <rel32 wildcard>
            //   6800040000           | push                0x400
            //   23c6                 | and                 eax, esi

        // x86-64: SHA-1 round fragment (rol 30 and the K1 constant 0x5a827999).
        $sequence_13 = { 41c1c01e 458d940a9979825a 418bc8 33ca }
            // n = 4, score = 200
            //   41c1c01e             | rol                 r8d, 0x1e
            //   458d940a9979825a     | lea                 r10d, [r10 + rcx + 0x5a827999]
            //   418bc8               | mov                 ecx, r8d
            //   33ca                 | xor                 ecx, edx

        // 32-bit: null check on edi, then clear a local and load a neighbouring one.
        $sequence_14 = { 85ff 740f e9???????? c78574f4ffff00000000 8b9d78f4ffff 53 }
            // n = 6, score = 200
            //   85ff                 | test                edi, edi
            //   740f                 | je                  0x11
            //   e9????????           | jmp                 <rel32 wildcard>
            //   c78574f4ffff00000000     | mov    dword ptr [ebp - 0xb8c], 0
            //   8b9d78f4ffff         | mov                 ebx, dword ptr [ebp - 0xb88]
            //   53                   | push                ebx

        // x86-64: NUL-terminate a buffer at rbp+0xb80 (index rsi) and pass it on.
        $sequence_15 = { 8bd6 c68435800b000000 488d8d800b0000 e8???????? }
            // n = 4, score = 200
            //   8bd6                 | mov                 edx, esi
            //   c68435800b000000     | mov                 byte ptr [rbp + rsi + 0xb80], 0
            //   488d8d800b0000       | lea                 rcx, [rbp + 0xb80]
            //   e8????????           | call                <rel32 wildcard>

        // x86-64: tail of a wide-character copy loop (stores ax, loops while ax != 0).
        $sequence_16 = { 6689440ffc 6685c0 75ee 488b742450 }
            // n = 4, score = 200
            //   6689440ffc           | mov                 word ptr [rdi + rcx - 4], ax
            //   6685c0               | test                ax, ax
            //   75ee                 | jne                 0xfffffff0
            //   488b742450           | mov                 rsi, qword ptr [rsp + 0x50]

        // 32-bit: byte store loop exit, then a virtual-call style dispatch through [ecx].
        $sequence_17 = { 75f3 8b0d???????? 8806 85c9 7410 8b01 6a01 }
            // n = 7, score = 200
            //   75f3                 | jne                 0xfffffff5
            //   8b0d????????         | mov                 ecx, dword ptr [<addr wildcard>]
            //   8806                 | mov                 byte ptr [esi], al
            //   85c9                 | test                ecx, ecx
            //   7410                 | je                  0x12
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   6a01                 | push                1

        // x86-64: import call, then rdi = -1 / rax = rdi + 1 (typical strlen-style setup).
        $sequence_18 = { 488bce ff15???????? 4883cfff 488d4c2460 488bc7 48ffc0 }
            // n = 6, score = 200
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip + <disp32 wildcard>]
            //   4883cfff             | or                  rdi, 0xffffffffffffffff
            //   488d4c2460           | lea                 rcx, [rsp + 0x60]
            //   488bc7               | mov                 rax, rdi
            //   48ffc0               | inc                 rax

        // 32-bit: two calls with pushed immediates (string/handle arguments vary per build).
        $sequence_19 = { 68???????? ffd7 68???????? 50 ff15???????? }
            // n = 5, score = 200
            //   68????????           | push                <imm32 wildcard>
            //   ffd7                 | call                edi
            //   68????????           | push                <imm32 wildcard>
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [<addr wildcard>]

        // 32-bit: call through ebx, retry with a different pushed argument on NULL result.
        $sequence_20 = { 898534fbffff ffd3 8bf0 85f6 7509 68???????? ffd3 }
            // n = 7, score = 200
            //   898534fbffff         | mov                 dword ptr [ebp - 0x4cc], eax
            //   ffd3                 | call                ebx
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7509                 | jne                 0xb
            //   68????????           | push                <imm32 wildcard>
            //   ffd3                 | call                ebx

        // x86-64: NUL-terminate a buffer at rsp+0x500 (index rdi) and pass it on.
        $sequence_21 = { e8???????? 8bd7 c6843c0005000000 488d8c2400050000 e8???????? }
            // n = 5, score = 200
            //   e8????????           | call                <rel32 wildcard>
            //   8bd7                 | mov                 edx, edi
            //   c6843c0005000000     | mov                 byte ptr [rsp + rdi + 0x500], 0
            //   488d8c2400050000     | lea                 rcx, [rsp + 0x500]
            //   e8????????           | call                <rel32 wildcard>

        // x86-64: inline length scan of the buffer at rbp+0x360 (rcx = -1; inc; cmp byte, 0).
        $sequence_22 = { e8???????? 448bc8 4863d7 488d8560030000 4883c9ff 48ffc1 803c0800 }
            // n = 7, score = 200
            //   e8????????           | call                <rel32 wildcard>
            //   448bc8               | mov                 r9d, eax
            //   4863d7               | movsxd              rdx, edi
            //   488d8560030000       | lea                 rax, [rbp + 0x360]
            //   4883c9ff             | or                  rcx, 0xffffffffffffffff
            //   48ffc1               | inc                 rcx
            //   803c0800             | cmp                 byte ptr [rax + rcx], 0

        // 32-bit: edi = -edi or 0, then pass a stack buffer to a call.
        $sequence_23 = { f7df eb02 33ff 8d442418 50 e8???????? }
            // n = 6, score = 100
            //   f7df                 | neg                 edi
            //   eb02                 | jmp                 4
            //   33ff                 | xor                 edi, edi
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax
            //   e8????????           | call                <rel32 wildcard>

        // 32-bit: boolean mixing of stack-held words (same style as the SHA-1 fragments above).
        $sequence_24 = { 8b7c2414 23f3 33f7 8b7c2410 }
            // n = 4, score = 100
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]
            //   23f3                 | and                 esi, ebx
            //   33f7                 | xor                 esi, edi
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]

        // 32-bit: rol 30 on a stack slot plus xor mixing (SHA-1 style round bookkeeping).
        $sequence_25 = { 8b442424 c1c01e 89442424 8bc6 33c3 8b9c24a8000000 33c3 }
            // n = 7, score = 100
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   c1c01e               | rol                 eax, 0x1e
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   8bc6                 | mov                 eax, esi
            //   33c3                 | xor                 eax, ebx
            //   8b9c24a8000000       | mov                 ebx, dword ptr [esp + 0xa8]
            //   33c3                 | xor                 eax, ebx

        // 32-bit: prologue that pushes the constants 0x17, 0x1e, 0 as call arguments.
        $sequence_26 = { 56 57 8b7c240c 6a17 6a1e 6a00 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7c240c             | mov                 edi, dword ptr [esp + 0xc]
            //   6a17                 | push                0x17
            //   6a1e                 | push                0x1e
            //   6a00                 | push                0

        // 32-bit: SHA-1 round fragment (adds the K2 constant 0x6ed9eba1).
        $sequence_27 = { 8dbc07a1ebd96e 8b44244c 895c2420 8b5c2458 }
            // n = 4, score = 100
            //   8dbc07a1ebd96e       | lea                 edi, [edi + eax + 0x6ed9eba1]
            //   8b44244c             | mov                 eax, dword ptr [esp + 0x4c]
            //   895c2420             | mov                 dword ptr [esp + 0x20], ebx
            //   8b5c2458             | mov                 ebx, dword ptr [esp + 0x58]

        // 32-bit: and/or mixing of stack-held words.
        $sequence_28 = { 89442410 8b442414 8bf8 23c2 0bfa }
            // n = 5, score = 100
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   8bf8                 | mov                 edi, eax
            //   23c2                 | and                 eax, edx
            //   0bfa                 | or                  edi, edx

    condition:
        // 7 of the 29 byte sequences, in a file under 384 KiB.
        7 of them and filesize < 393216
}