win.volgmer

Volgmer

aka: FALLCHILL, Manuscrypt

Actor(s): Lazarus Group


There is no description at this point.

References
2021-09-07, LIFARS, Vlad Pasca: "A Detailed Analysis of Lazarus’ RAT Called FALLCHILL". https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf (retrieved 2022-01-20)
Covers: Volgmer

2021-02-25, Kaspersky Labs, Vyacheslav Kopeytsev and Seongsu Park: "Lazarus targets defense industry with ThreatNeedle". https://securelist.com/lazarus-threatneedle/100803/ (retrieved 2021-02-25)
Covers: Volgmer

2021-01-27, S2W LAB Inc., Sojun Ryu: "Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)". https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74 (retrieved 2021-01-27)
Covers: Volgmer

2021-01-27, S2W LAB Inc., Sojun Ryu: "How to communicate between RAT infected devices (White paper)". https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view (retrieved 2021-01-27)
Covers: Volgmer

2020-07-29, Kaspersky Labs, GReAT: "APT trends report Q2 2020". https://securelist.com/apt-trends-report-q2-2020/97937/ (retrieved 2020-07-30)
Covers: PhantomLance, Dacls, Penquin Turla, elf.wellmess, AppleJeus, Dacls, AcidBox, Cobalt Strike, Dacls, EternalPetya, Godlike12, Olympic Destroyer, PlugX, shadowhammer, ShadowPad, Sinowal, VHD Ransomware, Volgmer, WellMess, X-Agent, XTunnel

2020-05-07, AVAR, Mark Lechtik and Ariel Jugnheit: "The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market". https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view (retrieved 2020-05-07)
Covers: Volgmer

2020-02-19, Lexfo: "The Lazarus Constellation: A study on North Korean malware". https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf (retrieved 2020-03-11)
Covers: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor

2020-02-13, Qianxin, Qi Anxin Threat Intelligence Center: "APT Report 2019". https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf (retrieved 2020-02-27)
Covers: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2020, Secureworks: "NICKEL ACADEMY". https://www.secureworks.com/research/threat-profiles/nickel-academy (retrieved 2020-05-23)
Covers: Brambul, Duuzer, HOPLIGHT, Joanap, Sierra(Alfa,Bravo, ...), Volgmer

2018-08-23, Kaspersky Labs, GReAT: "Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware". https://securelist.com/operation-applejeus/87553/ (retrieved 2019-12-20)
Covers: AppleJeus, Volgmer, Lazarus Group

2017-11-14, US-CERT: "Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer". https://www.us-cert.gov/ncas/alerts/TA17-318B (retrieved 2020-01-08)
Covers: Volgmer, Lazarus Group
Yara Rules
[TLP:WHITE] win_volgmer_auto (20221125 | Detects win.volgmer.)
rule win_volgmer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.volgmer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 48897c2418 55 488d6c24b0 4881ec50010000 488b05???????? 4833c4 48894540 }
            // n = 7, score = 300
            //   48897c2418           | inc                 ecx
            //   55                   | mov                 dword ptr [esp + 4], eax
            //   488d6c24b0           | inc                 ecx
            //   4881ec50010000       | mov                 dword ptr [esp + 8], eax
            //   488b05????????       |                     
            //   4833c4               | dec                 ebp
            //   48894540             | test                edi, edi

        $sequence_1 = { 488b4d40 4833cc e8???????? 4c8d9c2450010000 498b5b18 498b7b20 498be3 }
            // n = 7, score = 300
            //   488b4d40             | je                  0x34
            //   4833cc               | dec                 eax
            //   e8????????           |                     
            //   4c8d9c2450010000     | mov                 ecx, dword ptr [ebp - 0x3d]
            //   498b5b18             | inc                 ecx
            //   498b7b20             | mov                 dword ptr [esp], eax
            //   498be3               | dec                 eax

        $sequence_2 = { e8???????? 488d95a0050000 488bce ff15???????? 4c8bf8 ff15???????? 4c63442444 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488d95a0050000       | dec                 eax
            //   488bce               | mov                 ecx, ebx
            //   ff15????????         |                     
            //   4c8bf8               | inc                 ecx
            //   ff15????????         |                     
            //   4c63442444           | cmp                 ebp, 1

        $sequence_3 = { e8???????? 488b4db3 4189442404 e8???????? 4189442408 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   488b4db3             | dec                 eax
            //   4189442404           | lea                 eax, [esp + 0x40]
            //   e8????????           |                     
            //   4189442408           | dec                 esp

        $sequence_4 = { eb50 e8???????? 4533db 488d442440 }
            // n = 4, score = 200
            //   eb50                 | mov                 edx, ebx
            //   e8????????           |                     
            //   4533db               | dec                 eax
            //   488d442440           | sub                 ecx, ebx

        $sequence_5 = { 488bbc24e00e0000 488bb424e80e0000 eb02 33c0 488b8dc00d0000 4833cc e8???????? }
            // n = 7, score = 200
            //   488bbc24e00e0000     | dec                 eax
            //   488bb424e80e0000     | lea                 ebp, [esp - 0x50]
            //   eb02                 | dec                 eax
            //   33c0                 | sub                 esp, 0x150
            //   488b8dc00d0000       | dec                 eax
            //   4833cc               | mov                 dword ptr [esp + 0x18], edi
            //   e8????????           |                     

        $sequence_6 = { 7f3a 6685c0 7e1a 440fbfc0 488d95f6000000 448bce 498bcd }
            // n = 7, score = 200
            //   7f3a                 | mov                 dword ptr [esp + 0x18], edi
            //   6685c0               | push                ebp
            //   7e1a                 | dec                 eax
            //   440fbfc0             | lea                 ebp, [esp - 0x50]
            //   488d95f6000000       | dec                 eax
            //   448bce               | sub                 esp, 0x150
            //   498bcd               | dec                 eax

        $sequence_7 = { c744242000000000 e8???????? 85c0 742a 41b888210000 488d542430 488bcb }
            // n = 7, score = 200
            //   c744242000000000     | xor                 eax, esp
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   742a                 | mov                 dword ptr [ebp + 0x40], eax
            //   41b888210000         | jne                 0x12
            //   488d542430           | dec                 ecx
            //   488bcb               | mov                 edx, esi

        $sequence_8 = { ff15???????? 85c0 7507 b800000100 eb26 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   85c0                 | mov                 ecx, dword ptr [ebp - 0x4d]
            //   7507                 | inc                 ecx
            //   b800000100           | mov                 dword ptr [esp + 4], eax
            //   eb26                 | inc                 ecx

        $sequence_9 = { e8???????? 488b4dc3 41890424 e8???????? }
            // n = 4, score = 200
            //   e8????????           |                     
            //   488b4dc3             | mov                 dword ptr [esp + 0x38], ebx
            //   41890424             | dec                 esp
            //   e8????????           |                     

        $sequence_10 = { e8???????? e8???????? e8???????? c705????????04000000 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   c705????????04000000     |     

        $sequence_11 = { 458bc7 89442460 488bcb 8bf8 418bf7 418d510a e8???????? }
            // n = 7, score = 200
            //   458bc7               | push                ebp
            //   89442460             | dec                 eax
            //   488bcb               | lea                 ebp, [esp - 0x50]
            //   8bf8                 | dec                 eax
            //   418bf7               | sub                 esp, 0x150
            //   418d510a             | dec                 eax
            //   e8????????           |                     

        $sequence_12 = { 4533c0 ff5588 ba20400000 b940000000 ff5590 4c8bf8 4885c0 }
            // n = 7, score = 200
            //   4533c0               | xor                 eax, esp
            //   ff5588               | push                ebp
            //   ba20400000           | dec                 eax
            //   b940000000           | lea                 ebp, [esp - 0x50]
            //   ff5590               | dec                 eax
            //   4c8bf8               | sub                 esp, 0x150
            //   4885c0               | dec                 eax

        $sequence_13 = { e8???????? 488d8db0010000 488bd3 482bcb }
            // n = 4, score = 200
            //   e8????????           |                     
            //   488d8db0010000       | dec                 eax
            //   488bd3               | lea                 ecx, [ebp + 0x1b0]
            //   482bcb               | dec                 eax

        $sequence_14 = { e9???????? 48899c2498020000 488b5908 33d2 }
            // n = 4, score = 200
            //   e9????????           |                     
            //   48899c2498020000     | dec                 eax
            //   488b5908             | mov                 ecx, dword ptr [ebp - 0x4d]
            //   33d2                 | inc                 ecx

        $sequence_15 = { e8???????? 6800040000 8985ccf5ffff 0f57c0 8d85d0f9ffff c645d000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   6800040000           | mov                 dword ptr [esp + 0x18], edi
            //   8985ccf5ffff         | push                ebp
            //   0f57c0               | dec                 eax
            //   8d85d0f9ffff         | lea                 ebp, [esp - 0x50]
            //   c645d000             | dec                 eax

        $sequence_16 = { 85c0 745f 8d542448 68???????? 52 }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   745f                 | je                  0x61
            //   8d542448             | lea                 edx, [esp + 0x48]
            //   68????????           |                     
            //   52                   | push                edx

        $sequence_17 = { 56 33f6 8b8680f16e00 85c0 }
            // n = 4, score = 100
            //   56                   | dec                 eax
            //   33f6                 | mov                 dword ptr [esp + 0x10], ebx
            //   8b8680f16e00         | dec                 eax
            //   85c0                 | mov                 dword ptr [esp + 0x18], edi

        $sequence_18 = { ff15???????? 50 e9???????? 81ffffffff7f }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   50                   | push                eax
            //   e9????????           |                     
            //   81ffffffff7f         | cmp                 edi, 0x7fffffff

        $sequence_19 = { 8b0c9580f16e00 8844192e 8b049580f16e00 804c182d04 ff4604 eb08 }
            // n = 6, score = 100
            //   8b0c9580f16e00       | sub                 esp, 0x150
            //   8844192e             | dec                 eax
            //   8b049580f16e00       | xor                 eax, esp
            //   804c182d04           | dec                 eax
            //   ff4604               | mov                 dword ptr [ebp + 0x40], eax
            //   eb08                 | dec                 eax

        $sequence_20 = { 8b8da8f8ffff 85c9 0f84d3000000 8b048dcc976e00 89859cf8ffff 85c0 }
            // n = 6, score = 100
            //   8b8da8f8ffff         | push                ebp
            //   85c9                 | dec                 eax
            //   0f84d3000000         | lea                 ebp, [esp - 0x50]
            //   8b048dcc976e00       | dec                 eax
            //   89859cf8ffff         | sub                 esp, 0x150
            //   85c0                 | dec                 eax

        $sequence_21 = { 6bc830 894de0 8b049d80f16e00 0fb6440828 83e001 }
            // n = 5, score = 100
            //   6bc830               | mov                 edi, dword ptr [esp + 0xee0]
            //   894de0               | dec                 eax
            //   8b049d80f16e00       | mov                 esi, dword ptr [esp + 0xee8]
            //   0fb6440828           | jmp                 0xc
            //   83e001               | xor                 eax, eax

        $sequence_22 = { 50 8b04bd80f16e00 ff743018 ff15???????? 85c0 }
            // n = 5, score = 100
            //   50                   | dec                 eax
            //   8b04bd80f16e00       | mov                 ecx, dword ptr [ebp + 0xdc0]
            //   ff743018             | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | xor                 ecx, esp

        $sequence_23 = { 7527 ff15???????? 83f87a 0f85e9000000 8b4c240c }
            // n = 5, score = 100
            //   7527                 | jne                 0x29
            //   ff15????????         |                     
            //   83f87a               | cmp                 eax, 0x7a
            //   0f85e9000000         | jne                 0xef
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]

        $sequence_24 = { 83c40c 6b45e430 8945e0 8d80d0e17300 8945e4 }
            // n = 5, score = 100
            //   83c40c               | dec                 ecx
            //   6b45e430             | mov                 ebx, dword ptr [ebx + 0x18]
            //   8945e0               | dec                 ecx
            //   8d80d0e17300         | mov                 edi, dword ptr [ebx + 0x20]
            //   8945e4               | dec                 ecx

        $sequence_25 = { 3a17 3a31 3a9a3aa43ab2 3ab73ac33ad2 }
            // n = 4, score = 100
            //   3a17                 | dec                 eax
            //   3a31                 | mov                 dword ptr [ebp + 0x40], eax
            //   3a9a3aa43ab2         | dec                 eax
            //   3ab73ac33ad2         | mov                 ecx, dword ptr [ebp + 0x40]

        $sequence_26 = { 03fe 8bb42484000000 03fe 8b742424 c1c31e 8db43e9979825a 8b7814 }
            // n = 7, score = 100
            //   03fe                 | add                 edi, esi
            //   8bb42484000000       | mov                 esi, dword ptr [esp + 0x84]
            //   03fe                 | add                 edi, esi
            //   8b742424             | mov                 esi, dword ptr [esp + 0x24]
            //   c1c31e               | rol                 ebx, 0x1e
            //   8db43e9979825a       | lea                 esi, [esi + edi + 0x5a827999]
            //   8b7814               | mov                 edi, dword ptr [eax + 0x14]

        $sequence_27 = { 6a26 58 0fb60c8536976e00 0fb6348537976e00 8bf9 8985a4f8ffff c1e702 }
            // n = 7, score = 100
            //   6a26                 | xor                 eax, esp
            //   58                   | dec                 eax
            //   0fb60c8536976e00     | mov                 dword ptr [esp + 0x18], edi
            //   0fb6348537976e00     | push                ebp
            //   8bf9                 | dec                 eax
            //   8985a4f8ffff         | lea                 ebp, [esp - 0x50]
            //   c1e702               | dec                 eax

        $sequence_28 = { 8bf8 8b8580f6ffff 83780c00 74ab 8d8818030000 51 }
            // n = 6, score = 100
            //   8bf8                 | lea                 ebp, [esp - 0x50]
            //   8b8580f6ffff         | dec                 eax
            //   83780c00             | sub                 esp, 0x150
            //   74ab                 | dec                 eax
            //   8d8818030000         | mov                 dword ptr [esp + 0x10], ebx
            //   51                   | dec                 eax

        $sequence_29 = { 3c9f 3da43dab3d b13d cd3d 3a3e 44 3e4b }
            // n = 7, score = 100
            //   3c9f                 | sub                 esp, 0x150
            //   3da43dab3d           | dec                 eax
            //   b13d                 | mov                 dword ptr [esp + 0x10], ebx
            //   cd3d                 | dec                 eax
            //   3a3e                 | mov                 dword ptr [esp + 0x18], edi
            //   44                   | push                ebp
            //   3e4b                 | dec                 eax

        $sequence_30 = { c644241806 c64424190b c644241ade c644241b2b c644241c7c }
            // n = 5, score = 100
            //   c644241806           | mov                 byte ptr [esp + 0x18], 6
            //   c64424190b           | mov                 byte ptr [esp + 0x19], 0xb
            //   c644241ade           | mov                 byte ptr [esp + 0x1a], 0xde
            //   c644241b2b           | mov                 byte ptr [esp + 0x1b], 0x2b
            //   c644241c7c           | mov                 byte ptr [esp + 0x1c], 0x7c

        $sequence_31 = { 0f95c3 8945c8 4b b8???????? c745e4e47d6e00 }
            // n = 5, score = 100
            //   0f95c3               | sub                 esp, 0x150
            //   8945c8               | dec                 eax
            //   4b                   | xor                 eax, esp
            //   b8????????           |                     
            //   c745e4e47d6e00       | dec                 eax

        $sequence_32 = { 6800080000 8d831c040000 6a00 50 e8???????? }
            // n = 5, score = 100
            //   6800080000           | dec                 eax
            //   8d831c040000         | xor                 ecx, esp
            //   6a00                 | dec                 esp
            //   50                   | lea                 ebx, [esp + 0x150]
            //   e8????????           |                     

        $sequence_33 = { 64a300000000 f2c3 8b4de4 33cd f2e87c08ffff }
            // n = 5, score = 100
            //   64a300000000         | mov                 esp, ebx
            //   f2c3                 | dec                 eax
            //   8b4de4               | mov                 dword ptr [esp + 0x18], edi
            //   33cd                 | push                ebp
            //   f2e87c08ffff         | dec                 eax

        $sequence_34 = { 50 e8???????? 6800010000 8d8318030000 }
            // n = 4, score = 100
            //   50                   | lea                 ebp, [esp - 0x50]
            //   e8????????           |                     
            //   6800010000           | dec                 eax
            //   8d8318030000         | sub                 esp, 0x150

        $sequence_35 = { 83e03f 6bd030 895de4 8b049d80f16e00 8945d4 8955e8 }
            // n = 6, score = 100
            //   83e03f               | mov                 dword ptr [esp + 0x18], edi
            //   6bd030               | push                ebp
            //   895de4               | dec                 eax
            //   8b049d80f16e00       | lea                 ebp, [esp - 0x50]
            //   8945d4               | dec                 eax
            //   8955e8               | sub                 esp, 0x150

        $sequence_36 = { 8b5c2424 d1c0 89442464 8b442420 }
            // n = 4, score = 100
            //   8b5c2424             | mov                 ebx, dword ptr [esp + 0x24]
            //   d1c0                 | rol                 eax, 1
            //   89442464             | mov                 dword ptr [esp + 0x64], eax
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]

    condition:
        7 of them and filesize < 393216
}