win.volgmer (Back to overview)

Volgmer

aka: FALLCHILL, Manuscrypt

Actor(s): Lazarus Group


No description has been provided for this family yet. The references below (notably the US-CERT alert TA17-318B "HIDDEN COBRA – North Korean Trojan: Volgmer" and the LIFARS analysis of FALLCHILL) characterize it as a remote access trojan attributed to the Lazarus Group; consult them for capabilities and indicators until a description is written here.

References
2021-09-07LIFARSVlad Pasca
@techreport{pasca:20210907:detailed:2e29866, author = {Vlad Pasca}, title = {{A Detailed Analysis of Lazarus’ RAT Called FALLCHILL}}, date = {2021-09-07}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf}, language = {English}, urldate = {2022-01-20} } A Detailed Analysis of Lazarus’ RAT Called FALLCHILL
Volgmer
2021-02-25Kaspersky LabsVyacheslav Kopeytsev, Seongsu Park
@online{kopeytsev:20210225:lazarus:c887c21, author = {Vyacheslav Kopeytsev and Seongsu Park}, title = {{Lazarus targets defense industry with ThreatNeedle}}, date = {2021-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-threatneedle/100803/}, language = {English}, urldate = {2021-02-25} } Lazarus targets defense industry with ThreatNeedle
Volgmer
2021-01-27S2W LAB Inc.Sojun Ryu
@online{ryu:20210127:analysis:d2bb250, author = {Sojun Ryu}, title = {{Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74}, language = {English}, urldate = {2021-01-27} } Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)
Volgmer
2021-01-27S2W LAB Inc.Sojun Ryu
@online{ryu:20210127:how:7dcce24, author = {Sojun Ryu}, title = {{How to communicate between RAT infected devices (White paper)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view}, language = {English}, urldate = {2021-01-27} } How to communicate between RAT infected devices (White paper)
Volgmer
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-05-07AVARMark Lechtik, Ariel Jugnheit
@online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jugnheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} } The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market
Volgmer
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-08-23Kaspersky LabsGReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group
2017-11-14US-CERTUS-CERT
@online{uscert:20171114:alert:4bf4ff5, author = {US-CERT}, title = {{Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer}}, date = {2017-11-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-318B}, language = {English}, urldate = {2020-01-08} } Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer
Volgmer Lazarus Group
Yara Rules
[TLP:WHITE] win_volgmer_auto (20230125 | Detects win.volgmer.)
rule win_volgmer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.volgmer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (reviewer comments, not part of the generated rule)
     * - Only the hex byte patterns in the $sequence_N strings affect matching;
     *   the "// bytes | mnemonic" lines are comments. The ???????? wildcards
     *   stand for call/jmp displacements and data references that differ
     *   between builds.
     * - The mnemonic annotations were produced by a 32-bit disassembler, yet
     *   most sequences (score 200/300) are x86-64 code: REX prefixes show up
     *   as "inc"/"dec" of a 32-bit register (0x48 -> "dec eax",
     *   0x44 -> "inc esp", 0x45 -> "inc ebp") and [rsp]/[rbp] operands are
     *   printed as [esp]/[ebp]. Read them with that in mind.
     * - In many sequences the annotation column is also shifted against the
     *   byte column and does not describe the bytes on the same line, e.g. in
     *   $sequence_0 the byte 55 is "push rbp", not "dec eax"; in $sequence_4
     *   "eb14" is a short jmp, not "pop ebp"; in $sequence_15 "6a00" is
     *   "push 0", not "dec ecx". Decode the hex directly before relying on an
     *   annotation for triage or before editing a sequence.
     * - The 32-bit sequences (score 100) embed fixed immediates / absolute
     *   operands such as 0x6eba.., 0x73f180 or 0x6e9736 that are not
     *   wildcarded; these look like addresses inside the sampled image, so a
     *   rebased or differently laid-out build presumably will not hit those
     *   sequences (confirm against your samples).
     * - Per the disclaimer, the sequences come from unpacked / memory-dumped
     *   code: expect hits on process memory and unpacked PE sections, not on
     *   packed or encrypted on-disk droppers.
     * - The score values appear to reflect how many of the reference samples
     *   contained a sequence (300 > 200 > 100); treat higher-scored strings as
     *   the more generalizable ones when assessing a partial match.
     */

    strings:
        $sequence_0 = { 48897c2418 55 488d6c24b0 4881ec50010000 488b05???????? }
            // n = 5, score = 300
            //   48897c2418           | xor                 edx, edx
            //   55                   | dec                 eax
            //   488d6c24b0           | lea                 ecx, [esp + 0x40]
            //   4881ec50010000       | inc                 ecx
            //   488b05????????       |                     

        $sequence_1 = { 488b4d40 4833cc e8???????? 4c8d9c2450010000 498b5b18 498b7b20 498be3 }
            // n = 7, score = 300
            //   488b4d40             | mov                 dword ptr [esp + 0x30], ebx
            //   4833cc               | dec                 esp
            //   e8????????           |                     
            //   4c8d9c2450010000     | lea                 eax, [esp + 0x58]
            //   498b5b18             | xor                 edx, edx
            //   498b7b20             | xor                 ecx, ecx
            //   498be3               | mov                 dword ptr [esp + 0x28], 0x10

        $sequence_2 = { e8???????? e8???????? e8???????? e8???????? c705????????04000000 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   c705????????04000000     |     

        $sequence_3 = { 488dbdd0050000 66f2af 4883c9ff 8957fe 488dbdd0050000 488d95b0010000 66f2af }
            // n = 7, score = 200
            //   488dbdd0050000       | dec                 eax
            //   66f2af               | xor                 ecx, esp
            //   4883c9ff             | dec                 eax
            //   8957fe               | add                 esp, 0x528
            //   488dbdd0050000       | inc                 ecx
            //   488d95b0010000       | pop                 esi
            //   66f2af               | inc                 ecx

        $sequence_4 = { eb14 41b904000000 4533c0 488bd3 488bce }
            // n = 5, score = 200
            //   eb14                 | pop                 ebp
            //   41b904000000         | dec                 eax
            //   4533c0               | lea                 edi, [ebp + 0x5d0]
            //   488bd3               | repne scasd         eax, dword ptr es:[edi]
            //   488bce               | dec                 eax

        $sequence_5 = { 4c8bbc2410050000 488b8d00040000 4833cc e8???????? 4881c428050000 415e 415d }
            // n = 7, score = 200
            //   4c8bbc2410050000     | inc                 ebp
            //   488b8d00040000       | test                bh, bh
            //   4833cc               | dec                 esp
            //   e8????????           |                     
            //   4881c428050000       | mov                 edi, dword ptr [esp + 0x510]
            //   415e                 | dec                 eax
            //   415d                 | mov                 ecx, dword ptr [ebp + 0x400]

        $sequence_6 = { 895c2448 8d4b40 8bfb ff542450 488bd8 4885c0 7507 }
            // n = 7, score = 200
            //   895c2448             | dec                 eax
            //   8d4b40               | lea                 ebp, [esp - 0x50]
            //   8bfb                 | dec                 eax
            //   ff542450             | sub                 esp, 0x150
            //   488bd8               | dec                 eax
            //   4885c0               | xor                 eax, esp
            //   7507                 | dec                 eax

        $sequence_7 = { 4833cc e8???????? 4881c428160000 415f 415e 415d 415c }
            // n = 7, score = 200
            //   4833cc               | dec                 eax
            //   e8????????           |                     
            //   4881c428160000       | mov                 dword ptr [ebp + 0x40], eax
            //   415f                 | dec                 eax
            //   415e                 | mov                 dword ptr [esp + 0x18], edi
            //   415d                 | push                ebp
            //   415c                 | dec                 eax

        $sequence_8 = { e8???????? 85c0 7503 458bf7 418bc6 e9???????? 4533c9 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   85c0                 | add                 eax, ebp
            //   7503                 | add                 ecx, eax
            //   458bf7               | dec                 eax
            //   418bc6               | mov                 dword ptr [esp + 0x18], edi
            //   e9????????           |                     
            //   4533c9               | push                ebp

        $sequence_9 = { 385401fe 7505 c644242000 33f6 448d6608 4584ff }
            // n = 6, score = 200
            //   385401fe             | cmp                 byte ptr [ecx + eax - 2], dl
            //   7505                 | jne                 7
            //   c644242000           | mov                 byte ptr [esp + 0x20], 0
            //   33f6                 | xor                 esi, esi
            //   448d6608             | inc                 esp
            //   4584ff               | lea                 esp, [esi + 8]

        $sequence_10 = { e8???????? c7442420271a16ab 4533d2 c74424246d7a900e 418bc2 c7442428f3fa677d 488bcf }
            // n = 7, score = 200
            //   e8????????           |                     
            //   c7442420271a16ab     | inc                 ecx
            //   4533d2               | mov                 eax, edx
            //   c74424246d7a900e     | inc                 ecx
            //   418bc2               | and                 ecx, ecx
            //   c7442428f3fa677d     | rol                 eax, 5
            //   488bcf               | xor                 ecx, edx

        $sequence_11 = { 74b7 33d2 488d4c2444 41b804040000 e8???????? 6644897c2444 c744244037180000 }
            // n = 7, score = 200
            //   74b7                 | lea                 ebp, [esp - 0x50]
            //   33d2                 | dec                 eax
            //   488d4c2444           | sub                 esp, 0x150
            //   41b804040000         | dec                 eax
            //   e8????????           |                     
            //   6644897c2444         | xor                 eax, esp
            //   c744244037180000     | xor                 ecx, edx

        $sequence_12 = { b800000800 e9???????? 48899c2498020000 488b5908 33d2 488d4c2440 }
            // n = 6, score = 200
            //   b800000800           | or                  ecx, 0xffffffff
            //   e9????????           |                     
            //   48899c2498020000     | mov                 dword ptr [edi - 2], edx
            //   488b5908             | dec                 eax
            //   33d2                 | lea                 edi, [ebp + 0x5d0]
            //   488d4c2440           | dec                 eax

        $sequence_13 = { 8b05???????? 8905???????? e8???????? 85c0 7450 488b0d???????? e8???????? }
            // n = 7, score = 200
            //   8b05????????         |                     
            //   8905????????         |                     
            //   e8????????           |                     
            //   85c0                 | mov                 dword ptr [ebp + 0x40], eax
            //   7450                 | dec                 eax
            //   488b0d????????       |                     
            //   e8????????           |                     

        $sequence_14 = { e8???????? e9???????? 4183fd01 750d 498bd6 488bcb }
            // n = 6, score = 200
            //   e8????????           |                     
            //   e9????????           |                     
            //   4183fd01             | lea                 edx, [ebp + 0x1b0]
            //   750d                 | repne scasd         eax, dword ptr es:[edi]
            //   498bd6               | jmp                 0x16
            //   488bcb               | inc                 ecx

        $sequence_15 = { 6a00 50 e8???????? 83c40c c785e0f3ffff00040000 8d85e0f3ffff 50 }
            // n = 7, score = 100
            //   6a00                 | dec                 ecx
            //   50                   | mov                 esp, ebx
            //   e8????????           |                     
            //   83c40c               | dec                 eax
            //   c785e0f3ffff00040000     | mov    dword ptr [esp + 0x18], edi
            //   8d85e0f3ffff         | push                ebp
            //   50                   | dec                 eax

        $sequence_16 = { 8bf8 7452 8d8e18030000 51 8d85f4fbffff 68???????? 50 }
            // n = 7, score = 100
            //   8bf8                 | dec                 eax
            //   7452                 | xor                 eax, esp
            //   8d8e18030000         | dec                 eax
            //   51                   | mov                 dword ptr [ebp + 0x40], eax
            //   8d85f4fbffff         | dec                 eax
            //   68????????           |                     
            //   50                   | mov                 dword ptr [esp + 0x18], edi

        $sequence_17 = { c745e0e0ba7300 e9???????? 83e80f 7451 83e809 7443 }
            // n = 6, score = 100
            //   c745e0e0ba7300       | lea                 ebp, [esp - 0x50]
            //   e9????????           |                     
            //   83e80f               | dec                 eax
            //   7451                 | sub                 esp, 0x150
            //   83e809               | dec                 eax
            //   7443                 | mov                 dword ptr [esp + 0x10], ebx

        $sequence_18 = { 59 83cfff 897de4 8365fc00 8b049d80f17300 }
            // n = 5, score = 100
            //   59                   | dec                 eax
            //   83cfff               | mov                 dword ptr [esp + 0x18], edi
            //   897de4               | push                ebp
            //   8365fc00             | dec                 eax
            //   8b049d80f17300       | lea                 ebp, [esp - 0x50]

        $sequence_19 = { 83f8ff 89442404 7508 ff15???????? eb29 8d4c2404 }
            // n = 6, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   7508                 | jne                 0xa
            //   ff15????????         |                     
            //   eb29                 | jmp                 0x2b
            //   8d4c2404             | lea                 ecx, [esp + 4]

        $sequence_20 = { d9f1 833d????????00 0f859c190000 8d0d90b86e00 ba1b000000 e9???????? }
            // n = 6, score = 100
            //   d9f1                 | xor                 edx, edx
            //   833d????????00       |                     
            //   0f859c190000         | mov                 dword ptr [esp + 0x24], 0xe907a6d
            //   8d0d90b86e00         | inc                 ecx
            //   ba1b000000           | mov                 eax, edx
            //   e9????????           |                     

        $sequence_21 = { 395c2410 0f8450020000 3bfb 0f8448020000 50 6804010000 }
            // n = 6, score = 100
            //   395c2410             | cmp                 dword ptr [esp + 0x10], ebx
            //   0f8450020000         | je                  0x256
            //   3bfb                 | cmp                 edi, ebx
            //   0f8448020000         | je                  0x24e
            //   50                   | push                eax
            //   6804010000           | push                0x104

        $sequence_22 = { eba2 894ddc c745e0d4ba6e00 e9???????? c745dc03000000 c745e0e0ba6e00 e9???????? }
            // n = 7, score = 100
            //   eba2                 | dec                 eax
            //   894ddc               | mov                 dword ptr [esp + 0x10], ebx
            //   c745e0d4ba6e00       | dec                 eax
            //   e9????????           |                     
            //   c745dc03000000       | mov                 dword ptr [esp + 0x18], edi
            //   c745e0e0ba6e00       | push                ebp
            //   e9????????           |                     

        $sequence_23 = { 746a 83e805 7456 83e801 0f859b010000 c745e0d8ba6e00 8b4508 }
            // n = 7, score = 100
            //   746a                 | push                ebp
            //   83e805               | dec                 eax
            //   7456                 | lea                 ebp, [esp - 0x50]
            //   83e801               | dec                 eax
            //   0f859b010000         | sub                 esp, 0x150
            //   c745e0d8ba6e00       | dec                 eax
            //   8b4508               | xor                 eax, esp

        $sequence_24 = { 746b 56 8d442408 57 50 53 }
            // n = 6, score = 100
            //   746b                 | je                  0x6d
            //   56                   | push                esi
            //   8d442408             | lea                 eax, [esp + 8]
            //   57                   | push                edi
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_25 = { 8d4101 f7d8 1bc0 23c1 eb57 53 8b1c85d8887300 }
            // n = 7, score = 100
            //   8d4101               | dec                 eax
            //   f7d8                 | sub                 esp, 0x150
            //   1bc0                 | push                ebp
            //   23c1                 | dec                 eax
            //   eb57                 | lea                 ebp, [esp - 0x50]
            //   53                   | dec                 eax
            //   8b1c85d8887300       | sub                 esp, 0x150

        $sequence_26 = { 57 8975fc e8???????? 99 b90a000000 f7f9 81c618030000 }
            // n = 7, score = 100
            //   57                   | push                ebp
            //   8975fc               | dec                 eax
            //   e8????????           |                     
            //   99                   | lea                 ebp, [esp - 0x50]
            //   b90a000000           | dec                 eax
            //   f7f9                 | sub                 esp, 0x150
            //   81c618030000         | dec                 eax

        $sequence_27 = { 56 8b048580f17300 33db 8b7508 57 }
            // n = 5, score = 100
            //   56                   | dec                 eax
            //   8b048580f17300       | sub                 esp, 0x150
            //   33db                 | dec                 eax
            //   8b7508               | mov                 ecx, dword ptr [ebp + 0x40]
            //   57                   | dec                 eax

        $sequence_28 = { c74048b8e46e00 8b4508 6689486c 8b4508 66898872010000 }
            // n = 5, score = 100
            //   c74048b8e46e00       | inc                 sp
            //   8b4508               | mov                 dword ptr [esp + 0x44], edi
            //   6689486c             | mov                 dword ptr [esp + 0x40], 0x1837
            //   8b4508               | mov                 dword ptr [esp + 0x20], 0xab161a27
            //   66898872010000       | inc                 ebp

        $sequence_29 = { 7603 6a26 58 0fb60c8536977300 0fb6348537977300 8bf9 8985b4f8ffff }
            // n = 7, score = 100
            //   7603                 | xor                 ecx, esp
            //   6a26                 | dec                 esp
            //   58                   | lea                 ebx, [esp + 0x150]
            //   0fb60c8536977300     | dec                 ecx
            //   0fb6348537977300     | mov                 ebx, dword ptr [ebx + 0x18]
            //   8bf9                 | dec                 ecx
            //   8985b4f8ffff         | mov                 edi, dword ptr [ebx + 0x20]

        $sequence_30 = { 6a26 58 0fb60c8536976e00 0fb6348537976e00 8bf9 8985a4f8ffff c1e702 }
            // n = 7, score = 100
            //   6a26                 | xor                 eax, esp
            //   58                   | dec                 eax
            //   0fb60c8536976e00     | xor                 ecx, esp
            //   0fb6348537976e00     | dec                 eax
            //   8bf9                 | add                 esp, 0x1628
            //   8985a4f8ffff         | inc                 ecx
            //   c1e702               | pop                 edi

        $sequence_31 = { c644244239 c644244342 c644244483 c64424458e 88542446 c644244796 }
            // n = 6, score = 100
            //   c644244239           | mov                 byte ptr [esp + 0x42], 0x39
            //   c644244342           | mov                 byte ptr [esp + 0x43], 0x42
            //   c644244483           | mov                 byte ptr [esp + 0x44], 0x83
            //   c64424458e           | mov                 byte ptr [esp + 0x45], 0x8e
            //   88542446             | mov                 byte ptr [esp + 0x46], dl
            //   c644244796           | mov                 byte ptr [esp + 0x47], 0x96

        $sequence_32 = { 8b1c9d24726e00 56 6800080000 6a00 53 }
            // n = 5, score = 100
            //   8b1c9d24726e00       | pop                 esp
            //   56                   | je                  0xffffffb9
            //   6800080000           | xor                 edx, edx
            //   6a00                 | dec                 eax
            //   53                   | lea                 ecx, [esp + 0x44]

        $sequence_33 = { 8b9c2484000000 33d3 8b5c247c 33d3 8bdf }
            // n = 5, score = 100
            //   8b9c2484000000       | mov                 ebx, dword ptr [esp + 0x84]
            //   33d3                 | xor                 edx, ebx
            //   8b5c247c             | mov                 ebx, dword ptr [esp + 0x7c]
            //   33d3                 | xor                 edx, ebx
            //   8bdf                 | mov                 ebx, edi

        $sequence_34 = { e9???????? c745e0f0ba6e00 e9???????? c745e0f8ba6e00 e9???????? }
            // n = 5, score = 100
            //   e9????????           |                     
            //   c745e0f0ba6e00       | inc                 ecx
            //   e9????????           |                     
            //   c745e0f8ba6e00       | mov                 eax, 0x404
            //   e9????????           |                     

        $sequence_35 = { 7507 c74634047b6e00 57 ff7634 e8???????? 59 }
            // n = 6, score = 100
            //   7507                 | dec                 eax
            //   c74634047b6e00       | lea                 ebp, [esp - 0x50]
            //   57                   | dec                 eax
            //   ff7634               | sub                 esp, 0x150
            //   e8????????           |                     
            //   59                   | dec                 eax

    condition:
        // Any 7 of the 36 sequences. The x86-64 sequences (score 200/300) and
        // the 32-bit sequences (score 100) are pooled, so a single sample can
        // only draw on the sequences of its own architecture to reach 7 hits;
        // a miss on a given sample is therefore not by itself evidence of a
        // different family, and a hit on fewer than 7 is not surfaced at all.
        //
        // filesize < 393216 (384 KiB) is a hard cap on the scanned object: a
        // dumped region or unpacked image larger than that is never reported,
        // whatever its content. Note also that YARA leaves filesize undefined
        // when scanning a live process rather than a file, which makes this
        // conjunction false there — confirm the behaviour of your YARA version
        // before relying on the rule for process-memory scans.
        7 of them and filesize < 393216
}