win.volgmer

Volgmer

aka: FALLCHILL, Manuscrypt

Actor(s): Lazarus Group


There is no description at this point.

References
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-05-07 | AVAR | Mark Lechtik, Ariel Jugnheit
@online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jugnheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} } The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market
Volgmer
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2018-08-23 | Kaspersky Labs | GReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group
2017-11-14 | US-CERT | US-CERT
@online{uscert:20171114:alert:4bf4ff5, author = {US-CERT}, title = {{Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer}}, date = {2017-11-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-318B}, language = {English}, urldate = {2020-01-08} } Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer
Volgmer Lazarus Group
Yara Rules
[TLP:WHITE] win_volgmer_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_volgmer_auto {

    /* Purpose: autogenerated code-pattern signature for the Volgmer family
     * (listed on this page as aka FALLCHILL / Manuscrypt, actor Lazarus Group).
     * Each $sequence_N below is a run of raw opcode bytes lifted from the
     * disassembly of the reference samples; '??' wildcards mask bytes that
     * vary between builds (the e8/ff15/8b05 patterns are call and memory
     * references whose displacements are wildcarded). The rule uses no
     * printable strings or API names, so it keys on code layout rather than
     * on observable behaviour.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| mnemonic" column beside each byte string is a
     * generator artefact and is frequently out of step with the bytes on the
     * same line (e.g. 0x55 is 'push ebp'; a leading 0x48 in x64 code is the
     * REX.W prefix, which a 32-bit decoder reports as 'dec eax'). Treat the hex
     * on the left as authoritative and the annotations as hints only.
     * The mix of REX-prefixed (x64) and plain 32-bit sequences suggests the
     * reference set spans both 32- and 64-bit builds; 'score' appears to
     * reflect how many reference samples shared a sequence — confirm against
     * the yara-signator documentation before relying on it for triage.
     */
    strings:
        $sequence_0 = { 48895c2410 48897c2418 55 488d6c24b0 }
            // n = 4, score = 300
            //   48895c2410           | sub                 esp, 0x150
            //   48897c2418           | dec                 eax
            //   55                   | xor                 eax, esp
            //   488d6c24b0           | dec                 eax

        $sequence_1 = { 55 488d6c24b0 4881ec50010000 488b05???????? 4833c4 }
            // n = 5, score = 300
            //   55                   | mov                 dword ptr [esi + 0x34], 0x737b04
            //   488d6c24b0           | mov                 dword ptr [esi + 0x38], 6
            //   4881ec50010000       | mov                 byte ptr [esi + 0x3c], 0
            //   488b05????????       |                     
            //   4833c4               | pop                 edi

        $sequence_2 = { 488b4d40 4833cc e8???????? 4c8d9c2450010000 498b5b18 498b7b20 }
            // n = 6, score = 300
            //   488b4d40             | inc                 eax
            //   4833cc               | mov                 dword ptr [ebp - 0x14], 0x729bc8
            //   e8????????           |                     
            //   4c8d9c2450010000     | mov                 dword ptr [ebp - 8], ecx
            //   498b5b18             | mov                 dword ptr [esi + 0x38], eax
            //   498b7b20             | jmp                 0x13

        $sequence_3 = { ff15???????? 85c0 7527 ff15???????? 83f87a }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [esp + 0x10], ebx
            //   7527                 | dec                 eax
            //   ff15????????         |                     
            //   83f87a               | mov                 dword ptr [esp + 0x18], edi

        $sequence_4 = { 488d8de0080000 e8???????? 8bd6 c68435e008000000 488d8de0080000 }
            // n = 5, score = 200
            //   488d8de0080000       | dec                 ecx
            //   e8????????           |                     
            //   8bd6                 | mov                 edi, dword ptr [ebx + 0x20]
            //   c68435e008000000     | dec                 ecx
            //   488d8de0080000       | mov                 esp, ebx

        $sequence_5 = { 4183c9ff 33d2 33c9 c744242806020000 4889442420 ff15???????? }
            // n = 6, score = 200
            //   4183c9ff             | lea                 ecx, [ebp + 0x1b0]
            //   33d2                 | dec                 eax
            //   33c9                 | mov                 edx, ebx
            //   c744242806020000     | dec                 eax
            //   4889442420           | sub                 ecx, ebx
            //   ff15????????         |                     

        $sequence_6 = { b903000000 66f3a7 488b7c2440 74b6 }
            // n = 4, score = 200
            //   b903000000           | mov                 ecx, 3
            //   66f3a7               | repe cmpsd          dword ptr [esi], dword ptr es:[edi]
            //   488b7c2440           | dec                 eax
            //   74b6                 | mov                 edi, dword ptr [esp + 0x40]

        $sequence_7 = { 891d???????? e9???????? 891d???????? e9???????? e8???????? }
            // n = 5, score = 200
            //   891d????????         |                     
            //   e9????????           |                     
            //   891d????????         |                     
            //   e9????????           |                     
            //   e8????????           |                     

        $sequence_8 = { ff15???????? 4c8be8 4885c0 0f84ec080000 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   4c8be8               | dec                 esp
            //   4885c0               | lea                 ebx, [esp + 0x150]
            //   0f84ec080000         | dec                 ecx

        $sequence_9 = { 85c0 74b7 33d2 488d4c2444 41b804040000 e8???????? 6644897c2444 }
            // n = 7, score = 200
            //   85c0                 | dec                 eax
            //   74b7                 | mov                 dword ptr [esp + 0x18], edi
            //   33d2                 | push                ebp
            //   488d4c2444           | dec                 eax
            //   41b804040000         | lea                 ebp, [esp - 0x50]
            //   e8????????           |                     
            //   6644897c2444         | dec                 eax

        $sequence_10 = { ffc0 4898 41ffc0 49ffc2 }
            // n = 4, score = 200
            //   ffc0                 | inc                 ecx
            //   4898                 | mov                 eax, ecx
            //   41ffc0               | and                 eax, 0x8000000f
            //   49ffc2               | jge                 0x20

        $sequence_11 = { 4883c9ff 488dbdc0030000 66f2af 8b05???????? 4883c9ff }
            // n = 5, score = 200
            //   4883c9ff             | dec                 eax
            //   488dbdc0030000       | or                  eax, 0xfffffff0
            //   66f2af               | inc                 eax
            //   8b05????????         |                     
            //   4883c9ff             | dec                 eax

        $sequence_12 = { 33d2 41b806020000 6689bdd0050000 e8???????? 488d8db0010000 488bd3 482bcb }
            // n = 7, score = 200
            //   33d2                 | je                  0xffffffb8
            //   41b806020000         | xor                 edx, edx
            //   6689bdd0050000       | inc                 ecx
            //   e8????????           |                     
            //   488d8db0010000       | mov                 eax, 0x206
            //   488bd3               | mov                 word ptr [ebp + 0x5d0], di
            //   482bcb               | dec                 eax

        $sequence_13 = { 410f104810 4d8d8080000000 0f114080 410f1040a0 0f114890 }
            // n = 5, score = 200
            //   410f104810           | mov                 ebx, dword ptr [ebx + 0x18]
            //   4d8d8080000000       | dec                 ecx
            //   0f114080             | mov                 edi, dword ptr [ebx + 0x20]
            //   410f1040a0           | dec                 ecx
            //   0f114890             | mov                 esp, ebx

        $sequence_14 = { 4c8d4c2448 488d5308 498bce 440f42c7 ff55a0 8b4c2448 33c0 }
            // n = 7, score = 200
            //   4c8d4c2448           | sub                 esp, 0x150
            //   488d5308             | dec                 eax
            //   498bce               | xor                 eax, esp
            //   440f42c7             | dec                 esp
            //   ff55a0               | lea                 ebx, [esp + 0x150]
            //   8b4c2448             | dec                 ecx
            //   33c0                 | mov                 ebx, dword ptr [ebx + 0x18]

        $sequence_15 = { 418bc1 250f000080 7d07 ffc8 83c8f0 ffc0 4898 }
            // n = 7, score = 200
            //   418bc1               | inc                 ecx
            //   250f000080           | or                  ecx, 0xffffffff
            //   7d07                 | xor                 edx, edx
            //   ffc8                 | xor                 ecx, ecx
            //   83c8f0               | mov                 dword ptr [esp + 0x28], 0x206
            //   ffc0                 | dec                 eax
            //   4898                 | mov                 dword ptr [esp + 0x20], eax

        $sequence_16 = { e8???????? e8???????? e8???????? e8???????? c705????????04000000 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   c705????????04000000     |     

        $sequence_17 = { 6bd030 8b45fc 03148d80f16e00 8b00 }
            // n = 4, score = 100
            //   6bd030               | imul                edx, eax, 0x30
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   03148d80f16e00       | add                 edx, dword ptr [ecx*4 + 0x6ef180]
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_18 = { 89542418 50 51 52 }
            // n = 4, score = 100
            //   89542418             | dec                 eax
            //   50                   | sub                 esp, 0x150
            //   51                   | dec                 eax
            //   52                   | xor                 ecx, esp

        $sequence_19 = { 50 8d8574f5ffff 8d8e200c0000 50 51 e8???????? }
            // n = 6, score = 100
            //   50                   | and                 eax, 0x3f
            //   8d8574f5ffff         | sar                 ecx, 6
            //   8d8e200c0000         | imul                edx, eax, 0x30
            //   50                   | mov                 eax, dword ptr [ebp - 4]
            //   51                   | add                 edx, dword ptr [ecx*4 + 0x73f180]
            //   e8????????           |                     

        $sequence_20 = { 6a40 ff15???????? 8bd8 bea8ffffff }
            // n = 4, score = 100
            //   6a40                 | push                ebp
            //   ff15????????         |                     
            //   8bd8                 | dec                 eax
            //   bea8ffffff           | lea                 ebp, [esp - 0x50]

        $sequence_21 = { 89442420 8b442414 c1c01e 89442414 }
            // n = 4, score = 100
            //   89442420             | dec                 esp
            //   8b442414             | lea                 ebx, [esp + 0x150]
            //   c1c01e               | dec                 ecx
            //   89442414             | mov                 ebx, dword ptr [ebx + 0x18]

        $sequence_22 = { 6bd830 8b04bd80f16e00 f644032801 7444 837c0318ff 743d e8???????? }
            // n = 7, score = 100
            //   6bd830               | imul                ebx, eax, 0x30
            //   8b04bd80f16e00       | mov                 eax, dword ptr [edi*4 + 0x6ef180]
            //   f644032801           | test                byte ptr [ebx + eax + 0x28], 1
            //   7444                 | je                  0x46
            //   837c0318ff           | cmp                 dword ptr [ebx + eax + 0x18], -1
            //   743d                 | je                  0x3f
            //   e8????????           |                     

        $sequence_23 = { d1c0 89442448 8bc6 c1c005 89442410 8b442414 }
            // n = 6, score = 100
            //   d1c0                 | push                ebp
            //   89442448             | dec                 eax
            //   8bc6                 | lea                 ebp, [esp - 0x50]
            //   c1c005               | dec                 eax
            //   89442410             | sub                 esp, 0x150
            //   8b442414             | dec                 eax

        $sequence_24 = { ff95ecf3ffff 33c0 50 6689845df8f3ffff 0fb7871c0c0000 50 8d85f8f3ffff }
            // n = 7, score = 100
            //   ff95ecf3ffff         | rol                 eax, 0x1e
            //   33c0                 | inc                 ebp
            //   50                   | lea                 edx, [edx + ecx + 0x5a827999]
            //   6689845df8f3ffff     | inc                 ecx
            //   0fb7871c0c0000       | mov                 ecx, eax
            //   50                   | xor                 ecx, edx
            //   8d85f8f3ffff         | lea                 esi, [edi + 0x118]

        $sequence_25 = { 894638 eb0e c74634047b7300 c7463806000000 c6463c00 5f }
            // n = 6, score = 100
            //   894638               | xor                 eax, eax
            //   eb0e                 | push                eax
            //   c74634047b7300       | mov                 word ptr [ebp + ebx*2 - 0xc08], ax
            //   c7463806000000       | movzx               eax, word ptr [edi + 0xc1c]
            //   c6463c00             | push                eax
            //   5f                   | lea                 eax, [ebp - 0xc08]

        $sequence_26 = { 8db718010000 ff15???????? 68???????? 50 ff15???????? }
            // n = 5, score = 100
            //   8db718010000         | inc                 eax
            //   ff15????????         |                     
            //   68????????           |                     
            //   50                   | dec                 ecx
            //   ff15????????         |                     

        $sequence_27 = { 8945f0 8b450c 8945f4 8b4514 40 c745ecc89b7200 894df8 }
            // n = 7, score = 100
            //   8945f0               | push                eax
            //   8b450c               | mov                 eax, dword ptr [edi*4 + 0x73f180]
            //   8945f4               | push                dword ptr [eax + esi + 0x18]
            //   8b4514               | test                eax, eax
            //   40                   | setne               al
            //   c745ecc89b7200       | pop                 edi
            //   894df8               | call                dword ptr [ebp - 0xc14]

        $sequence_28 = { 83e63f c1f906 6bf630 8b0c8d80f16e00 80643128fd 5f }
            // n = 6, score = 100
            //   83e63f               | and                 esi, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bf630               | imul                esi, esi, 0x30
            //   8b0c8d80f16e00       | mov                 ecx, dword ptr [ecx*4 + 0x6ef180]
            //   80643128fd           | and                 byte ptr [ecx + esi + 0x28], 0xfd
            //   5f                   | pop                 edi

        $sequence_29 = { 59 e9???????? c745dc03000000 eb7c c745e0e0ba6e00 ebbb }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   e9????????           |                     
            //   c745dc03000000       | mov                 dword ptr [ebp - 0x24], 3
            //   eb7c                 | jmp                 0x7e
            //   c745e0e0ba6e00       | mov                 dword ptr [ebp - 0x20], 0x6ebae0
            //   ebbb                 | jmp                 0xffffffbd

        $sequence_30 = { 740e 50 e8???????? 83a680f16e0000 59 83c604 81fe00020000 }
            // n = 7, score = 100
            //   740e                 | je                  0x10
            //   50                   | push                eax
            //   e8????????           |                     
            //   83a680f16e0000       | and                 dword ptr [esi + 0x6ef180], 0
            //   59                   | pop                 ecx
            //   83c604               | add                 esi, 4
            //   81fe00020000         | cmp                 esi, 0x200

        $sequence_31 = { ff2485d1a86d00 8bce e8???????? eb45 834e28ff }
            // n = 5, score = 100
            //   ff2485d1a86d00       | jmp                 dword ptr [eax*4 + 0x6da8d1]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   eb45                 | jmp                 0x47
            //   834e28ff             | or                  dword ptr [esi + 0x28], 0xffffffff

        $sequence_32 = { 50 8b04bd80f17300 ff743018 ff15???????? 85c0 0f95c0 5f }
            // n = 7, score = 100
            //   50                   | lea                 edi, [ebp + 0x3c0]
            //   8b04bd80f17300       | repne scasd         eax, dword ptr es:[edi]
            //   ff743018             | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | or                  ecx, 0xffffffff
            //   0f95c0               | add                 ecx, eax
            //   5f                   | inc                 ecx

        $sequence_33 = { 8b34cd40a96e00 8b4d08 6a5a 2bce 5b 0fb70431 663bc7 }
            // n = 7, score = 100
            //   8b34cd40a96e00       | mov                 esi, dword ptr [ecx*8 + 0x6ea940]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   6a5a                 | push                0x5a
            //   2bce                 | sub                 ecx, esi
            //   5b                   | pop                 ebx
            //   0fb70431             | movzx               eax, word ptr [ecx + esi]
            //   663bc7               | cmp                 ax, di

        $sequence_34 = { 83e03f c1f906 6bd030 8b45fc 03148d80f17300 }
            // n = 5, score = 100
            //   83e03f               | push                eax
            //   c1f906               | push                ecx
            //   6bd030               | push                edi
            //   8b45fc               | lea                 ecx, [ebp - 0x230]
            //   03148d80f17300       | push                ecx

        $sequence_35 = { 8b7c2410 03df 8bbc2494000000 03df 8b7c2418 c1c21e 8dbc1f9979825a }
            // n = 7, score = 100
            //   8b7c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   03df                 | dec                 eax
            //   8bbc2494000000       | mov                 dword ptr [esp + 0x18], edi
            //   03df                 | push                ebp
            //   8b7c2418             | dec                 eax
            //   c1c21e               | lea                 ebp, [esp - 0x50]
            //   8dbc1f9979825a       | dec                 eax

        $sequence_36 = { 8b048dd4926d00 ffe0 f7c703000000 7413 8a06 8807 }
            // n = 6, score = 100
            //   8b048dd4926d00       | mov                 eax, dword ptr [ecx*4 + 0x6d92d4]
            //   ffe0                 | jmp                 eax
            //   f7c703000000         | test                edi, 3
            //   7413                 | je                  0x15
            //   8a06                 | mov                 al, byte ptr [esi]
            //   8807                 | mov                 byte ptr [edi], al

        $sequence_37 = { 51 57 8d8dd0fdffff 51 }
            // n = 4, score = 100
            //   51                   | inc                 edx
            //   57                   | dec                 eax
            //   8d8dd0fdffff         | or                  ecx, 0xffffffff
            //   51                   | dec                 eax

    /* Match policy: any 7 of the 38 sequences above, on files smaller than
     * 393216 bytes (384 KiB). The size cap bounds scan cost and false positives
     * on large binaries, but it also means a Volgmer module embedded in, or
     * padded out to, a larger file will not trigger this rule. Because the
     * sequences were selected from memory dumps and unpacked files (see the
     * DISCLAIMER above), apply the rule to unpacked or dumped modules rather
     * than to packed on-disk samples for best coverage.
     */
    condition:
        7 of them and filesize < 393216
}