win.volgmer

Volgmer

aka: FALLCHILL, Manuscrypt

Actor(s): Lazarus Group


There is no description at this point.

References

2021-09-07 | LIFARS | Vlad Pasca
@techreport{pasca:20210907:detailed:2e29866, author = {Vlad Pasca}, title = {{A Detailed Analysis of Lazarus’ RAT Called FALLCHILL}}, date = {2021-09-07}, institution = {LIFARS}, url = {https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf}, language = {English}, urldate = {2022-01-20} }
Covers: Volgmer

2021-02-25 | Kaspersky Labs | Vyacheslav Kopeytsev, Seongsu Park
@online{kopeytsev:20210225:lazarus:c887c21, author = {Vyacheslav Kopeytsev and Seongsu Park}, title = {{Lazarus targets defense industry with ThreatNeedle}}, date = {2021-02-25}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-threatneedle/100803/}, language = {English}, urldate = {2021-02-25} }
Covers: Volgmer

2021-01-27 | S2W LAB Inc. | Sojun Ryu
@online{ryu:20210127:analysis:d2bb250, author = {Sojun Ryu}, title = {{Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74}, language = {English}, urldate = {2021-01-27} }
Covers: Volgmer

2021-01-27 | S2W LAB Inc. | Sojun Ryu
@online{ryu:20210127:how:7dcce24, author = {Sojun Ryu}, title = {{How to communicate between RAT infected devices (White paper)}}, date = {2021-01-27}, organization = {S2W LAB Inc.}, url = {https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view}, language = {English}, urldate = {2021-01-27} }
Covers: Volgmer

2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} }
Covers: PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-05-07 | AVAR | Mark Lechtik, Ariel Jugnheit
@online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jugnheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} }
Covers: Volgmer

2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} }
Covers: FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Covers: Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} }
Covers: Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer

2018-08-23 | Kaspersky Labs | GReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} }
Covers: AppleJeus Volgmer Lazarus Group

2017-11-14 | US-CERT | US-CERT
@online{uscert:20171114:alert:4bf4ff5, author = {US-CERT}, title = {{Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer}}, date = {2017-11-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-318B}, language = {English}, urldate = {2020-01-08} }
Covers: Volgmer Lazarus Group
Yara Rules
[TLP:WHITE] win_volgmer_auto (20220516 | Detects win.volgmer.)
rule win_volgmer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.volgmer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 48897c2418 55 488d6c24b0 4881ec50010000 488b05???????? }
            // n = 5, score = 300
            //   48897c2418           | mov                 qword ptr [rsp + 0x18], rdi
            //   55                   | push                rbp
            //   488d6c24b0           | lea                 rbp, [rsp - 0x50]
            //   4881ec50010000       | sub                 rsp, 0x150
            //   488b05????????       |                     

        $sequence_1 = { 4833cc e8???????? 4c8d9c2450010000 498b5b18 498b7b20 498be3 }
            // n = 6, score = 300
            //   4833cc               | xor                 rcx, rsp
            //   e8????????           |                     
            //   4c8d9c2450010000     | lea                 r11, [rsp + 0x150]
            //   498b5b18             | mov                 rbx, qword ptr [r11 + 0x18]
            //   498b7b20             | mov                 rdi, qword ptr [r11 + 0x20]
            //   498be3               | mov                 rsp, r11

        $sequence_2 = { e8???????? e8???????? e8???????? e8???????? c705????????04000000 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   e8????????           |                     
            //   c705????????04000000     |     

        $sequence_3 = { e8???????? 488bd8 eb03 488bdf 488d056efeffff }
            // n = 5, score = 200
            //   e8????????           |                     
            //   488bd8               | mov                 rbx, rax
            //   eb03                 | jmp                 5
            //   488bdf               | mov                 rbx, rdi
            //   488d056efeffff       | lea                 rax, [rip - 0x192]

        $sequence_4 = { 8885c9020000 8bc1 c1f808 8885ca020000 }
            // n = 4, score = 200
            //   8885c9020000         | mov                 byte ptr [rbp + 0x2c9], al
            //   8bc1                 | mov                 eax, ecx
            //   c1f808               | sar                 eax, 8
            //   8885ca020000         | mov                 byte ptr [rbp + 0x2ca], al

        $sequence_5 = { 8885ca020000 8bc1 c1f918 c1f810 }
            // n = 4, score = 200
            //   8885ca020000         | mov                 byte ptr [rbp + 0x2ca], al
            //   8bc1                 | mov                 eax, ecx
            //   c1f918               | sar                 ecx, 0x18
            //   c1f810               | sar                 eax, 0x10

        $sequence_6 = { 498bcd ff15???????? 33d2 488d8dd0060000 41b804010000 488bf8 e8???????? }
            // n = 7, score = 200
            //   498bcd               | mov                 rcx, r13
            //   ff15????????         |                     
            //   33d2                 | xor                 edx, edx
            //   488d8dd0060000       | lea                 rcx, [rbp + 0x6d0]
            //   41b804010000         | mov                 r8d, 0x104
            //   488bf8               | mov                 rdi, rax
            //   e8????????           |                     

        $sequence_7 = { 6685c0 75ef 33c0 4883c9ff 488dbdc0030000 }
            // n = 5, score = 200
            //   6685c0               | test                ax, ax
            //   75ef                 | jne                 0xfffffff1
            //   33c0                 | xor                 eax, eax
            //   4883c9ff             | or                  rcx, 0xffffffffffffffff
            //   488dbdc0030000       | lea                 rdi, [rbp + 0x3c0]

        $sequence_8 = { 4533c9 44897c2420 458bc4 488bcb 418d5106 85c0 0f84a0000000 }
            // n = 7, score = 200
            //   4533c9               | xor                 r9d, r9d
            //   44897c2420           | mov                 dword ptr [rsp + 0x20], r15d
            //   458bc4               | mov                 r8d, r12d
            //   488bcb               | mov                 rcx, rbx
            //   418d5106             | lea                 edx, [r9 + 6]
            //   85c0                 | test                eax, eax
            //   0f84a0000000         | je                  0xa6

        $sequence_9 = { 6685c0 75ee 488b742450 4885f6 }
            // n = 4, score = 200
            //   6685c0               | test                ax, ax
            //   75ee                 | jne                 0xfffffff0
            //   488b742450           | mov                 rsi, qword ptr [rsp + 0x50]
            //   4885f6               | test                rsi, rsi

        $sequence_10 = { 4532d2 0f1f4000 450fb608 8bc2 250f000080 7d07 ffc8 }
            // n = 7, score = 200
            //   4532d2               | xor                 r10b, r10b
            //   0f1f4000             | nop                 dword ptr [rax]
            //   450fb608             | movzx               r9d, byte ptr [r8]
            //   8bc2                 | mov                 eax, edx
            //   250f000080           | and                 eax, 0x8000000f
            //   7d07                 | jge                 9
            //   ffc8                 | dec                 eax

        $sequence_11 = { c6843dc00f000000 488d8dc00f0000 e8???????? 488b4c2440 488d95c00f0000 ff15???????? 0fb63d???????? }
            // n = 7, score = 200
            //   c6843dc00f000000     | mov                 byte ptr [rbp + rdi + 0xfc0], 0
            //   488d8dc00f0000       | lea                 rcx, [rbp + 0xfc0]
            //   e8????????           |                     
            //   488b4c2440           | mov                 rcx, qword ptr [rsp + 0x40]
            //   488d95c00f0000       | lea                 rdx, [rbp + 0xfc0]
            //   ff15????????         |                     
            //   0fb63d????????       |                     

        $sequence_12 = { 418bc0 4883c438 c3 e8???????? 448bc0 4883c438 c3 }
            // n = 7, score = 200
            //   418bc0               | mov                 eax, r8d
            //   4883c438             | add                 rsp, 0x38
            //   c3                   | ret                 
            //   e8????????           |                     
            //   448bc0               | mov                 r8d, eax
            //   4883c438             | add                 rsp, 0x38
            //   c3                   | ret                 

        $sequence_13 = { c1c105 03c5 4103c0 41c1c21e }
            // n = 4, score = 200
            //   c1c105               | rol                 ecx, 5
            //   03c5                 | add                 eax, ebp
            //   4103c0               | add                 eax, r8d
            //   41c1c21e             | rol                 r10d, 0x1e

        $sequence_14 = { 75f7 488d442430 89742428 4c8bcb 4889442420 4c8bc7 33d2 }
            // n = 7, score = 200
            //   75f7                 | jne                 0xfffffff9
            //   488d442430           | lea                 rax, [rsp + 0x30]
            //   89742428             | mov                 dword ptr [rsp + 0x28], esi
            //   4c8bcb               | mov                 r9, rbx
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   4c8bc7               | mov                 r8, rdi
            //   33d2                 | xor                 edx, edx

        $sequence_15 = { 03de 8b700c 03de 89b42480000000 8b7010 8d941a9979825a 89b42484000000 }
            // n = 7, score = 100
            //   03de                 | add                 ebx, esi
            //   8b700c               | mov                 esi, dword ptr [eax + 0xc]
            //   03de                 | add                 ebx, esi
            //   89b42480000000       | mov                 dword ptr [esp + 0x80], esi
            //   8b7010               | mov                 esi, dword ptr [eax + 0x10]
            //   8d941a9979825a       | lea                 edx, [edx + ebx + 0x5a827999]
            //   89b42484000000       | mov                 dword ptr [esp + 0x84], esi

        $sequence_16 = { c3 e8???????? 85c0 0f8466370000 }
            // n = 4, score = 100
            //   c3                   | ret                 
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8466370000         | je                  0x376c

        $sequence_17 = { 8985acf8ffff 0f85bafcffff 8b8da8f8ffff 85c9 0f84d3000000 8b048dcc976e00 89859cf8ffff }
            // n = 7, score = 100
            //   8985acf8ffff         | mov                 dword ptr [ebp - 0x754], eax
            //   0f85bafcffff         | jne                 0xfffffcc0
            //   8b8da8f8ffff         | mov                 ecx, dword ptr [ebp - 0x758]
            //   85c9                 | test                ecx, ecx
            //   0f84d3000000         | je                  0xd9
            //   8b048dcc976e00       | mov                 eax, dword ptr [ecx*4 + 0x6e97cc]
            //   89859cf8ffff         | mov                 dword ptr [ebp - 0x764], eax

        $sequence_18 = { 8b742414 0bd8 23de 8b74241c }
            // n = 4, score = 100
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   0bd8                 | or                  ebx, eax
            //   23de                 | and                 ebx, esi
            //   8b74241c             | mov                 esi, dword ptr [esp + 0x1c]

        $sequence_19 = { 89880cec6e00 68???????? e8???????? 8be5 }
            // n = 4, score = 100
            //   89880cec6e00         | mov                 dword ptr [eax + 0x6eec0c], ecx
            //   68????????           |                     
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp

        $sequence_20 = { 33c0 66f3a7 74e4 8d8b94010000 8b9394010000 }
            // n = 5, score = 100
            //   33c0                 | xor                 eax, eax
            //   66f3a7               | repe cmpsd          dword ptr [esi], dword ptr es:[edi]
            //   74e4                 | je                  0xffffffe6
            //   8d8b94010000         | lea                 ecx, [ebx + 0x194]
            //   8b9394010000         | mov                 edx, dword ptr [ebx + 0x194]

        $sequence_21 = { 33c9 8bc1 3914c5d8c36e00 7408 }
            // n = 4, score = 100
            //   33c9                 | xor                 ecx, ecx
            //   8bc1                 | mov                 eax, ecx
            //   3914c5d8c36e00       | cmp                 dword ptr [eax*8 + 0x6ec3d8], edx
            //   7408                 | je                  0xa

        $sequence_22 = { 83e03f c1f906 53 6bd830 56 8b048d80f16e00 }
            // n = 6, score = 100
            //   83e03f               | and                 eax, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   53                   | push                ebx
            //   6bd830               | imul                ebx, eax, 0x30
            //   56                   | push                esi
            //   8b048d80f16e00       | mov                 eax, dword ptr [ecx*4 + 0x6ef180]

        $sequence_23 = { 6bf030 03348d80f16e00 837e18ff 740c 837e18fe 7406 }
            // n = 6, score = 100
            //   6bf030               | imul                esi, eax, 0x30
            //   03348d80f16e00       | add                 esi, dword ptr [ecx*4 + 0x6ef180]
            //   837e18ff             | cmp                 dword ptr [esi + 0x18], -1
            //   740c                 | je                  0xe
            //   837e18fe             | cmp                 dword ptr [esi + 0x18], -2
            //   7406                 | je                  8

        $sequence_24 = { 660f2815???????? f20f59db 660f282d???????? 660f59f5 660f28aa40b96e00 660f54e5 660f58fe }
            // n = 7, score = 100
            //   660f2815????????     |                     
            //   f20f59db             | mulsd               xmm3, xmm3
            //   660f282d????????     |                     
            //   660f59f5             | mulpd               xmm6, xmm5
            //   660f28aa40b96e00     | movapd              xmm5, xmmword ptr [edx + 0x6eb940]
            //   660f54e5             | andpd               xmm4, xmm5
            //   660f58fe             | addpd               xmm7, xmm6

        $sequence_25 = { 8b04bd80f16e00 807c302900 7504 32c0 eb1a 8d45fc 50 }
            // n = 7, score = 100
            //   8b04bd80f16e00       | mov                 eax, dword ptr [edi*4 + 0x6ef180]
            //   807c302900           | cmp                 byte ptr [eax + esi + 0x29], 0
            //   7504                 | jne                 6
            //   32c0                 | xor                 al, al
            //   eb1a                 | jmp                 0x1c
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax

        $sequence_26 = { 8bc2 99 f7f9 0fb6843a240e0000 8b55fc 02c3 }
            // n = 6, score = 100
            //   8bc2                 | mov                 eax, edx
            //   99                   | cdq                 
            //   f7f9                 | idiv                ecx
            //   0fb6843a240e0000     | movzx               eax, byte ptr [edx + edi + 0xe24]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   02c3                 | add                 al, bl

        $sequence_27 = { 68???????? 50 ff15???????? 837e0c00 8bf8 0f840a010000 8d8e18030000 }
            // n = 7, score = 100
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   837e0c00             | cmp                 dword ptr [esi + 0xc], 0
            //   8bf8                 | mov                 edi, eax
            //   0f840a010000         | je                  0x110
            //   8d8e18030000         | lea                 ecx, [esi + 0x318]

        $sequence_28 = { 8b85c4f5ffff 68d0070000 ff048530f67300 ff95ccf5ffff }
            // n = 4, score = 100
            //   8b85c4f5ffff         | mov                 eax, dword ptr [ebp - 0xa3c]
            //   68d0070000           | push                0x7d0
            //   ff048530f67300       | inc                 dword ptr [eax*4 + 0x73f630]
            //   ff95ccf5ffff         | call                dword ptr [ebp - 0xa34]

        $sequence_29 = { ff15???????? 68???????? 50 ff15???????? 8bd6 8985ecf3ffff 8d5a01 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bd6                 | mov                 edx, esi
            //   8985ecf3ffff         | mov                 dword ptr [ebp - 0xc14], eax
            //   8d5a01               | lea                 ebx, [edx + 1]

        $sequence_30 = { 68???????? 50 e8???????? 8d8dd0f5ffff 83c40c }
            // n = 5, score = 100
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8dd0f5ffff         | lea                 ecx, [ebp - 0xa30]
            //   83c40c               | add                 esp, 0xc

        $sequence_31 = { 75f3 8d85d0f9ffff 68???????? 50 }
            // n = 4, score = 100
            //   75f3                 | jne                 0xfffffff5
            //   8d85d0f9ffff         | lea                 eax, [ebp - 0x630]
            //   68????????           |                     
            //   50                   | push                eax

        $sequence_32 = { 59 85c0 7810 3de4000000 7309 8b04c520986e00 5d }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7810                 | js                  0x12
            //   3de4000000           | cmp                 eax, 0xe4
            //   7309                 | jae                 0xb
            //   8b04c520986e00       | mov                 eax, dword ptr [eax*8 + 0x6e9820]
            //   5d                   | pop                 ebp

        $sequence_33 = { 3bca 7d15 8d3449 2bd1 8d34b590294100 832600 83c60c }
            // n = 7, score = 100
            //   3bca                 | cmp                 ecx, edx
            //   7d15                 | jge                 0x17
            //   8d3449               | lea                 esi, [ecx + ecx*2]
            //   2bd1                 | sub                 edx, ecx
            //   8d34b590294100       | lea                 esi, [esi*4 + 0x412990]
            //   832600               | and                 dword ptr [esi], 0
            //   83c60c               | add                 esi, 0xc

        $sequence_34 = { 50 ff7508 8d83200c0000 50 e8???????? }
            // n = 5, score = 100
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d83200c0000         | lea                 eax, [ebx + 0xc20]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_35 = { c6442441c4 c6442443dc c6442444aa c644244567 }
            // n = 4, score = 100
            //   c6442441c4           | mov                 byte ptr [esp + 0x41], 0xc4
            //   c6442443dc           | mov                 byte ptr [esp + 0x43], 0xdc
            //   c6442444aa           | mov                 byte ptr [esp + 0x44], 0xaa
            //   c644244567           | mov                 byte ptr [esp + 0x45], 0x67

        $sequence_36 = { 6aff 8d442424 684bff0000 50 e8???????? 8bf0 }
            // n = 6, score = 100
            //   6aff                 | push                -1
            //   8d442424             | lea                 eax, [esp + 0x24]
            //   684bff0000           | push                0xff4b
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

    condition:
        7 of them and filesize < 393216
}
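Added example, not part of Malpedia or yara-signator: a small Python matcher that re-implements the two YARA features the rule above depends on, hex strings in which each `??` stands for exactly one arbitrary byte, and the condition `7 of them and filesize < 393216`, so the rule's logic can be exercised offline without the yara binary. Only a subset of the rule's sequences is copied in (enough to satisfy "7 of them"), and the buffers it runs against are constructed here from those sequences with 0xAA in the wildcard positions; they are not Volgmer samples. Names such as `build_sample` and `rule_matches` are this example's own.

```python
"""Offline re-implementation of the win_volgmer_auto matching logic.

Added example (not Malpedia's or yara-signator's code). It models YARA hex
strings with '??' single-byte wildcards and the rule condition
'7 of them and filesize < 393216'. Sample buffers are constructed, not real.
"""
import re

# Hex strings copied verbatim from the rule above ('??' = one wildcard byte).
# A subset is enough to exercise the "7 of them" threshold.
SEQUENCES = {
    "sequence_0": "48897c2418 55 488d6c24b0 4881ec50010000 488b05????????",
    "sequence_1": "4833cc e8???????? 4c8d9c2450010000 498b5b18 498b7b20 498be3",
    "sequence_4": "8885c9020000 8bc1 c1f808 8885ca020000",
    "sequence_5": "8885ca020000 8bc1 c1f918 c1f810",
    "sequence_7": "6685c0 75ef 33c0 4883c9ff 488dbdc0030000",
    "sequence_9": "6685c0 75ee 488b742450 4885f6",
    "sequence_13": "c1c105 03c5 4103c0 41c1c21e",
    "sequence_18": "8b742414 0bd8 23de 8b74241c",
    "sequence_35": "c6442441c4 c6442443dc c6442444aa c644244567",
}
MIN_MATCHES = 7          # "7 of them"
MAX_FILESIZE = 393216    # "filesize < 393216"


def hex_to_regex(hexstr):
    """Translate a YARA hex string (two hex digits or '??' per byte) into a
    compiled bytes regex. Nibble wildcards such as '4?' are not used by this
    rule and are deliberately not handled."""
    tokens = hexstr.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("odd-length hex string: %r" % hexstr)
    parts = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        if pair == "??":
            parts.append(b".")                      # any single byte
        else:
            parts.append(b"\\x%02x" % int(pair, 16))  # literal byte
    # DOTALL so the wildcard also matches 0x0a, which '.' would skip otherwise.
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = {name: hex_to_regex(h) for name, h in SEQUENCES.items()}


def matching_sequences(data):
    """Names of the sequences found anywhere in the buffer (YARA semantics:
    a string matches if it occurs at least once, at any offset)."""
    return sorted(name for name, pat in PATTERNS.items() if pat.search(data))


def rule_matches(data):
    """Evaluate the rule condition '7 of them and filesize < 393216'."""
    return len(matching_sequences(data)) >= MIN_MATCHES and len(data) < MAX_FILESIZE


def build_sample(names, filler=b"\x90"):
    """Constructed test buffer (not a real sample): the chosen sequences back
    to back, wildcard bytes filled with 0xAA, separated by NOP padding."""
    out = bytearray()
    for name in names:
        h = SEQUENCES[name].replace(" ", "").replace("??", "aa")
        out += bytes.fromhex(h) + filler * 16
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample(list(SEQUENCES))
    print("matched:", matching_sequences(sample))
    print("rule fires:", rule_matches(sample))
```

Two behaviours worth noticing: a buffer carrying only six of the sequences does not fire even though every one of them is present, and a buffer that does carry seven stops firing once it reaches 393216 bytes, so an in-memory dump padded out or a large packed file can silently fall outside the rule. As the rule's own disclaimer says, the sequences were selected from memory dumps and unpacked files, so run it against dumps or unpacked samples rather than packed binaries on disk; for real triage compile the rule with yara itself rather than this matcher.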