win.cobra

Cobra Carbon System

aka: Carbon

Actor(s): Turla Group


There is no description at this point.

References
2020-09-25 · Github (sisoma2) · Marc
@online{marc:20200925:turla:06db824, author = {Marc}, title = {{Turla Carbon System}}, date = {2020-09-25}, organization = {Github (sisoma2)}, url = {https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon}, language = {English}, urldate = {2020-10-02} } Turla Carbon System
Cobra Carbon System
2020-03-04 · CrowdStrike · CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020 · Secureworks · SecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2019-04-19 · Github (hfiref0x) · hfiref0x
@online{hfiref0x:20190419:tdl:31ca191, author = {hfiref0x}, title = {{TDL (Turla Driver Loader) Repository}}, date = {2019-04-19}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/TDL}, language = {English}, urldate = {2020-01-08} } TDL (Turla Driver Loader) Repository
Cobra Carbon System
2018-10-04 · Kaspersky Labs · GReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2017-03-30 · ESET Research · ESET Research
@online{research:20170330:carbon:928505a, author = {ESET Research}, title = {{Carbon Paper: Peering into Turla’s second stage backdoor}}, date = {2017-03-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/}, language = {English}, urldate = {2019-11-14} } Carbon Paper: Peering into Turla’s second stage backdoor
Cobra Carbon System Turla Group
2016-05-23 · MELANI GovCERT · GovCERT.ch
@techreport{govcertch:20160523:case:b6612e9, author = {GovCERT.ch}, title = {{APT Case RUAG - Technical Report}}, date = {2016-05-23}, institution = {MELANI GovCERT}, url = {https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf}, language = {English}, urldate = {2019-12-17} } APT Case RUAG - Technical Report
Cobra Carbon System
2016-01-14 · Symantec · Security Response
@techreport{response:20160114:waterbug:9dbc59e, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, institution = {Symantec}, url = {https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf}, language = {English}, urldate = {2020-04-21} } The Waterbug attack group
Agent.BTZ Cobra Carbon System Wipbot Turla Group
2015-01-20 · G Data · G Data
@online{data:20150120:analysis:2fe6cf2, author = {G Data}, title = {{Analysis of Project Cobra}}, date = {2015-01-20}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra}, language = {English}, urldate = {2020-01-05} } Analysis of Project Cobra
Cobra Carbon System
2014-08-07 · Kaspersky Labs · GReAT
@online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2019-12-20} } The Epic Turla Operation
Cobra Carbon System Turla Group
2014 · circl.lu · CIRCL
@online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos
Cobra Carbon System Uroburos Turla Group
Yara Rules
[TLP:WHITE] win_cobra_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_cobra_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* Autogenerated code-sequence signature for win.cobra (Cobra Carbon System).
     * Each $sequence_N below is a short run of x86 opcode bytes lifted from the
     * disassembly of samples. "????????" wildcards mask operands that vary between
     * builds and load addresses (absolute data references, call/jmp displacements),
     * which is why those lines carry no decoded mnemonic. "n" is the number of
     * instructions in the sequence; "score" is the selection score reported by
     * yara-signator (its scale is not documented on this page).
     *
     * NOTE(review): the generator's disassembly comments for $sequence_28,
     * $sequence_31 through $sequence_37, $sequence_39 and $sequence_43 through
     * $sequence_47 did not decode the bytes printed next to them (the REX-prefixed
     * x86-64 sequences $sequence_31-36 had been decoded as 32-bit code, and the
     * comment columns of the others were shifted). They have been re-decoded from
     * the hex. Only the hex bytes affect matching; the mnemonics are documentation.
     */

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 5e 5b c3 85db 7405 83fb03 }
            // n = 6, score = 2500
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   85db                 | test                ebx, ebx
            //   7405                 | je                  7
            //   83fb03               | cmp                 ebx, 3

        $sequence_1 = { 5b c3 85ff 7418 }
            // n = 4, score = 2500
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   85ff                 | test                edi, edi
            //   7418                 | je                  0x1a

        $sequence_2 = { 8b05???????? 85c0 0f8e8c000000 83e801 8905???????? }
            // n = 5, score = 2500
            //   8b05????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8e8c000000         | jle                 0x92
            //   83e801               | sub                 eax, 1
            //   8905????????         |                     

        $sequence_3 = { 85c0 750e 33ff 8bc7 }
            // n = 4, score = 2500
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   33ff                 | xor                 edi, edi
            //   8bc7                 | mov                 eax, edi

        $sequence_4 = { e8???????? 8bf8 83fb01 751d 85ff }
            // n = 5, score = 2500
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83fb01               | cmp                 ebx, 1
            //   751d                 | jne                 0x1f
            //   85ff                 | test                edi, edi

        $sequence_5 = { 751c 8bcf ff15???????? 8d8fe8030000 8bf9 }
            // n = 5, score = 2500
            //   751c                 | jne                 0x1e
            //   8bcf                 | mov                 ecx, edi
            //   ff15????????         |                     
            //   8d8fe8030000         | lea                 ecx, [edi + 0x3e8]
            //   8bf9                 | mov                 edi, ecx

        $sequence_6 = { 8b442438 85c0 757f 8b05???????? }
            // n = 4, score = 2500
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   85c0                 | test                eax, eax
            //   757f                 | jne                 0x81
            //   8b05????????         |                     

        $sequence_7 = { 5e 5b c3 83fb01 7405 83fb02 7537 }
            // n = 7, score = 2500
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   83fb01               | cmp                 ebx, 1
            //   7405                 | je                  7
            //   83fb02               | cmp                 ebx, 2
            //   7537                 | jne                 0x39

        $sequence_8 = { 7511 e8???????? 85c0 7508 ff15???????? }
            // n = 5, score = 2200
            //   7511                 | jne                 0x13
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   ff15????????         |                     

        $sequence_9 = { 33d2 b9e8030000 f7f1 83f805 }
            // n = 4, score = 1600
            //   33d2                 | xor                 edx, edx
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   f7f1                 | div                 ecx
            //   83f805               | cmp                 eax, 5

        $sequence_10 = { 7407 33c0 e9???????? ff15???????? e9???????? }
            // n = 5, score = 1500
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   ff15????????         |                     
            //   e9????????           |                     

        $sequence_11 = { 85c0 a3???????? 7504 33c0 eb68 832000 a1???????? }
            // n = 7, score = 1300
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb68                 | jmp                 0x6a
            //   832000               | and                 dword ptr [eax], 0
            //   a1????????           |                     

        $sequence_12 = { 85c0 750e 3905???????? 7e2c }
            // n = 4, score = 1300
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   3905????????         |                     
            //   7e2c                 | jle                 0x2e

        $sequence_13 = { ff25???????? 53 56 57 8bd9 33f6 }
            // n = 6, score = 1300
            //   ff25????????         |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bd9                 | mov                 ebx, ecx
            //   33f6                 | xor                 esi, esi

        $sequence_14 = { 890d???????? 753c b980000000 e8???????? 85c0 a3???????? 7504 }
            // n = 7, score = 1300
            //   890d????????         |                     
            //   753c                 | jne                 0x3e
            //   b980000000           | mov                 ecx, 0x80
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   7504                 | jne                 6

        $sequence_15 = { eb6d e8???????? 85c0 7564 }
            // n = 4, score = 1200
            //   eb6d                 | jmp                 0x6f
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7564                 | jne                 0x66

        $sequence_16 = { b801000000 f00fc105???????? 83c001 83f801 }
            // n = 4, score = 1200
            //   b801000000           | mov                 eax, 1
            //   f00fc105????????     |                     
            //   83c001               | add                 eax, 1
            //   83f801               | cmp                 eax, 1

        $sequence_17 = { 85c0 7f07 e8???????? eb26 }
            // n = 4, score = 1200
            //   85c0                 | test                eax, eax
            //   7f07                 | jg                  9
            //   e8????????           |                     
            //   eb26                 | jmp                 0x28

        $sequence_18 = { 7406 83430401 eb04 834b08ff }
            // n = 4, score = 1200
            //   7406                 | je                  8
            //   83430401             | add                 dword ptr [ebx + 4], 1
            //   eb04                 | jmp                 6
            //   834b08ff             | or                  dword ptr [ebx + 8], 0xffffffff

        $sequence_19 = { e8???????? 33db 3bc3 741a }
            // n = 4, score = 1200
            //   e8????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   3bc3                 | cmp                 eax, ebx
            //   741a                 | je                  0x1c

        $sequence_20 = { ff15???????? 8b4304 217b08 85c0 }
            // n = 4, score = 1200
            //   ff15????????         |                     
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   217b08               | and                 dword ptr [ebx + 8], edi
            //   85c0                 | test                eax, eax

        $sequence_21 = { 5d c3 8bc5 ebe4 }
            // n = 4, score = 1200
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bc5                 | mov                 eax, ebp
            //   ebe4                 | jmp                 0xffffffe6

        $sequence_22 = { 8b03 85c0 7e0b 213b }
            // n = 4, score = 1200
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   85c0                 | test                eax, eax
            //   7e0b                 | jle                 0xd
            //   213b                 | and                 dword ptr [ebx], edi

        $sequence_23 = { 80fb64 7507 33c0 e9???????? }
            // n = 4, score = 1200
            //   80fb64               | cmp                 bl, 0x64
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_24 = { 3c22 7404 3c27 7505 }
            // n = 4, score = 1200
            //   3c22                 | cmp                 al, 0x22
            //   7404                 | je                  6
            //   3c27                 | cmp                 al, 0x27
            //   7505                 | jne                 7

        $sequence_25 = { 45 ff15???????? 8b4604 217e08 }
            // n = 4, score = 1000
            //   45                   | inc                 ebp
            //   ff15????????         |                     
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   217e08               | and                 dword ptr [esi + 8], edi

        $sequence_26 = { ff7518 ff7514 ff7510 ff7508 e8???????? 83c414 5d }
            // n = 7, score = 1000
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   5d                   | pop                 ebp

        $sequence_27 = { 03c7 50 ff760c ff15???????? }
            // n = 4, score = 1000
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   ff760c               | push                dword ptr [esi + 0xc]
            //   ff15????????         |                     

        $sequence_28 = { 83781400 750a b865005921 e9???????? }
            // n = 4, score = 900
            //   83781400             | cmp                 dword ptr [eax + 0x14], 0
            //   750a                 | jne                 0xc
            //   b865005921           | mov                 eax, 0x21590065
            //   e9????????           |                     

        $sequence_29 = { ff15???????? 83f87a 740b 3d230000c0 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   83f87a               | cmp                 eax, 0x7a
            //   740b                 | je                  0xd
            //   3d230000c0           | cmp                 eax, 0xc0000023

        $sequence_30 = { 6689440ffc 6685c0 75ee f685c003000010 }
            // n = 4, score = 800
            //   6689440ffc           | mov                 word ptr [edi + ecx - 4], ax
            //   6685c0               | test                ax, ax
            //   75ee                 | jne                 0xfffffff0
            //   f685c003000010       | test                byte ptr [ebp + 0x3c0], 0x10

        $sequence_31 = { 4c8bf1 488bda 488d8d10060000 33d2 }
            // n = 4, score = 700 (x86-64)
            //   4c8bf1               | mov                 r14, rcx
            //   488bda               | mov                 rbx, rdx
            //   488d8d10060000       | lea                 rcx, [rbp + 0x610]
            //   33d2                 | xor                 edx, edx

        $sequence_32 = { 4154 4156 4157 488dac24b8f3ffff }
            // n = 4, score = 700 (x86-64)
            //   4154                 | push                r12
            //   4156                 | push                r14
            //   4157                 | push                r15
            //   488dac24b8f3ffff     | lea                 rbp, [rsp - 0xc48]

        $sequence_33 = { 4883f8ff 741e 4c8d8dd4030000 4533c0 33d2 488bc8 }
            // n = 6, score = 700 (x86-64)
            //   4883f8ff             | cmp                 rax, -1
            //   741e                 | je                  0x20
            //   4c8d8dd4030000       | lea                 r9, [rbp + 0x3d4]
            //   4533c0               | xor                 r8d, r8d
            //   33d2                 | xor                 edx, edx
            //   488bc8               | mov                 rcx, rax

        $sequence_34 = { 4889bc24880d0000 4c89ac24400d0000 ff15???????? 418bd4 0fb7841510060000 4883c202 }
            // n = 6, score = 700 (x86-64)
            //   4889bc24880d0000     | mov                 qword ptr [rsp + 0xd88], rdi
            //   4c89ac24400d0000     | mov                 qword ptr [rsp + 0xd40], r13
            //   ff15????????         |                     
            //   418bd4               | mov                 edx, r12d
            //   0fb7841510060000     | movzx               eax, word ptr [rbp + rdx + 0x610]
            //   4883c202             | add                 rdx, 2

        $sequence_35 = { 75e7 33c0 4883c9ff 488dbdb0010000 66f2af }
            // n = 5, score = 700 (x86-64)
            //   75e7                 | jne                 0xffffffe9
            //   33c0                 | xor                 eax, eax
            //   4883c9ff             | or                  rcx, -1
            //   488dbdb0010000       | lea                 rdi, [rbp + 0x1b0]
            //   66f2af               | repne scasw         ax, word ptr es:[rdi]

        $sequence_36 = { 4533c9 ba000000c0 c744242880000000 c744242003000000 ff15???????? 488bf8 4883f8ff }
            // n = 7, score = 700 (x86-64)
            //   4533c9               | xor                 r9d, r9d
            //   ba000000c0           | mov                 edx, 0xc0000000
            //   c744242880000000     | mov                 dword ptr [rsp + 0x28], 0x80
            //   c744242003000000     | mov                 dword ptr [rsp + 0x20], 3
            //   ff15????????         |                     
            //   488bf8               | mov                 rdi, rax
            //   4883f8ff             | cmp                 rax, -1

        $sequence_37 = { 6a18 8d45e8 50 6a00 6aff e8???????? 85c0 }
            // n = 7, score = 500
            //   6a18                 | push                0x18
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6aff                 | push                -1
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_38 = { 33c0 6808020000 8d8c24000b0000 53 51 8944245c 89442460 }
            // n = 7, score = 400
            //   33c0                 | xor                 eax, eax
            //   6808020000           | push                0x208
            //   8d8c24000b0000       | lea                 ecx, [esp + 0xb00]
            //   53                   | push                ebx
            //   51                   | push                ecx
            //   8944245c             | mov                 dword ptr [esp + 0x5c], eax
            //   89442460             | mov                 dword ptr [esp + 0x60], eax

        $sequence_39 = { 7507 32c0 e9???????? c745b818000000 }
            // n = 4, score = 400
            //   7507                 | jne                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     
            //   c745b818000000       | mov                 dword ptr [ebp - 0x48], 0x18

        $sequence_40 = { ff15???????? eb03 8b7d0c 3bfb 740f }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   eb03                 | jmp                 5
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   3bfb                 | cmp                 edi, ebx
            //   740f                 | je                  0x11

        $sequence_41 = { 52 ff15???????? 83f801 0f845afeffff ff15???????? }
            // n = 5, score = 400
            //   52                   | push                edx
            //   ff15????????         |                     
            //   83f801               | cmp                 eax, 1
            //   0f845afeffff         | je                  0xfffffe60
            //   ff15????????         |                     

        $sequence_42 = { 75f5 2bce d1f9 7419 3bc3 7615 8b4c2420 }
            // n = 7, score = 400
            //   75f5                 | jne                 0xfffffff7
            //   2bce                 | sub                 ecx, esi
            //   d1f9                 | sar                 ecx, 1
            //   7419                 | je                  0x1b
            //   3bc3                 | cmp                 eax, ebx
            //   7615                 | jbe                 0x17
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]

        $sequence_43 = { e8???????? 85c0 740a b8050000c0 e9???????? }
            // n = 5, score = 200
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc
            //   b8050000c0           | mov                 eax, 0xc0000005
            //   e9????????           |                     

        $sequence_44 = { 668cc8 c3 53 50 }
            // n = 4, score = 200
            //   668cc8               | mov                 ax, cs
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_45 = { 733f 8b4df4 034df8 8139???????? 752f }
            // n = 5, score = 100
            //   733f                 | jae                 0x41
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   034df8               | add                 ecx, dword ptr [ebp - 8]
            //   8139????????         |                     
            //   752f                 | jne                 0x31

        $sequence_46 = { 85c0 740c c745fcffffffff e9???????? 6a04 8d4db0 51 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   740c                 | je                  0xe
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   e9????????           |                     
            //   6a04                 | push                4
            //   8d4db0               | lea                 ecx, [ebp - 0x50]
            //   51                   | push                ecx

        $sequence_47 = { 894590 e9???????? 33c9 0f8489000000 8b5594 8b4260 83e824 }
            // n = 7, score = 100
            //   894590               | mov                 dword ptr [ebp - 0x70], eax
            //   e9????????           |                     
            //   33c9                 | xor                 ecx, ecx
            //   0f8489000000         | je                  0x8f
            //   8b5594               | mov                 edx, dword ptr [ebp - 0x6c]
            //   8b4260               | mov                 eax, dword ptr [edx + 0x60]
            //   83e824               | sub                 eax, 0x24

    condition:
        // Any 7 of the 48 sequences above, in a file smaller than 1368064 bytes
        // (about 1.3 MiB). The size bound presumably derives from the samples
        // seen at generation time; it is not explained on this page.
        7 of them and filesize < 1368064
}
[TLP:WHITE] win_cobra_w0   (20170512 | No description)
rule win_cobra_w0 {
    meta:
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // String-based detection for win.cobra (Cobra Carbon System), taken from the
    // ESET "Carbon Paper" write-up referenced in meta.source.  A file is flagged
    // when it begins with the MZ header and contains at least one string from
    // each of the two groups below.  All strings are plain ASCII and
    // case-sensitive (no "wide" or "nocase" modifiers), so UTF-16 copies of the
    // same names are not matched.
    strings:
        // NOTE(review): presumably module entry-point names used by the backdoor;
        // confirm against the ESET write-up.
        $mod1 = "ModStart"
        $mod2 = "ModuleStart"
        // NOTE(review): presumably command/status tokens; confirm against the
        // ESET write-up.
        $stop1 = "STOP|OK"
        $stop2 = "STOP|KILL"

    condition:
        uint16(0) == 0x5a4d
        and 1 of ($mod*)
        and 1 of ($stop*)
}
[TLP:WHITE] win_cobra_w1   (20170512 | No description)
import "pe"

rule win_cobra_w1 {
    meta:
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    // Version-resource detection for win.cobra (Cobra Carbon System), from the
    // ESET "Carbon Paper" write-up referenced in meta.source.  Relies on the
    // "pe" module (imported at the top of this file): a PE whose VERSIONINFO
    // CompanyName contains "Microsoft Corporation" and whose InternalName
    // contains one of three file names is flagged.  "contains" is a
    // case-sensitive substring test.  Files that are not parseable PEs, or that
    // lack the version resource, leave pe.version_info undefined and do not match.
    //
    // NOTE(review): nothing here ties the match to the Cobra code itself, so a
    // legitimate binary carrying these same version strings could also match;
    // consider corroborating hits with win_cobra_w0 or win_cobra_auto before
    // acting on them.
    condition:
        pe.version_info["CompanyName"] contains "Microsoft Corporation"
        and (
            pe.version_info["InternalName"] contains "SERVICE.EXE"
            or pe.version_info["InternalName"] contains "MSIMGHLP.DLL"
            or pe.version_info["InternalName"] contains "MSXIML.DLL"
        )
}