win.cobra

Cobra Carbon System

aka: Carbon

Actor(s): Turla


There is no description at this point.

References
2023-05-09CISACISA
@online{cisa:20230509:hunting:eee110d, author = {CISA}, title = {{Hunting Russian Intelligence “Snake” Malware}}, date = {2023-05-09}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a}, language = {English}, urldate = {2023-05-10} } Hunting Russian Intelligence “Snake” Malware
Agent.BTZ Cobra Carbon System Uroburos
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-09-25Github (sisoma2)Marc
@online{marc:20200925:turla:06db824, author = {Marc}, title = {{Turla Carbon System}}, date = {2020-09-25}, organization = {Github (sisoma2)}, url = {https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon}, language = {English}, urldate = {2020-10-02} } Turla Carbon System
Cobra Carbon System
2020-07-21YouTube ( OPCDE with Matt Suiche)Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020SecureworksSecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla
2019-04-19Github (hfiref0x)hfiref0x
@online{hfiref0x:20190419:tdl:31ca191, author = {hfiref0x}, title = {{TDL (Turla Driver Loader) Repository}}, date = {2019-04-19}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/TDL}, language = {English}, urldate = {2020-01-08} } TDL (Turla Driver Loader) Repository
Cobra Carbon System
2018-10-04Kaspersky LabsGReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2023-01-10} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Agent.BTZ Cobra Carbon System Gazer Meterpreter Mosquito Skipper
2017-03-30ESET ResearchESET Research
@online{research:20170330:carbon:928505a, author = {ESET Research}, title = {{Carbon Paper: Peering into Turla’s second stage backdoor}}, date = {2017-03-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/}, language = {English}, urldate = {2019-11-14} } Carbon Paper: Peering into Turla’s second stage backdoor
Cobra Carbon System Turla
2016-05-23MELANI GovCERTGovCERT.ch
@techreport{govcertch:20160523:case:b6612e9, author = {GovCERT.ch}, title = {{APT Case RUAG - Technical Report}}, date = {2016-05-23}, institution = {MELANI GovCERT}, url = {https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf}, language = {English}, urldate = {2022-08-05} } APT Case RUAG - Technical Report
Cobra Carbon System
2016-01-14SymantecSecurity Response
@online{response:20160114:waterbug:9dbc59e, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, organization = {Symantec}, url = {https://docs.broadcom.com/doc/waterbug-attack-group}, language = {English}, urldate = {2022-04-25} } The Waterbug attack group
Agent.BTZ Cobra Carbon System Wipbot
2015-01-20G DataG Data
@online{data:20150120:analysis:2fe6cf2, author = {G Data}, title = {{Analysis of Project Cobra}}, date = {2015-01-20}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra}, language = {English}, urldate = {2020-01-05} } Analysis of Project Cobra
Cobra Carbon System
2014-08-07Kaspersky LabsGReAT
@online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2021-07-02} } The Epic Turla Operation
Cobra Carbon System Uroburos Wipbot Turla
2014circl.luCIRCL
@online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos
Cobra Carbon System Uroburos Turla
Yara Rules
[TLP:WHITE] win_cobra_auto (20230407 | Detects win.cobra.)
/*
 * Auto-generated code-sequence signature for win.cobra (the Carbon backdoor
 * attributed to Turla; see malpedia_reference below).
 *
 * Each $sequence_N is a short run of x86 opcode bytes lifted from the
 * disassembly of memory dumps and unpacked samples (see DISCLAIMER). The `??`
 * wildcards mask the address-dependent operand bytes of calls, jumps and
 * absolute data references (cf. signator_config "callsandjumps;datarefs;binvalue"),
 * presumably so that the sequences stay stable across different address layouts.
 *
 * NOTE(review): the "// n = ..., score = ..." lines and the disassembly column
 * are documentation only - YARA matches the hex byte strings alone. In a number
 * of sequences the disassembly column does not correspond to the bytes on the
 * same line (e.g. $sequence_0: 7511 is a short `jne`, not `mov ecx, edi`;
 * $sequence_1: 5e/5b/c3 are `pop esi`/`pop ebx`/`ret`), and in places the
 * annotations appear shifted between sequences (the text under $sequence_37
 * matches the bytes of $sequence_41). Do not rely on the column when triaging
 * a hit; re-disassemble the matched bytes instead. Sequences carrying REX
 * prefixes (48/49/4c/41 in $sequence_20..$sequence_24 and
 * $sequence_37..$sequence_43) look like x86-64 code; their annotations read
 * those prefix bytes as 32-bit `dec`/`inc`, presumably because they were
 * disassembled in 32-bit mode - TODO confirm.
 *
 * "score" presumably reflects how many of the reference samples contain the
 * sequence (higher = seen more widely); verify against the yara-signator
 * documentation before using it to weight hits.
 */
rule win_cobra_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-29"
        version = "1"
        description = "Detects win.cobra."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7511 e8???????? 85c0 7508 ff15???????? }
            // n = 5, score = 2900
            //   7511                 | mov                 ecx, edi
            //   e8????????           |                     
            //   85c0                 | inc                 ecx
            //   7508                 | mov                 bh, 1
            //   ff15????????         |                     

        $sequence_1 = { 5e 5b c3 85ff 7418 }
            // n = 5, score = 2500
            //   5e                   | sub                 eax, 1
            //   5b                   | test                eax, eax
            //   c3                   | jne                 0x83
            //   85ff                 | test                eax, eax
            //   7418                 | jle                 0x98

        $sequence_2 = { ff25???????? 53 56 57 8bd9 33f6 }
            // n = 6, score = 2500
            //   ff25????????         |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bd9                 | mov                 ebx, ecx
            //   33f6                 | xor                 esi, esi

        $sequence_3 = { 85db 7514 391d???????? 754d }
            // n = 4, score = 2500
            //   85db                 | push                0
            //   7514                 | push                ecx
            //   391d????????         |                     
            //   754d                 | xor                 eax, eax

        $sequence_4 = { 890d???????? 753c b980000000 e8???????? 85c0 a3???????? 7504 }
            // n = 7, score = 2500
            //   890d????????         |                     
            //   753c                 | jne                 0x3e
            //   b980000000           | mov                 ecx, 0x80
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   7504                 | jne                 6

        $sequence_5 = { 85c0 a3???????? 7504 33c0 eb68 832000 a1???????? }
            // n = 7, score = 2500
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb68                 | jmp                 0x6a
            //   832000               | and                 dword ptr [eax], 0
            //   a1????????           |                     

        $sequence_6 = { 5b c3 83fb01 7405 }
            // n = 4, score = 2500
            //   5b                   | test                eax, eax
            //   c3                   | jne                 0x83
            //   83fb01               | test                eax, eax
            //   7405                 | jle                 0x98

        $sequence_7 = { 85c0 750e 3905???????? 7e2c }
            // n = 4, score = 2500
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   3905????????         |                     
            //   7e2c                 | jle                 0x2e

        $sequence_8 = { e8???????? 85c0 750e 33ff 8bc7 }
            // n = 5, score = 2500
            //   e8????????           |                     
            //   85c0                 | jne                 0x12
            //   750e                 | jle                 0x32
            //   33ff                 | mov                 ecx, 0x80
            //   8bc7                 | test                eax, eax

        $sequence_9 = { 83f801 75f1 b900010000 e8???????? }
            // n = 4, score = 2500
            //   83f801               | test                eax, eax
            //   75f1                 | jne                 0x83
            //   b900010000           | test                eax, eax
            //   e8????????           |                     

        $sequence_10 = { 83fb01 7405 83fb02 7537 }
            // n = 4, score = 2500
            //   83fb01               | mov                 eax, dword ptr [esp + 0x38]
            //   7405                 | test                eax, eax
            //   83fb02               | jne                 0x83
            //   7537                 | test                eax, eax

        $sequence_11 = { 5b c3 85db 7405 83fb03 }
            // n = 5, score = 2500
            //   5b                   | push                edi
            //   c3                   | mov                 ebx, ecx
            //   85db                 | xor                 esi, esi
            //   7405                 | mov                 eax, dword ptr [esp + 8]
            //   83fb03               | test                eax, eax

        $sequence_12 = { 85c0 757f 8b05???????? 85c0 0f8e8c000000 83e801 }
            // n = 6, score = 2500
            //   85c0                 | jne                 8
            //   757f                 | xor                 eax, eax
            //   8b05????????         |                     
            //   85c0                 | push                edi
            //   0f8e8c000000         | push                ecx
            //   83e801               | push                0

        $sequence_13 = { f7f9 8b7e08 2bea 2bfd 6a10 }
            // n = 5, score = 1900
            //   f7f9                 | idiv                ecx
            //   8b7e08               | mov                 edi, dword ptr [esi + 8]
            //   2bea                 | sub                 ebp, edx
            //   2bfd                 | sub                 edi, ebp
            //   6a10                 | push                0x10

        $sequence_14 = { ffd5 6a00 ff7620 8bf8 ff5628 59 59 }
            // n = 7, score = 1900
            //   ffd5                 | call                ebp
            //   6a00                 | push                0
            //   ff7620               | push                dword ptr [esi + 0x20]
            //   8bf8                 | mov                 edi, eax
            //   ff5628               | call                dword ptr [esi + 0x28]
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_15 = { ffd5 8944241c 8d442418 50 }
            // n = 4, score = 1900
            //   ffd5                 | call                ebp
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax

        $sequence_16 = { 7407 33c0 e9???????? ff15???????? e9???????? }
            // n = 5, score = 1900
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   ff15????????         |                     
            //   e9????????           |                     

        $sequence_17 = { 7f07 e8???????? eb26 83c0ff }
            // n = 4, score = 1200
            //   7f07                 | jg                  9
            //   e8????????           |                     
            //   eb26                 | jmp                 0x28
            //   83c0ff               | add                 eax, -1

        $sequence_18 = { eb6d e8???????? 85c0 7564 }
            // n = 4, score = 1200
            //   eb6d                 | jmp                 0x6f
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7564                 | jne                 0x66

        $sequence_19 = { e8???????? 33db 3bc3 741a }
            // n = 4, score = 1200
            //   e8????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   3bc3                 | cmp                 eax, ebx
            //   741a                 | je                  0x1c

        $sequence_20 = { 85c0 7564 488b0b 488b01 83385c 7e4b }
            // n = 6, score = 1100
            //   85c0                 | mov                 ecx, edi
            //   7564                 | xor                 ebx, ebx
            //   488b0b               | cmp                 eax, ebx
            //   488b01               | je                  0x28
            //   83385c               | dec                 eax
            //   7e4b                 | mov                 ecx, dword ptr [edi]

        $sequence_21 = { e8???????? 498bce e8???????? 4c8b1e 418bd4 498b03 488bce }
            // n = 7, score = 1100
            //   e8????????           |                     
            //   498bce               | dec                 ecx
            //   e8????????           |                     
            //   4c8b1e               | mov                 ecx, esi
            //   418bd4               | dec                 esp
            //   498b03               | mov                 ebx, dword ptr [esi]
            //   488bce               | inc                 ecx

        $sequence_22 = { e8???????? 8bf8 488b0b 4883c108 e8???????? }
            // n = 5, score = 1100
            //   e8????????           |                     
            //   8bf8                 | and                 dword ptr [ebp], 0
            //   488b0b               | mov                 eax, esi
            //   4883c108             | jmp                 0x12
            //   e8????????           |                     

        $sequence_23 = { 83650000 8bc6 eb0e 4883c108 e8???????? }
            // n = 5, score = 1100
            //   83650000             | dec                 ecx
            //   8bc6                 | mov                 ecx, esi
            //   eb0e                 | dec                 esp
            //   4883c108             | mov                 ebx, dword ptr [esi]
            //   e8????????           |                     

        $sequence_24 = { e8???????? b801005921 488b5c2430 488b6c2438 488b742440 488b7c2448 }
            // n = 6, score = 1100
            //   e8????????           |                     
            //   b801005921           | and                 dword ptr [ebp], 0
            //   488b5c2430           | mov                 eax, esi
            //   488b6c2438           | jmp                 0x10
            //   488b742440           | dec                 eax
            //   488b7c2448           | add                 ecx, 8

        $sequence_25 = { 83781400 750a b865005921 e9???????? }
            // n = 4, score = 900
            //   83781400             | mov                 eax, dword ptr [esp + 8]
            //   750a                 | test                eax, eax
            //   b865005921           | jne                 0x12
            //   e9????????           |                     

        $sequence_26 = { 51 6a00 6a00 56 ff15???????? 56 8bf8 }
            // n = 7, score = 800
            //   51                   | ret                 
            //   6a00                 | cmp                 ebx, 1
            //   6a00                 | je                  0xb
            //   56                   | xor                 eax, eax
            //   ff15????????         |                     
            //   56                   | pop                 esi
            //   8bf8                 | pop                 ebp

        $sequence_27 = { 6a03 68000000c0 50 ff15???????? 8bf0 83feff 7505 }
            // n = 7, score = 800
            //   6a03                 | push                0
            //   68000000c0           | push                0
            //   50                   | push                esi
            //   ff15????????         |                     
            //   8bf0                 | mov                 ecx, dword ptr [ebp + 8]
            //   83feff               | push                edi
            //   7505                 | push                ecx

        $sequence_28 = { 33c0 5e 5d c3 8b4d08 57 51 }
            // n = 7, score = 800
            //   33c0                 | jmp                 0x6e
            //   5e                   | mov                 ecx, 0x80
            //   5d                   | test                eax, eax
            //   c3                   | jne                 8
            //   8b4d08               | cmp                 dword ptr [eax + ecx], 0x4550
            //   57                   | jne                 5
            //   51                   | xor                 eax, eax

        $sequence_29 = { 6689440ffc 6685c0 75ee f685c003000010 }
            // n = 4, score = 800
            //   6689440ffc           | mov                 ebx, dword ptr [esp + 0x58]
            //   6685c0               | test                ebx, ebx
            //   75ee                 | jne                 0x1c
            //   f685c003000010       | jne                 0x57

        $sequence_30 = { 8b0d???????? 895004 894808 33c0 }
            // n = 4, score = 800
            //   8b0d????????         |                     
            //   895004               | sub                 ecx, edx
            //   894808               | lea                 eax, [edi + edx]
            //   33c0                 | sub                 esi, edi

        $sequence_31 = { ff15???????? 83f87a 740b 3d230000c0 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   83f87a               | mov                 ebx, dword ptr [esp + 0x58]
            //   740b                 | test                ebx, ebx
            //   3d230000c0           | jne                 0x1c

        $sequence_32 = { 83c0fe 668b4802 83c002 663bcb 75f4 8b15???????? 8b0d???????? }
            // n = 7, score = 800
            //   83c0fe               | ret                 
            //   668b4802             | je                  9
            //   83c002               | xor                 eax, eax
            //   663bcb               | cmp                 eax, -1
            //   75f4                 | je                  9
            //   8b15????????         |                     
            //   8b0d????????         |                     

        $sequence_33 = { 83c002 663bcb 75f4 8b0d???????? 8b15???????? 8908 8b0d???????? }
            // n = 7, score = 800
            //   83c002               | mov                 dword ptr [eax], edx
            //   663bcb               | mov                 ecx, dword ptr [ebp + 8]
            //   75f4                 | push                edi
            //   8b0d????????         |                     
            //   8b15????????         |                     
            //   8908                 | push                ecx
            //   8b0d????????         |                     

        $sequence_34 = { 56 6a00 6880000000 6a03 6a00 6a03 68000000c0 }
            // n = 7, score = 800
            //   56                   | mov                 dword ptr [eax], ecx
            //   6a00                 | pop                 esi
            //   6880000000           | pop                 ebp
            //   6a03                 | ret                 
            //   6a00                 | mov                 ecx, dword ptr [ebp + 8]
            //   6a03                 | push                edi
            //   68000000c0           | push                ecx

        $sequence_35 = { 68???????? 51 ffd6 83c40c 6a28 }
            // n = 5, score = 800
            //   68????????           |                     
            //   51                   | push                0
            //   ffd6                 | push                0
            //   83c40c               | push                esi
            //   6a28                 | mov                 dword ptr [eax], ecx

        $sequence_36 = { 8d45e8 50 6a00 6aff e8???????? 85c0 }
            // n = 6, score = 800
            //   8d45e8               | mov                 ebx, ecx
            //   50                   | xor                 esi, esi
            //   6a00                 | cmp                 dword ptr [eax + ecx], 0x4550
            //   6aff                 | jne                 5
            //   e8????????           |                     
            //   85c0                 | xor                 eax, eax

        $sequence_37 = { 5d c3 4585e4 75e8 }
            // n = 4, score = 700
            //   5d                   | mov                 edx, edi
            //   c3                   | mov                 ecx, 0x14
            //   4585e4               | test                al, al
            //   75e8                 | cmovne              edi, ecx

        $sequence_38 = { 75ea 33c0 4883c9ff 488d7da0 }
            // n = 4, score = 700
            //   75ea                 | test                eax, eax
            //   33c0                 | dec                 esp
            //   4883c9ff             | mov                 dword ptr [esp + 0x48], esp
            //   488d7da0             | dec                 eax

        $sequence_39 = { ff15???????? 488bcf ff15???????? 41b701 }
            // n = 4, score = 700
            //   ff15????????         |                     
            //   488bcf               | dec                 eax
            //   ff15????????         |                     
            //   41b701               | mov                 ecx, esi

        $sequence_40 = { 8d8588feffff 68???????? 50 ff15???????? 83c42c }
            // n = 5, score = 700
            //   8d8588feffff         | lea                 eax, [ebp - 0x178]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c42c               | add                 esp, 0x2c

        $sequence_41 = { b914000000 84c0 0f45f9 488bce 8bd7 }
            // n = 5, score = 700
            //   b914000000           | test                eax, eax
            //   84c0                 | jne                 0xc
            //   0f45f9               | jne                 0x13
            //   488bce               | test                eax, eax
            //   8bd7                 | jne                 0xc

        $sequence_42 = { 48894c2450 4c89642448 488d4c2468 48894c2440 }
            // n = 4, score = 700
            //   48894c2450           | mov                 ebx, dword ptr [esp + 0x58]
            //   4c89642448           | test                ebx, ebx
            //   488d4c2468           | jne                 0x1c
            //   48894c2440           | jne                 0x57

        $sequence_43 = { 488bce 8bd7 ff15???????? 85c0 }
            // n = 4, score = 700
            //   488bce               | mov                 dword ptr [esp + 0x40], ecx
            //   8bd7                 | dec                 eax
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [esp + 0x50], ecx

        $sequence_44 = { 7507 32c0 e9???????? c745b818000000 }
            // n = 4, score = 600
            //   7507                 | push                eax
            //   32c0                 | push                0
            //   e9????????           |                     
            //   c745b818000000       | push                -1

        $sequence_45 = { 6685c9 75f5 2bc2 d1f8 66837c43fe5c }
            // n = 5, score = 500
            //   6685c9               | test                cx, cx
            //   75f5                 | jne                 0xfffffff7
            //   2bc2                 | sub                 eax, edx
            //   d1f8                 | sar                 eax, 1
            //   66837c43fe5c         | cmp                 word ptr [ebx + eax*2 - 2], 0x5c
            // NOTE(review): 0x5c is '\'; a wide-char compare against it looks like
            // trailing-backslash handling on a UTF-16 path - inference only.

        $sequence_46 = { 33f6 03c2 13ce 51 }
            // n = 4, score = 500
            //   33f6                 | test                eax, eax
            //   03c2                 | je                  0xe
            //   13ce                 | push                0
            //   51                   | push                -1

        $sequence_47 = { 0f8456feffff 807c241301 6800080000 0f8544020000 }
            // n = 4, score = 300
            //   0f8456feffff         | je                  0xfffffe5c
            //   807c241301           | cmp                 byte ptr [esp + 0x13], 1
            //   6800080000           | push                0x800
            //   0f8544020000         | jne                 0x24a

        $sequence_48 = { 05a1000000 50 8d84249c0d0000 68???????? }
            // n = 4, score = 300
            //   05a1000000           | add                 eax, 0xa1
            //   50                   | push                eax
            //   8d84249c0d0000       | lea                 eax, [esp + 0xd9c]
            //   68????????           |                     

        $sequence_49 = { 05a2000000 50 8d8c249c0d0000 68???????? }
            // n = 4, score = 300
            //   05a2000000           | add                 eax, 0xa2
            //   50                   | push                eax
            //   8d8c249c0d0000       | lea                 ecx, [esp + 0xd9c]
            //   68????????           |                     

        $sequence_50 = { 0f84100f0000 6800080000 57 56 }
            // n = 4, score = 300
            //   0f84100f0000         | je                  0xf16
            //   6800080000           | push                0x800
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_51 = { 05a2000000 50 8d94249c0d0000 68???????? }
            // n = 4, score = 300
            //   05a2000000           | add                 eax, 0xa2
            //   50                   | push                eax
            //   8d94249c0d0000       | lea                 edx, [esp + 0xd9c]
            //   68????????           |                     

        $sequence_52 = { 0f8431ffffff 8b4d08 5f 8931 }
            // n = 4, score = 300
            //   0f8431ffffff         | je                  0xffffff37
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   5f                   | pop                 edi
            //   8931                 | mov                 dword ptr [ecx], esi

        $sequence_53 = { 85c0 740a b8050000c0 e9???????? }
            // n = 4, score = 200
            //   85c0                 | push                -1
            //   740a                 | test                eax, eax
            //   b8050000c0           | push                0x18
            //   e9????????           |                     

        $sequence_54 = { 668cc8 c3 53 50 }
            // n = 4, score = 200
            //   668cc8               | test                eax, eax
            //   c3                   | je                  0xd
            //   53                   | push                eax
            //   50                   | push                0

        $sequence_55 = { c745bc00000000 b9???????? ff15???????? 8845ff }
            // n = 4, score = 100
            //   c745bc00000000       | push                eax
            //   b9????????           |                     
            //   ff15????????         |                     
            //   8845ff               | xor                 esi, esi

    /* Any 7 of the 56 sequences present -> match. The filesize cap
     * (1368064 bytes, ~1.3 MiB) is presumably derived from the reference
     * sample set; a larger file that still contains the code (e.g. a full
     * memory dump or a padded/repacked build) is excluded by it even if every
     * sequence is present. Tune it (or drop it) if you scan such artefacts. */
    condition:
        7 of them and filesize < 1368064
}
[TLP:WHITE] win_cobra_w0   (20170512 | No description)
rule win_cobra_w0 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    // Plain-text markers from the ESET write-up (see `source`): one of the
    // "Mod(ule)Start" names ($s*) - presumably entry-point names of the
    // backdoor's modules, verify against the write-up - plus one of the
    // "STOP|..." tokens ($t*), which look like status/command strings.
    // `ascii` is YARA's default and is spelled out only for readability;
    // matching stays case-sensitive and unchanged.
    strings:
        $s1 = "ModStart" ascii
        $s2 = "ModuleStart" ascii
        $t1 = "STOP|OK" ascii
        $t2 = "STOP|KILL" ascii

    // File must begin with an MZ header (bytes 4d 5a, i.e. 0x5a4d read
    // little-endian) and contain at least one string from each group.
    // `any of` is YARA's alias for `1 of`.
    condition:
        uint16(0) == 0x5a4d
        and any of ($s*)
        and any of ($t*)
}
[TLP:WHITE] win_cobra_w1   (20170512 | No description)
import "pe"

rule win_cobra_w1 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    // No strings section: this rule keys purely on the PE VERSIONINFO
    // resource (requires `import "pe"` at file level). It fires when
    // InternalName contains one of three file names - presumably the names
    // the Carbon components ship under, see `source` - AND CompanyName
    // contains "Microsoft Corporation" (presumably a spoofed vendor string).
    // NOTE(review): `contains` is case-sensitive, so a lowercase
    // "service.exe" would not match; `icontains` (newer YARA versions) would
    // widen this but changes behaviour. A file without a version resource,
    // or without these two entries, yields undefined here and does not match.
    condition:
        (pe.version_info["InternalName"] contains "SERVICE.EXE" or
        pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or
        pe.version_info["InternalName"] contains "MSXIML.DLL")
        and pe.version_info["CompanyName"] contains "Microsoft Corporation"
}