win.cobra

Cobra Carbon System

aka: Carbon

Actor(s): Turla Group

There is no description at this point.

References
2020-10-28 | Accenture | Cyber Defense
Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} }
Tagged: Cobra Carbon System, Kazuar, TurlaRPC, Turla SilentMoon

2020-09-25 | Github (sisoma2) | Marc
Turla Carbon System
@online{marc:20200925:turla:06db824, author = {Marc}, title = {{Turla Carbon System}}, date = {2020-09-25}, organization = {Github (sisoma2)}, url = {https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon}, language = {English}, urldate = {2020-10-02} }
Tagged: Cobra Carbon System

2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
Tagged: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelDridex, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti, ANTHROPOID SPIDER, APT31, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORK SPIDER, DOPPEL SPIDER, FIN7, Gamaredon Group, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, PINCHY SPIDER, Pirate Panda, SALTY SPIDER, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2020 | Secureworks | SecureWorks
IRON HUNTER
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} }
Tagged: Agent.BTZ, Cobra Carbon System, LightNeuron, Mosquito, Nautilus, Neuron, Skipper, Uroburos, Turla Group

2019-04-19 | Github (hfiref0x) | hfiref0x
TDL (Turla Driver Loader) Repository
@online{hfiref0x:20190419:tdl:31ca191, author = {hfiref0x}, title = {{TDL (Turla Driver Loader) Repository}}, date = {2019-04-19}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/TDL}, language = {English}, urldate = {2020-01-08} }
Tagged: Cobra Carbon System

2018-10-04 | Kaspersky Labs | GReAT
Shedding Skin – Turla's Fresh Faces
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} }
Tagged: KopiLuwak, Cobra Carbon System, Gazer, Mosquito, Skipper

2017-03-30 | ESET Research | ESET Research
Carbon Paper: Peering into Turla's second stage backdoor
@online{research:20170330:carbon:928505a, author = {ESET Research}, title = {{Carbon Paper: Peering into Turla’s second stage backdoor}}, date = {2017-03-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/}, language = {English}, urldate = {2019-11-14} }
Tagged: Cobra Carbon System, Turla Group

2016-05-23 | MELANI GovCERT | GovCERT.ch
APT Case RUAG - Technical Report
@techreport{govcertch:20160523:case:b6612e9, author = {GovCERT.ch}, title = {{APT Case RUAG - Technical Report}}, date = {2016-05-23}, institution = {MELANI GovCERT}, url = {https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf}, language = {English}, urldate = {2019-12-17} }
Tagged: Cobra Carbon System

2016-01-14 | Symantec | Security Response
The Waterbug attack group
@techreport{response:20160114:waterbug:9dbc59e, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, institution = {Symantec}, url = {https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf}, language = {English}, urldate = {2020-04-21} }
Tagged: Agent.BTZ, Cobra Carbon System, Wipbot, Turla Group

2015-01-20 | G Data | G Data
Analysis of Project Cobra
@online{data:20150120:analysis:2fe6cf2, author = {G Data}, title = {{Analysis of Project Cobra}}, date = {2015-01-20}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra}, language = {English}, urldate = {2020-01-05} }
Tagged: Cobra Carbon System

2014-08-07 | Kaspersky Labs | GReAT
The Epic Turla Operation
@online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2021-07-02} }
Tagged: Cobra Carbon System, Uroburos, Wipbot, Turla Group

2014 | circl.lu | CIRCL
TR-25 Analysis - Turla / Pfinet / Snake / Uroburos
@online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} }
Tagged: Cobra Carbon System, Uroburos, Turla Group

Yara Rules
[TLP:WHITE] win_cobra_auto (20210616 | Detects win.cobra.)
rule win_cobra_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.cobra."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7511 e8???????? 85c0 7508 ff15???????? }
            // n = 5, score = 2900
            //   7511                 | jne                 0x13
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   ff15????????         |                     

        $sequence_1 = { c3 83f801 75f1 b900010000 }
            // n = 4, score = 2500
            //   c3                   | ret                 
            //   83f801               | cmp                 eax, 1
            //   75f1                 | jne                 0xfffffff3
            //   b900010000           | mov                 ecx, 0x100

        $sequence_2 = { 8b5c2458 85db 7514 391d???????? 754d 33c0 }
            // n = 6, score = 2500
            //   8b5c2458             | mov                 ebx, dword ptr [esp + 0x58]
            //   85db                 | test                ebx, ebx
            //   7514                 | jne                 0x16
            //   391d????????         |                     
            //   754d                 | jne                 0x4f
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { 8bf8 83fb01 751d 85ff }
            // n = 4, score = 2500
            //   8bf8                 | mov                 edi, eax
            //   83fb01               | cmp                 ebx, 1
            //   751d                 | jne                 0x1f
            //   85ff                 | test                edi, edi

        $sequence_4 = { 8b442438 85c0 757f 8b05???????? 85c0 }
            // n = 5, score = 2500
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   85c0                 | test                eax, eax
            //   757f                 | jne                 0x81
            //   8b05????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_5 = { 8b442408 85c0 750e 3905???????? 7e2c ff0d???????? }
            // n = 6, score = 2500
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   3905????????         |                     
            //   7e2c                 | jle                 0x2e
            //   ff0d????????         |                     

        $sequence_6 = { 8b09 890d???????? 753c b980000000 e8???????? 85c0 }
            // n = 6, score = 2500
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   890d????????         |                     
            //   753c                 | jne                 0x3e
            //   b980000000           | mov                 ecx, 0x80
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_7 = { 5e 5b c3 83fb01 7405 83fb02 }
            // n = 6, score = 2500
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   83fb01               | cmp                 ebx, 1
            //   7405                 | je                  7
            //   83fb02               | cmp                 ebx, 2

        $sequence_8 = { 5f 5e 5b c3 85ff 7418 }
            // n = 6, score = 2500
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   85ff                 | test                edi, edi
            //   7418                 | je                  0x1a

        $sequence_9 = { b980000000 e8???????? 85c0 a3???????? 7504 33c0 }
            // n = 6, score = 2500
            //   b980000000           | mov                 ecx, 0x80
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax

        $sequence_10 = { 5e 5b c3 85db 7405 83fb03 753b }
            // n = 7, score = 2500
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   85db                 | test                ebx, ebx
            //   7405                 | je                  7
            //   83fb03               | cmp                 ebx, 3
            //   753b                 | jne                 0x3d

        $sequence_11 = { c20c00 ff25???????? 53 56 57 8bd9 33f6 }
            // n = 7, score = 2500
            //   c20c00               | ret                 0xc
            //   ff25????????         |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bd9                 | mov                 ebx, ecx
            //   33f6                 | xor                 esi, esi

        $sequence_12 = { 751c 8bcf ff15???????? 8d8fe8030000 }
            // n = 4, score = 2500
            //   751c                 | jne                 0x1e
            //   8bcf                 | mov                 ecx, edi
            //   ff15????????         |                     
            //   8d8fe8030000         | lea                 ecx, dword ptr [edi + 0x3e8]

        $sequence_13 = { 33d2 b9e8030000 f7f1 83f805 }
            // n = 4, score = 2300
            //   33d2                 | xor                 edx, edx
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   f7f1                 | div                 ecx
            //   83f805               | cmp                 eax, 5

        $sequence_14 = { 57 ff15???????? 83f8ff 7435 53 8d45f8 }
            // n = 6, score = 1900
            //   57                   | push                edi
            //   ff15????????         |                     
            //   83f8ff               | cmp                 eax, -1
            //   7435                 | je                  0x37
            //   53                   | push                ebx
            //   8d45f8               | lea                 eax, dword ptr [ebp - 8]

        $sequence_15 = { 80fb64 7507 33c0 e9???????? }
            // n = 4, score = 1900
            //   80fb64               | cmp                 bl, 0x64
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_16 = { 7517 8d45f8 50 6a28 }
            // n = 4, score = 1900
            //   7517                 | jne                 0x19
            //   8d45f8               | lea                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   6a28                 | push                0x28

        $sequence_17 = { 8a1401 3217 47 8810 40 4e 75f4 }
            // n = 7, score = 1900
            //   8a1401               | mov                 dl, byte ptr [ecx + eax]
            //   3217                 | xor                 dl, byte ptr [edi]
            //   47                   | inc                 edi
            //   8810                 | mov                 byte ptr [eax], dl
            //   40                   | inc                 eax
            //   4e                   | dec                 esi
            //   75f4                 | jne                 0xfffffff6

        $sequence_18 = { 85c0 7f07 e8???????? eb26 }
            // n = 4, score = 1200
            //   85c0                 | test                eax, eax
            //   7f07                 | jg                  9
            //   e8????????           |                     
            //   eb26                 | jmp                 0x28

        $sequence_19 = { 894c2450 740f 034810 894c2450 }
            // n = 4, score = 1200
            //   894c2450             | mov                 dword ptr [esp + 0x50], ecx
            //   740f                 | je                  0x11
            //   034810               | add                 ecx, dword ptr [eax + 0x10]
            //   894c2450             | mov                 dword ptr [esp + 0x50], ecx

        $sequence_20 = { e8???????? 33db 3bc3 741a }
            // n = 4, score = 1200
            //   e8????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   3bc3                 | cmp                 eax, ebx
            //   741a                 | je                  0x1c

        $sequence_21 = { 894304 eb11 8b03 85c0 7e0b 213b }
            // n = 6, score = 1200
            //   894304               | mov                 dword ptr [ebx + 4], eax
            //   eb11                 | jmp                 0x13
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   85c0                 | test                eax, eax
            //   7e0b                 | jle                 0xd
            //   213b                 | and                 dword ptr [ebx], edi

        $sequence_22 = { 5e 5d c3 8bc5 ebe4 }
            // n = 5, score = 1200
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bc5                 | mov                 eax, ebp
            //   ebe4                 | jmp                 0xffffffe6

        $sequence_23 = { 7406 83430401 eb04 834b08ff }
            // n = 4, score = 1200
            //   7406                 | je                  8
            //   83430401             | add                 dword ptr [ebx + 4], 1
            //   eb04                 | jmp                 6
            //   834b08ff             | or                  dword ptr [ebx + 8], 0xffffffff

        $sequence_24 = { 83781400 750a b865005921 e9???????? }
            // n = 4, score = 900
            //   83781400             | cmp                 dword ptr [eax + 0x14], 0
            //   750a                 | jne                 0xc
            //   b865005921           | mov                 eax, 0x21590065
            //   e9????????           |                     

        $sequence_25 = { 8908 8b0d???????? 895004 894808 33c0 }
            // n = 5, score = 800
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b0d????????         |                     
            //   895004               | mov                 dword ptr [eax + 4], edx
            //   894808               | mov                 dword ptr [eax + 8], ecx
            //   33c0                 | xor                 eax, eax

        $sequence_26 = { 56 6a00 6880000000 6a03 6a00 6a03 68000000c0 }
            // n = 7, score = 800
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a03                 | push                3
            //   68000000c0           | push                0xc0000000

        $sequence_27 = { 668b4802 83c002 663bcb 75f4 8b15???????? }
            // n = 5, score = 800
            //   668b4802             | mov                 cx, word ptr [eax + 2]
            //   83c002               | add                 eax, 2
            //   663bcb               | cmp                 cx, bx
            //   75f4                 | jne                 0xfffffff6
            //   8b15????????         |                     

        $sequence_28 = { ff15???????? 83f87a 740b 3d230000c0 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   83f87a               | cmp                 eax, 0x7a
            //   740b                 | je                  0xd
            //   3d230000c0           | cmp                 eax, 0xc0000023

        $sequence_29 = { 68000000c0 50 ff15???????? 8bf0 83feff 7505 }
            // n = 6, score = 800
            //   68000000c0           | push                0xc0000000
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7505                 | jne                 7

        $sequence_30 = { 8d45e8 50 6a00 6aff e8???????? 85c0 }
            // n = 6, score = 800
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6aff                 | push                -1
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_31 = { 8b7d0c 3bc3 7508 3bfb }
            // n = 4, score = 800
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   3bc3                 | cmp                 eax, ebx
            //   7508                 | jne                 0xa
            //   3bfb                 | cmp                 edi, ebx

        $sequence_32 = { 8b4d08 57 51 6a00 6a00 56 }
            // n = 6, score = 800
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   56                   | push                esi

        $sequence_33 = { 53 56 33db 57 6808020000 }
            // n = 5, score = 800
            //   53                   | push                ebx
            //   56                   | push                esi
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   6808020000           | push                0x208

        $sequence_34 = { 663bcb 75f4 8b0d???????? 8b15???????? 8908 8b0d???????? }
            // n = 6, score = 800
            //   663bcb               | cmp                 cx, bx
            //   75f4                 | jne                 0xfffffff6
            //   8b0d????????         |                     
            //   8b15????????         |                     
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b0d????????         |                     

        $sequence_35 = { 6689440ffc 6685c0 75ee f685c003000010 }
            // n = 4, score = 800
            //   6689440ffc           | mov                 word ptr [edi + ecx - 4], ax
            //   6685c0               | test                ax, ax
            //   75ee                 | jne                 0xfffffff0
            //   f685c003000010       | test                byte ptr [ebp + 0x3c0], 0x10

        $sequence_36 = { 4585e4 75e8 85f6 74e4 }
            // n = 4, score = 700 (x86-64 sequence)
            //   4585e4               | test                r12d, r12d
            //   75e8                 | jne                 0xffffffea
            //   85f6                 | test                esi, esi
            //   74e4                 | je                  0xffffffe6

        $sequence_37 = { 415c 5e 5b 5d c3 4585e4 75e8 }
            // n = 7, score = 700 (x86-64 sequence)
            //   415c                 | pop                 r12
            //   5e                   | pop                 rsi
            //   5b                   | pop                 rbx
            //   5d                   | pop                 rbp
            //   c3                   | ret                 
            //   4585e4               | test                r12d, r12d
            //   75e8                 | jne                 0xffffffea

        $sequence_38 = { 6685c0 75e7 33c0 4883c9ff 488dbdb0010000 }
            // n = 5, score = 700 (x86-64 sequence)
            //   6685c0               | test                ax, ax
            //   75e7                 | jne                 0xffffffe9
            //   33c0                 | xor                 eax, eax
            //   4883c9ff             | or                  rcx, 0xffffffffffffffff
            //   488dbdb0010000       | lea                 rdi, [rbp + 0x1b0]

        $sequence_39 = { 4881ec480d0000 4533e4 4c8bf1 488bda 488d8d10060000 33d2 }
            // n = 6, score = 700 (x86-64 sequence)
            //   4881ec480d0000       | sub                 rsp, 0xd48
            //   4533e4               | xor                 r12d, r12d
            //   4c8bf1               | mov                 r14, rcx
            //   488bda               | mov                 rbx, rdx
            //   488d8d10060000       | lea                 rcx, [rbp + 0x610]
            //   33d2                 | xor                 edx, edx

        $sequence_40 = { 4154 4156 4157 488dac24b8f3ffff 4881ec480d0000 4533e4 }
            // n = 6, score = 700 (x86-64 sequence)
            //   4154                 | push                r12
            //   4156                 | push                r14
            //   4157                 | push                r15
            //   488dac24b8f3ffff     | lea                 rbp, [rsp - 0xc48]
            //   4881ec480d0000       | sub                 rsp, 0xd48
            //   4533e4               | xor                 r12d, r12d

        $sequence_41 = { ff15???????? 83f812 410f44c4 448be0 498bcd }
            // n = 5, score = 700 (x86-64 sequence)
            //   ff15????????         |                     
            //   83f812               | cmp                 eax, 0x12
            //   410f44c4             | cmove               eax, r12d
            //   448be0               | mov                 r12d, eax
            //   498bcd               | mov                 rcx, r13

        $sequence_42 = { 7507 32c0 e9???????? c745b818000000 }
            // n = 4, score = 600
            //   7507                 | jne                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     
            //   c745b818000000       | mov                 dword ptr [ebp - 0x48], 0x18

        $sequence_43 = { 668cc8 c3 53 50 }
            // n = 4, score = 200
            //   668cc8               | mov                 ax, cs
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_44 = { 85c0 740a b8050000c0 e9???????? }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc
            //   b8050000c0           | mov                 eax, 0xc0000005
            //   e9????????           |                     

        $sequence_45 = { c744020800000000 8b45dc 69c018020000 8b4dbc }
            // n = 4, score = 100
            //   c744020800000000     | mov                 dword ptr [edx + eax + 8], 0
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   69c018020000         | imul                eax, eax, 0x218
            //   8b4dbc               | mov                 ecx, dword ptr [ebp - 0x44]

        $sequence_46 = { c7426801000000 8b4514 8b4d10 894878 8b5514 8b4508 }
            // n = 6, score = 100
            //   c7426801000000       | mov                 dword ptr [edx + 0x68], 1
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   894878               | mov                 dword ptr [eax + 0x78], ecx
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

    condition:
        7 of them and filesize < 1368064
}
[TLP:WHITE] win_cobra_w0 (20170512 | No description)
rule win_cobra_w0 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    strings:
        $s1 = "ModStart"
        $s2 = "ModuleStart"
        $t1 = "STOP|OK"
        $t2 = "STOP|KILL"

    condition:
        (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))
}
[TLP:WHITE] win_cobra_w1 (20170512 | No description)
import "pe"

rule win_cobra_w1 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    condition:
        (pe.version_info["InternalName"] contains "SERVICE.EXE" or
        pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or
        pe.version_info["InternalName"] contains "MSXIML.DLL")
        and pe.version_info["CompanyName"] contains "Microsoft Corporation"
}