win.cobra

Cobra Carbon System

aka: Carbon

Actor(s): Turla Group


There is no description at this point. The references below (e.g. ESET's 2017 "Carbon Paper" analysis) describe Cobra/Carbon as a second-stage backdoor used by the Turla Group.

References
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-09-25Github (sisoma2)Marc
@online{marc:20200925:turla:06db824, author = {Marc}, title = {{Turla Carbon System}}, date = {2020-09-25}, organization = {Github (sisoma2)}, url = {https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon}, language = {English}, urldate = {2020-10-02} } Turla Carbon System
Cobra Carbon System
2020-07-21YouTube ( OPCDE with Matt Suiche)Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020SecureworksSecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2019-04-19Github (hfiref0x)hfiref0x
@online{hfiref0x:20190419:tdl:31ca191, author = {hfiref0x}, title = {{TDL (Turla Driver Loader) Repository}}, date = {2019-04-19}, organization = {Github (hfiref0x)}, url = {https://github.com/hfiref0x/TDL}, language = {English}, urldate = {2020-01-08} } TDL (Turla Driver Loader) Repository
Cobra Carbon System
2018-10-04Kaspersky LabsGReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2017-03-30ESET ResearchESET Research
@online{research:20170330:carbon:928505a, author = {ESET Research}, title = {{Carbon Paper: Peering into Turla’s second stage backdoor}}, date = {2017-03-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/}, language = {English}, urldate = {2019-11-14} } Carbon Paper: Peering into Turla’s second stage backdoor
Cobra Carbon System Turla Group
2016-05-23MELANI GovCERTGovCERT.ch
@techreport{govcertch:20160523:case:b6612e9, author = {GovCERT.ch}, title = {{APT Case RUAG - Technical Report}}, date = {2016-05-23}, institution = {MELANI GovCERT}, url = {https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf}, language = {English}, urldate = {2019-12-17} } APT Case RUAG - Technical Report
Cobra Carbon System
2016-01-14SymantecSecurity Response
@online{response:20160114:waterbug:9dbc59e, author = {Security Response}, title = {{The Waterbug attack group}}, date = {2016-01-14}, organization = {Symantec}, url = {https://docs.broadcom.com/doc/waterbug-attack-group}, language = {English}, urldate = {2022-04-25} } The Waterbug attack group
Agent.BTZ Cobra Carbon System Wipbot Turla Group
2015-01-20G DataG Data
@online{data:20150120:analysis:2fe6cf2, author = {G Data}, title = {{Analysis of Project Cobra}}, date = {2015-01-20}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra}, language = {English}, urldate = {2020-01-05} } Analysis of Project Cobra
Cobra Carbon System
2014-08-07Kaspersky LabsGReAT
@online{great:20140807:epic:f8b0803, author = {GReAT}, title = {{The Epic Turla Operation}}, date = {2014-08-07}, organization = {Kaspersky Labs}, url = {https://securelist.com/analysis/publications/65545/the-epic-turla-operation/}, language = {English}, urldate = {2021-07-02} } The Epic Turla Operation
Cobra Carbon System Uroburos Wipbot Turla Group
2014circl.luCIRCL
@online{circl:2014:tr25:97f9b0e, author = {CIRCL}, title = {{TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos}}, date = {2014}, organization = {circl.lu}, url = {https://www.circl.lu/pub/tr-25/}, language = {English}, urldate = {2020-07-01} } TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos
Cobra Carbon System Uroburos Turla Group
Yara Rules
[TLP:WHITE] win_cobra_auto (20220411 | Detects win.cobra.)
rule win_cobra_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.cobra."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * REVIEW NOTES (comments only; the rule body is unchanged)
     * - The per-line annotations below are a decode of the hex bytes on the
     *   same line. The hex is authoritative; "????????" marks wildcarded
     *   call/jump targets and data references (signator_config above).
     *   Sequences are decoded as 32-bit x86 except those that carry REX
     *   prefixes ($sequence_37 .. $sequence_40, $sequence_42, $sequence_43),
     *   which come from a 64-bit build and are decoded as x64.
     * - The condition has no MZ/PE-header check, so the rule can also match
     *   unpacked memory dumps (the data source named above). Add
     *   `uint16(0) == 0x5a4d` only if you deploy it strictly against files.
     * - Most sequences are short, generic x86 idioms (pop/pop/ret epilogues,
     *   test/jne, argument pushes). Specificity comes from requiring 7 of
     *   the 56 sequences inside the filesize bound, not from any single
     *   string; treat a hit as a triage lead and confirm with win_cobra_w0 /
     *   win_cobra_w1 or manual analysis.
     * - filesize < 1368064 (0x14E000) bounds the scan; a sample padded or
     *   bundled beyond that size is not matched.
     */


    strings:
        $sequence_0 = { 7511 e8???????? 85c0 7508 ff15???????? }
            // n = 5, score = 2900
            //   7511                 | jne                 0x13
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   ff15????????         |                     

        $sequence_1 = { c3 83f801 75f1 b900010000 e8???????? }
            // n = 5, score = 2500
            //   c3                   | ret                 
            //   83f801               | cmp                 eax, 1
            //   75f1                 | jne                 0xfffffff3
            //   b900010000           | mov                 ecx, 0x100
            //   e8????????           |                     

        $sequence_2 = { 890d???????? 753c b980000000 e8???????? 85c0 a3???????? 7504 }
            // n = 7, score = 2500
            //   890d????????         |                     
            //   753c                 | jne                 0x3e
            //   b980000000           | mov                 ecx, 0x80
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   7504                 | jne                 6

        $sequence_3 = { 5e 5b c3 83fb01 7405 83fb02 7537 }
            // n = 7, score = 2500
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   83fb01               | cmp                 ebx, 1
            //   7405                 | je                  7
            //   83fb02               | cmp                 ebx, 2
            //   7537                 | jne                 0x39

        $sequence_4 = { 85c0 a3???????? 7504 33c0 eb68 832000 }
            // n = 6, score = 2500
            //   85c0                 | test                eax, eax
            //   a3????????           |                     
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb68                 | jmp                 0x6a
            //   832000               | and                 dword ptr [eax], 0

        $sequence_5 = { e8???????? 8bf8 83fb01 751d }
            // n = 4, score = 2500
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83fb01               | cmp                 ebx, 1
            //   751d                 | jne                 0x1f

        $sequence_6 = { 7514 391d???????? 754d 33c0 }
            // n = 4, score = 2500
            //   7514                 | jne                 0x16
            //   391d????????         |                     
            //   754d                 | jne                 0x4f
            //   33c0                 | xor                 eax, eax

        $sequence_7 = { ff25???????? 53 56 57 8bd9 33f6 53 }
            // n = 7, score = 2500
            //   ff25????????         |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bd9                 | mov                 ebx, ecx
            //   33f6                 | xor                 esi, esi
            //   53                   | push                ebx

        $sequence_8 = { 5f 5e 5b c3 85db 7405 83fb03 }
            // n = 7, score = 2500
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   85db                 | test                ebx, ebx
            //   7405                 | je                  7
            //   83fb03               | cmp                 ebx, 3

        $sequence_9 = { 85c0 757f 8b05???????? 85c0 }
            // n = 4, score = 2500
            //   85c0                 | test                eax, eax
            //   757f                 | jne                 0x81
            //   8b05????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_10 = { 85c0 750e 3905???????? 7e2c ff0d???????? 83f801 8b0d???????? }
            // n = 7, score = 2500
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   3905????????         |                     
            //   7e2c                 | jle                 0x2e
            //   ff0d????????         |                     
            //   83f801               | cmp                 eax, 1
            //   8b0d????????         |                     

        $sequence_11 = { 751c 8bcf ff15???????? 8d8fe8030000 }
            // n = 4, score = 2500
            //   751c                 | jne                 0x1e
            //   8bcf                 | mov                 ecx, edi
            //   ff15????????         |                     
            //   8d8fe8030000         | lea                 ecx, dword ptr [edi + 0x3e8]

        $sequence_12 = { 5b c3 85ff 7418 }
            // n = 4, score = 2500
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   85ff                 | test                edi, edi
            //   7418                 | je                  0x1a

        $sequence_13 = { eb09 8bc5 99 2bc2 }
            // n = 4, score = 1900
            //   eb09                 | jmp                 0xb
            //   8bc5                 | mov                 eax, ebp
            //   99                   | cdq                 
            //   2bc2                 | sub                 eax, edx

        $sequence_14 = { e8???????? 8d4644 50 e8???????? 8b450c c7460801000000 83c420 }
            // n = 7, score = 1900
            //   e8????????           |                     
            //   8d4644               | lea                 eax, dword ptr [esi + 0x44]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   c7460801000000       | mov                 dword ptr [esi + 8], 1
            //   83c420               | add                 esp, 0x20

        $sequence_15 = { ff45f8 837df808 7c0b 8a041f 47 8365f800 }
            // n = 6, score = 1900
            //   ff45f8               | inc                 dword ptr [ebp - 8]
            //   837df808             | cmp                 dword ptr [ebp - 8], 8
            //   7c0b                 | jl                  0xd
            //   8a041f               | mov                 al, byte ptr [edi + ebx]
            //   47                   | inc                 edi
            //   8365f800             | and                 dword ptr [ebp - 8], 0

        $sequence_16 = { 83f8ff 7407 33c0 e9???????? ff15???????? }
            // n = 5, score = 1900
            //   83f8ff               | cmp                 eax, -1
            //   7407                 | je                  9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   ff15????????         |                     

        $sequence_17 = { 8b03 85c0 7e0b 213b }
            // n = 4, score = 1200
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   85c0                 | test                eax, eax
            //   7e0b                 | jle                 0xd
            //   213b                 | and                 dword ptr [ebx], edi

        $sequence_18 = { 8d7701 ff15???????? 8b4304 217b08 85c0 }
            // n = 5, score = 1200
            //   8d7701               | lea                 esi, dword ptr [edi + 1]
            //   ff15????????         |                     
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   217b08               | and                 dword ptr [ebx + 8], edi
            //   85c0                 | test                eax, eax

        $sequence_19 = { 7f07 e8???????? eb26 83c0ff }
            // n = 4, score = 1200
            //   7f07                 | jg                  9
            //   e8????????           |                     
            //   eb26                 | jmp                 0x28
            //   83c0ff               | add                 eax, -1

        $sequence_20 = { 7406 83430401 eb04 834b08ff }
            // n = 4, score = 1200
            //   7406                 | je                  8
            //   83430401             | add                 dword ptr [ebx + 4], 1
            //   eb04                 | jmp                 6
            //   834b08ff             | or                  dword ptr [ebx + 8], 0xffffffff

        $sequence_21 = { 894c2450 740f 034810 894c2450 }
            // n = 4, score = 1200
            //   894c2450             | mov                 dword ptr [esp + 0x50], ecx
            //   740f                 | je                  0x11
            //   034810               | add                 ecx, dword ptr [eax + 0x10]
            //   894c2450             | mov                 dword ptr [esp + 0x50], ecx

        $sequence_22 = { 5f 5e 5d c3 8bc5 ebe4 }
            // n = 6, score = 1200
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bc5                 | mov                 eax, ebp
            //   ebe4                 | jmp                 0xffffffe6

        $sequence_23 = { e8???????? 33db 3bc3 741a }
            // n = 4, score = 1200
            //   e8????????           |                     
            //   33db                 | xor                 ebx, ebx
            //   3bc3                 | cmp                 eax, ebx
            //   741a                 | je                  0x1c

        $sequence_24 = { e8???????? eb6d e8???????? 85c0 7564 }
            // n = 5, score = 1200
            //   e8????????           |                     
            //   eb6d                 | jmp                 0x6f
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7564                 | jne                 0x66

        $sequence_25 = { 83781400 750a b865005921 e9???????? }
            // n = 4, score = 900
            //   83781400             | cmp                 dword ptr [eax + 0x14], 0
            //   750a                 | jne                 0xc
            //   b865005921           | mov                 eax, 0x21590065
            //   e9????????           |                     

        $sequence_26 = { ff15???????? 83f87a 740b 3d230000c0 }
            // n = 4, score = 800
            // 0xc0000023 is the NTSTATUS value STATUS_BUFFER_TOO_SMALL; 0x7a is
            // ERROR_INSUFFICIENT_BUFFER - a buffer-resize retry pattern.
            //   ff15????????         |                     
            //   83f87a               | cmp                 eax, 0x7a
            //   740b                 | je                  0xd
            //   3d230000c0           | cmp                 eax, 0xc0000023

        $sequence_27 = { 5d c3 8b4d08 57 51 6a00 }
            // n = 6, score = 800
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   51                   | push                ecx
            //   6a00                 | push                0

        $sequence_28 = { 663bcb 75f4 8b15???????? 8b0d???????? 8910 8b15???????? 894804 }
            // n = 7, score = 800
            //   663bcb               | cmp                 cx, bx
            //   75f4                 | jne                 0xfffffff6
            //   8b15????????         |                     
            //   8b0d????????         |                     
            //   8910                 | mov                 dword ptr [eax], edx
            //   8b15????????         |                     
            //   894804               | mov                 dword ptr [eax + 4], ecx

        $sequence_29 = { 68000000c0 50 ff15???????? 8bf0 83feff 7505 }
            // n = 6, score = 800
            // push 0xc0000000 (GENERIC_READ | GENERIC_WRITE) followed by an
            // INVALID_HANDLE_VALUE (-1) check looks like a file-open call;
            // the import is wildcarded, so the callee is not pinned.
            //   68000000c0           | push                0xc0000000
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7505                 | jne                 7

        $sequence_30 = { 6689440ffc 6685c0 75ee f685c003000010 }
            // n = 4, score = 800
            //   6689440ffc           | mov                 word ptr [edi + ecx - 4], ax
            //   6685c0               | test                ax, ax
            //   75ee                 | jne                 0xfffffff0
            //   f685c003000010       | test                byte ptr [ebp + 0x3c0], 0x10

        $sequence_31 = { 83c002 663bcb 75f4 8b0d???????? 8b15???????? 8908 8b0d???????? }
            // n = 7, score = 800
            //   83c002               | add                 eax, 2
            //   663bcb               | cmp                 cx, bx
            //   75f4                 | jne                 0xfffffff6
            //   8b0d????????         |                     
            //   8b15????????         |                     
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b0d????????         |                     

        $sequence_32 = { 68???????? 51 ffd6 83c40c 6a28 }
            // n = 5, score = 800
            //   68????????           |                     
            //   51                   | push                ecx
            //   ffd6                 | call                esi
            //   83c40c               | add                 esp, 0xc
            //   6a28                 | push                0x28

        $sequence_33 = { 8b0d???????? 895004 894808 33c0 }
            // n = 4, score = 800
            //   8b0d????????         |                     
            //   895004               | mov                 dword ptr [eax + 4], edx
            //   894808               | mov                 dword ptr [eax + 8], ecx
            //   33c0                 | xor                 eax, eax

        $sequence_34 = { 53 56 33db 57 6808020000 }
            // n = 5, score = 800
            //   53                   | push                ebx
            //   56                   | push                esi
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   6808020000           | push                0x208

        $sequence_35 = { 8d45e8 50 6a00 6aff e8???????? 85c0 }
            // n = 6, score = 800
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6aff                 | push                -1
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_36 = { 51 6a00 6a00 56 ff15???????? 56 8bf8 }
            // n = 7, score = 800
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi
            //   8bf8                 | mov                 edi, eax

        $sequence_37 = { 5b 5d c3 4585e4 }
            // n = 4, score = 700 (64-bit sample; decoded as x64)
            //   5b                   | pop                 rbx
            //   5d                   | pop                 rbp
            //   c3                   | ret                 
            //   4585e4               | test                r12d, r12d

        $sequence_38 = { 48894c2450 4c89642448 488d4c2468 48894c2440 4c89642438 }
            // n = 5, score = 700 (64-bit sample; decoded as x64)
            //   48894c2450           | mov                 qword ptr [rsp + 0x50], rcx
            //   4c89642448           | mov                 qword ptr [rsp + 0x48], r12
            //   488d4c2468           | lea                 rcx, [rsp + 0x68]
            //   48894c2440           | mov                 qword ptr [rsp + 0x40], rcx
            //   4c89642438           | mov                 qword ptr [rsp + 0x38], r12

        $sequence_39 = { 498bcd ff15???????? 4c8bac24400d0000 488bbc24880d0000 4885db 7418 }
            // n = 6, score = 700 (64-bit sample; decoded as x64)
            //   498bcd               | mov                 rcx, r13
            //   ff15????????         |                     
            //   4c8bac24400d0000     | mov                 r13, qword ptr [rsp + 0xd40]
            //   488bbc24880d0000     | mov                 rdi, qword ptr [rsp + 0xd88]
            //   4885db               | test                rbx, rbx
            //   7418                 | je                  0x1a

        $sequence_40 = { ff15???????? 488bcf ff15???????? 41b701 }
            // n = 4, score = 700 (64-bit sample; decoded as x64)
            //   ff15????????         |                     
            //   488bcf               | mov                 rcx, rdi
            //   ff15????????         |                     
            //   41b701               | mov                 r15b, 1

        $sequence_41 = { 8d8588feffff 68???????? 50 ff15???????? 83c42c }
            // n = 5, score = 700
            //   8d8588feffff         | lea                 eax, dword ptr [ebp - 0x178]
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c42c               | add                 esp, 0x2c

        $sequence_42 = { b914000000 84c0 0f45f9 488bce 8bd7 }
            // n = 5, score = 700 (64-bit sample; decoded as x64)
            //   b914000000           | mov                 ecx, 0x14
            //   84c0                 | test                al, al
            //   0f45f9               | cmovne              edi, ecx
            //   488bce               | mov                 rcx, rsi
            //   8bd7                 | mov                 edx, edi

        $sequence_43 = { 488bce 8bd7 ff15???????? 85c0 }
            // n = 4, score = 700 (64-bit sample; decoded as x64)
            //   488bce               | mov                 rcx, rsi
            //   8bd7                 | mov                 edx, edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_44 = { 7507 32c0 e9???????? c745b818000000 }
            // n = 4, score = 600
            //   7507                 | jne                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     
            //   c745b818000000       | mov                 dword ptr [ebp - 0x48], 0x18

        $sequence_45 = { 668b08 83c002 6685c9 75f5 2bc2 d1f8 66837c43fe5c }
            // n = 7, score = 500
            // UTF-16 string walk to its terminator, then compares the last
            // character against 0x5c ('\') - presumably a trailing-backslash
            // check on a path; confirm against the sample.
            //   668b08               | mov                 cx, word ptr [eax]
            //   83c002               | add                 eax, 2
            //   6685c9               | test                cx, cx
            //   75f5                 | jne                 0xfffffff7
            //   2bc2                 | sub                 eax, edx
            //   d1f8                 | sar                 eax, 1
            //   66837c43fe5c         | cmp                 word ptr [ebx + eax*2 - 2], 0x5c

        $sequence_46 = { 0f8456feffff 807c241301 6800080000 0f8544020000 }
            // n = 4, score = 300
            //   0f8456feffff         | je                  0xfffffe5c
            //   807c241301           | cmp                 byte ptr [esp + 0x13], 1
            //   6800080000           | push                0x800
            //   0f8544020000         | jne                 0x24a

        $sequence_47 = { 05a1000000 50 8d84249c0d0000 68???????? }
            // n = 4, score = 300
            //   05a1000000           | add                 eax, 0xa1
            //   50                   | push                eax
            //   8d84249c0d0000       | lea                 eax, dword ptr [esp + 0xd9c]
            //   68????????           |                     

        $sequence_48 = { 0f84100f0000 6800080000 57 56 }
            // n = 4, score = 300
            //   0f84100f0000         | je                  0xf16
            //   6800080000           | push                0x800
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_49 = { 05a2000000 50 8d94249c0d0000 68???????? }
            // n = 4, score = 300
            //   05a2000000           | add                 eax, 0xa2
            //   50                   | push                eax
            //   8d94249c0d0000       | lea                 edx, dword ptr [esp + 0xd9c]
            //   68????????           |                     

        $sequence_50 = { 0f8431ffffff 8b4d08 5f 8931 }
            // n = 4, score = 300
            //   0f8431ffffff         | je                  0xffffff37
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   5f                   | pop                 edi
            //   8931                 | mov                 dword ptr [ecx], esi

        $sequence_51 = { 05a2000000 50 8d8c249c0d0000 68???????? }
            // n = 4, score = 300
            //   05a2000000           | add                 eax, 0xa2
            //   50                   | push                eax
            //   8d8c249c0d0000       | lea                 ecx, dword ptr [esp + 0xd9c]
            //   68????????           |                     

        $sequence_52 = { 668cc8 c3 53 50 }
            // n = 4, score = 200
            //   668cc8               | mov                 ax, cs
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   50                   | push                eax

        $sequence_53 = { 85c0 740a b8050000c0 e9???????? }
            // n = 4, score = 200
            // 0xc0000005 is the NTSTATUS value STATUS_ACCESS_VIOLATION.
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc
            //   b8050000c0           | mov                 eax, 0xc0000005
            //   e9????????           |                     

        $sequence_54 = { c745a018000000 c745a400000000 c745ac40000000 8d45c0 }
            // n = 4, score = 100
            //   c745a018000000       | mov                 dword ptr [ebp - 0x60], 0x18
            //   c745a400000000       | mov                 dword ptr [ebp - 0x5c], 0
            //   c745ac40000000       | mov                 dword ptr [ebp - 0x54], 0x40
            //   8d45c0               | lea                 eax, dword ptr [ebp - 0x40]

        $sequence_55 = { c745a0ffffffff c745fcffffffff 8b45a0 e9???????? }
            // n = 4, score = 100
            //   c745a0ffffffff       | mov                 dword ptr [ebp - 0x60], 0xffffffff
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8b45a0               | mov                 eax, dword ptr [ebp - 0x60]
            //   e9????????           |                     

    condition:
        // No header check on purpose (see REVIEW NOTES): 7 co-occurring
        // sequences inside the size bound, on a file or an unpacked dump.
        7 of them and filesize < 1368064
}
[TLP:WHITE] win_cobra_w0   (20170512 | No description)
rule win_cobra_w0 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    strings:
        // Strings published in the cited ESET write-up. All four are plain
        // ASCII and case-sensitive (no `wide`, no `nocase`), so a build that
        // stores them as UTF-16 or in different case would not match.
        $s1 = "ModStart"
        $s2 = "ModuleStart"
        $t1 = "STOP|OK"
        $t2 = "STOP|KILL"

    condition:
        // An on-disk PE (leading "MZ", read big-endian here) that carries
        // at least one string from EACH group. Requiring both groups is what
        // keeps the short, generic-looking $s strings from firing alone.
        uint16be(0) == 0x4d5a
            and ($s1 or $s2)
            and ($t1 or $t2)
}
[TLP:WHITE] win_cobra_w1   (20170512 | No description)
import "pe"

rule win_cobra_w1 {
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    condition:
        // Version-resource metadata only, no byte patterns: a PE that claims
        // "Microsoft Corporation" as vendor and whose InternalName is one of
        // three names the cited ESET write-up ties to this family. Notes:
        //  - `contains` is case-sensitive; a differently cased InternalName
        //    (e.g. "service.exe") is not matched. `icontains` (YARA 4.1+)
        //    would widen this, at the cost of more benign hits.
        //  - On a file without a version resource the lookups are undefined,
        //    which YARA treats as false, so the rule simply does not fire.
        //  - Vendor strings are attacker-controlled, so treat a hit as a
        //    triage lead rather than proof of the family.
        pe.version_info["CompanyName"] contains "Microsoft Corporation"
            and (
                pe.version_info["InternalName"] contains "SERVICE.EXE"
                or pe.version_info["InternalName"] contains "MSIMGHLP.DLL"
                or pe.version_info["InternalName"] contains "MSXIML.DLL"
            )
}