Actor(s): Turla
There is no description at this point.
rule win_cobra_auto {
    // Autogenerated code-sequence rule for win.cobra (actor: Turla), produced
    // by YARA-Signator from Malpedia samples.  Each $sequence_N is a run of
    // x86 opcode bytes; the "????????" wildcards blank out the 4-byte
    // operands that shift between builds (call targets, indirect calls via
    // ff15/ff25, data references), which is consistent with the
    // signator_config of "callsandjumps;datarefs;binvalue".
    //
    // The trailing comment on every string gives n (number of byte groups /
    // instructions in the sequence) and score.  score is the generator's
    // ranking of the sequence; higher appears to mean broader coverage of
    // the reference samples -- confirm against the yara-signator docs before
    // weighting sequences by it.
    //
    // NOTE(review): the scraped page rendered this rule on a single line
    // and attached a per-opcode disassembly to each byte group; that
    // disassembly did not correspond to the bytes next to it (e.g. 75 11 is
    // a short jne, not "xor eax, eax"), so it was dropped here instead of
    // being carried over.  Regenerate from yara-signator if
    // instruction-level annotations are needed.  Splitting the statements
    // back onto their own lines is also required for correctness: in the
    // collapsed form each "//" comment would swallow the string definition
    // that followed it on the same line.
    //
    // Sequences whose bytes carry REX prefixes (41/48/49/4c, e.g.
    // $sequence_20 .. $sequence_24 and $sequence_38 .. $sequence_43) look
    // like x64 code; the remainder are 32-bit.  The "7 of them" threshold
    // and the filesize cap come from the generator; lowering the threshold
    // trades precision for recall, so keep it when assigning a confidence
    // level to hits.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cobra."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 7511 e8???????? 85c0 7508 ff15???????? } // n = 5, score = 2900
        $sequence_1 = { c20c00 ff25???????? 53 56 57 8bd9 33f6 } // n = 7, score = 2500
        $sequence_2 = { 85c0 0f8e8c000000 83e801 8905???????? } // n = 4, score = 2500
        $sequence_3 = { 85c0 750e 33ff 8bc7 } // n = 4, score = 2500
        $sequence_4 = { 83f801 75f1 b900010000 e8???????? } // n = 4, score = 2500
        $sequence_5 = { c3 85db 7405 83fb03 } // n = 4, score = 2500
        $sequence_6 = { 5b c3 83fb01 7405 83fb02 } // n = 5, score = 2500
        $sequence_7 = { 7514 391d???????? 754d 33c0 } // n = 4, score = 2500
        $sequence_8 = { 5f 5e 5b c3 85ff 7418 } // n = 6, score = 2500
        $sequence_9 = { e8???????? 8bf8 83fb01 751d 85ff } // n = 5, score = 2500
        $sequence_10 = { ff25???????? 8b442408 85c0 750e 3905???????? 7e2c ff0d???????? } // n = 7, score = 2500
        $sequence_11 = { 33d2 b9e8030000 f7f1 83f805 } // n = 4, score = 2300
        $sequence_12 = { 813c0850450000 7503 33c0 c3 } // n = 4, score = 2100
        $sequence_13 = { 7407 33c0 e9???????? ff15???????? e9???????? } // n = 5, score = 1900
        $sequence_14 = { eb1a 89730c e8???????? 257f000080 } // n = 4, score = 1900
        $sequence_15 = { e8???????? 8d4644 50 e8???????? 8b4508 8930 } // n = 6, score = 1900
        $sequence_16 = { ff15???????? 59 ff75f8 ff15???????? 5f 8bc6 5e } // n = 7, score = 1900
        $sequence_17 = { 7f07 e8???????? eb26 83c0ff } // n = 4, score = 1200
        $sequence_18 = { eb6d e8???????? 85c0 7564 } // n = 4, score = 1200
        $sequence_19 = { e8???????? 33db 3bc3 741a } // n = 4, score = 1200
        $sequence_20 = { 750e e8???????? 48832700 e9???????? 488b2e } // n = 5, score = 1100
        $sequence_21 = { e8???????? 498bce 85c0 750e } // n = 4, score = 1100
        $sequence_22 = { 85c0 750b e8???????? 48832700 } // n = 4, score = 1100
        $sequence_23 = { 7564 488b0b 488b01 83385c 7e4b } // n = 5, score = 1100
        $sequence_24 = { ff5064 488b0e 4883c108 e8???????? 488b5c2430 488b6c2438 488b742440 } // n = 7, score = 1100
        $sequence_25 = { 7504 33c0 eb05 b865005921 } // n = 4, score = 900
        $sequence_26 = { 83781400 750a b865005921 e9???????? } // n = 4, score = 900
        $sequence_27 = { 83c0fe 668b4802 83c002 663bcb 75f4 8b15???????? 8b0d???????? } // n = 7, score = 800
        $sequence_28 = { c3 8b4d08 57 51 6a00 } // n = 5, score = 800
        $sequence_29 = { 6689440ffc 6685c0 75ee f685c003000010 } // n = 4, score = 800
        $sequence_30 = { 6a18 8d45e8 50 6a00 6aff e8???????? 85c0 } // n = 7, score = 800
        $sequence_31 = { 8908 8b0d???????? 895004 894808 33c0 } // n = 5, score = 800
        $sequence_32 = { 83feff 7505 33c0 5e 5d c3 8b4d08 } // n = 7, score = 800
        $sequence_33 = { ff15???????? 83f87a 740b 3d230000c0 } // n = 4, score = 800
        $sequence_34 = { 8bec 56 6a00 6880000000 6a03 6a00 6a03 } // n = 7, score = 800
        $sequence_35 = { 68???????? 51 ffd6 83c40c 6a28 } // n = 5, score = 800
        $sequence_36 = { 6a03 68000000c0 50 ff15???????? 8bf0 83feff 7505 } // n = 7, score = 800
        $sequence_37 = { 8b7d0c 3bc3 7508 3bfb } // n = 4, score = 800
        $sequence_38 = { 33d2 488bc8 ff15???????? 488bcf ff15???????? 41b701 } // n = 6, score = 700
        $sequence_39 = { 4c89642448 488d4c2468 48894c2440 4c89642438 } // n = 4, score = 700
        $sequence_40 = { 4533e4 4c8bf1 488bda 488d8d10060000 33d2 41b808020000 4489a5800c0000 } // n = 7, score = 700
        $sequence_41 = { 56 4154 4156 4157 488dac24b8f3ffff } // n = 5, score = 700
        $sequence_42 = { 84c0 0f45f9 488bce 8bd7 ff15???????? 85c0 } // n = 6, score = 700
        $sequence_43 = { 33c0 4881c4480d0000 415f 415e 415c 5e 5b } // n = 7, score = 700
        $sequence_44 = { 8d8588feffff 68???????? 50 ff15???????? 83c42c } // n = 5, score = 700
        $sequence_45 = { 7507 32c0 e9???????? c745b818000000 } // n = 4, score = 600
        $sequence_46 = { 6685c9 75f5 2bc2 d1f8 66837c43fe5c } // n = 5, score = 500
        $sequence_47 = { 33f6 03c2 13ce 51 } // n = 4, score = 500
        $sequence_48 = { 05a2000000 50 8d8c249c0d0000 68???????? } // n = 4, score = 300
        $sequence_49 = { 0f8431ffffff 8b4d08 5f 8931 } // n = 4, score = 300
        $sequence_50 = { 0f8456feffff 807c241301 6800080000 0f8544020000 } // n = 4, score = 300
        $sequence_51 = { 05a2000000 50 8d94249c0d0000 68???????? } // n = 4, score = 300
        $sequence_52 = { 0f84100f0000 6800080000 57 56 } // n = 4, score = 300
        $sequence_53 = { 05a1000000 50 8d84249c0d0000 68???????? } // n = 4, score = 300
        $sequence_54 = { 668cc8 c3 53 50 } // n = 4, score = 200
        $sequence_55 = { 85c0 740a b8050000c0 e9???????? } // n = 4, score = 200
        $sequence_56 = { c745d438390100 66c745f81200 66c745fa1400 c745fc???????? c745a018000000 } // n = 5, score = 100

    condition:
        // At least 7 of the 57 sequences must be present, and the scanned
        // object must be smaller than 1368064 bytes (about 1.3 MiB).
        7 of them and filesize < 1368064
}
rule win_cobra_w0 {
    // ESET Research rule (see `source`) for the Cobra/Carbon second-stage
    // backdoor attributed to Turla.  It requires an MZ header plus one of
    // two strings that look like module-start markers and one of two
    // "STOP|..." control tokens.
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // Plain text strings are ASCII and case-sensitive by default; no
        // `wide` or `nocase` modifier is set, so UTF-16 or differently
        // cased copies of these tokens are not matched as written.
        $start_short = "ModStart"
        $start_long  = "ModuleStart"
        $token_ok    = "STOP|OK"
        $token_kill  = "STOP|KILL"
    condition:
        // 0x5a4d is "MZ" read little-endian at offset 0.
        uint16(0) == 0x5a4d
        and 1 of ($start_*)
        and 1 of ($token_*)
}
import "pe"

rule win_cobra_w1 {
    // ESET Research rule (see `source`) for Cobra/Carbon components whose
    // version resource presents itself as Microsoft's: CompanyName carries
    // "Microsoft Corporation" and InternalName is one of three file names.
    // No byte patterns or body strings are used, so the match rests
    // entirely on the PE version-info fields; any other binary reusing
    // those resource values would match as well.
    meta:
        author = "ESET Research"
        source = "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/#_footnote_2"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
        malpedia_version = "20170512"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    condition:
        // `contains` is a case-sensitive substring test, so a resource that
        // spells the InternalName in lower case is not matched as written.
        pe.version_info["CompanyName"] contains "Microsoft Corporation"
        and (
            pe.version_info["InternalName"] contains "SERVICE.EXE"
            or pe.version_info["InternalName"] contains "MSIMGHLP.DLL"
            or pe.version_info["InternalName"] contains "MSXIML.DLL"
        )
}