SYMBOLCOMMON_NAMEaka. SYNONYMS
win.newcore_rat (Back to overview)

NewCore RAT

Actor(s): Hellsing

There is no description at this point.

References
2020-06-03Kaspersky LabsGReAT, Mark Lechtik, Giampaolo Dedola
@online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit Hellsing
2020-05-01Viettel CybersecurityCyberthreat
@online{cyberthreat:20200501:chin:3a4fb89, author = {Cyberthreat}, title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}}, date = {2020-05-01}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/}, language = {Vietnamese}, urldate = {2020-09-09} } Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX
2020-02-12MeltX0R SecurityMeltX0R
@online{meltx0r:20200212:goblin:e79762e, author = {MeltX0R}, title = {{Goblin Panda APT: Recent infrastructure and RAT analysis}}, date = {2020-02-12}, organization = {MeltX0R Security}, url = {https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html}, language = {English}, urldate = {2020-02-25} } Goblin Panda APT: Recent infrastructure and RAT analysis
NewCore RAT
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2019-05-02Medium SebdravenSébastien Larinier
@online{larinier:20190502:goblin:a0118b4, author = {Sébastien Larinier}, title = {{Goblin Panda continues to target Vietnam}}, date = {2019-05-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6}, language = {English}, urldate = {2019-10-23} } Goblin Panda continues to target Vietnam
NewCore RAT
2017-09-05FortinetJasper Manuel, Artem Semenchenko
@online{manuel:20170905:rehashed:c3d5a4c, author = {Jasper Manuel and Artem Semenchenko}, title = {{Rehashed RAT Used in APT Campaign Against Vietnamese Organizations}}, date = {2017-09-05}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations}, language = {English}, urldate = {2019-10-23} } Rehashed RAT Used in APT Campaign Against Vietnamese Organizations
NewCore RAT
Yara Rules
[TLP:WHITE] win_newcore_rat_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_newcore_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c744242000000000 ff15???????? 85c0 0f8483010000 90 83f8ff 0f8479010000 }
            // n = 7, score = 100
            //   c744242000000000     | mov                 dword ptr [esp + 0x20], 0
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8483010000         | je                  0x189
            //   90                   | nop                 
            //   83f8ff               | cmp                 eax, -1
            //   0f8479010000         | je                  0x17f

        $sequence_1 = { 8da42400000000 8a540c54 30540424 83f803 7502 33c0 41 }
            // n = 7, score = 100
            //   8da42400000000       | lea                 esp, [esp]
            //   8a540c54             | mov                 dl, byte ptr [esp + ecx + 0x54]
            //   30540424             | xor                 byte ptr [esp + eax + 0x24], dl
            //   83f803               | cmp                 eax, 3
            //   7502                 | jne                 4
            //   33c0                 | xor                 eax, eax
            //   41                   | inc                 ecx

        $sequence_2 = { 89542418 83f804 73e3 85c0 7454 8a5d00 3a1a }
            // n = 7, score = 100
            //   89542418             | mov                 dword ptr [esp + 0x18], edx
            //   83f804               | cmp                 eax, 4
            //   73e3                 | jae                 0xffffffe5
            //   85c0                 | test                eax, eax
            //   7454                 | je                  0x56
            //   8a5d00               | mov                 bl, byte ptr [ebp]
            //   3a1a                 | cmp                 bl, byte ptr [edx]

        $sequence_3 = { bf08000000 c744241400000000 8d4900 8d442414 50 57 }
            // n = 6, score = 100
            //   bf08000000           | mov                 edi, 8
            //   c744241400000000     | mov                 dword ptr [esp + 0x14], 0
            //   8d4900               | lea                 ecx, [ecx]
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_4 = { 8bc6 c1f805 83e61f c1e606 033485c0cd0310 8b45e4 }
            // n = 6, score = 100
            //   8bc6                 | mov                 eax, esi
            //   c1f805               | sar                 eax, 5
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   033485c0cd0310       | add                 esi, dword ptr [eax*4 + 0x1003cdc0]
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_5 = { b804000000 b909000000 33d2 66898424b6000000 66898c24b8000000 }
            // n = 5, score = 100
            //   b804000000           | mov                 eax, 4
            //   b909000000           | mov                 ecx, 9
            //   33d2                 | xor                 edx, edx
            //   66898424b6000000     | mov                 word ptr [esp + 0xb6], ax
            //   66898c24b8000000     | mov                 word ptr [esp + 0xb8], cx

        $sequence_6 = { 50 ffd7 c7869040000000000000 8b868c400000 85c0 740d 50 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   c7869040000000000000     | mov    dword ptr [esi + 0x4090], 0
            //   8b868c400000         | mov                 eax, dword ptr [esi + 0x408c]
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   50                   | push                eax

        $sequence_7 = { 8bac2470080000 8944240c 8b8514100000 56 8b35???????? 33db 57 }
            // n = 7, score = 100
            //   8bac2470080000       | mov                 ebp, dword ptr [esp + 0x870]
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   8b8514100000         | mov                 eax, dword ptr [ebp + 0x1014]
            //   56                   | push                esi
            //   8b35????????         |                     
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi

        $sequence_8 = { 6a00 50 8bf1 c744241800000000 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   50                   | push                eax
            //   8bf1                 | mov                 esi, ecx
            //   c744241800000000     | mov                 dword ptr [esp + 0x18], 0

        $sequence_9 = { 52 e8???????? 8b44241c 83c0f0 83c40c 8d480c 83caff }
            // n = 7, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   83c0f0               | add                 eax, -0x10
            //   83c40c               | add                 esp, 0xc
            //   8d480c               | lea                 ecx, [eax + 0xc]
            //   83caff               | or                  edx, 0xffffffff

    condition:
        7 of them and filesize < 581632
}
Download all Yara Rules