SYMBOLCOMMON_NAMEaka. SYNONYMS
win.newcore_rat (Back to overview)

NewCore RAT

Actor(s): Hellsing


There is no description at this point.

References
2020-09-24CAROMark Lechtik, Giampaolo Dedola
@online{lechtik:20200924:cycldek:8b488b1, author = {Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek aka Goblin Panda: Chronicles of the Goblin}}, date = {2020-09-24}, organization = {CARO}, url = {https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view}, language = {English}, urldate = {2020-09-25} } Cycldek aka Goblin Panda: Chronicles of the Goblin
NewCore RAT USBCulprit
2020-06-03Kaspersky LabsGReAT, Mark Lechtik, Giampaolo Dedola
@online{great:20200603:cycldek:ed9a830, author = {GReAT and Mark Lechtik and Giampaolo Dedola}, title = {{Cycldek: Bridging the (air) gap}}, date = {2020-06-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/}, language = {English}, urldate = {2020-06-03} } Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing
2020-05-01Viettel CybersecurityCyberthreat
@online{cyberthreat:20200501:chin:3a4fb89, author = {Cyberthreat}, title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}}, date = {2020-05-01}, organization = {Viettel Cybersecurity}, url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/}, language = {Vietnamese}, urldate = {2020-09-09} } Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX
2020-02-12MeltX0R SecurityMeltX0R
@online{meltx0r:20200212:goblin:e79762e, author = {MeltX0R}, title = {{Goblin Panda APT: Recent infrastructure and RAT analysis}}, date = {2020-02-12}, organization = {MeltX0R Security}, url = {https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html}, language = {English}, urldate = {2020-02-25} } Goblin Panda APT: Recent infrastructure and RAT analysis
NewCore RAT
2020-01-29nao_sec blognao_sec
@online{naosec:20200129:overhead:ec0aeb5, author = {nao_sec}, title = {{An Overhead View of the Royal Road}}, date = {2020-01-29}, organization = {nao_sec blog}, url = {https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html}, language = {English}, urldate = {2020-02-03} } An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2019-05-02Medium SebdravenSébastien Larinier
@online{larinier:20190502:goblin:a0118b4, author = {Sébastien Larinier}, title = {{Goblin Panda continues to target Vietnam}}, date = {2019-05-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6}, language = {English}, urldate = {2019-10-23} } Goblin Panda continues to target Vietnam
NewCore RAT
2017-09-05FortinetJasper Manuel, Artem Semenchenko
@online{manuel:20170905:rehashed:c3d5a4c, author = {Jasper Manuel and Artem Semenchenko}, title = {{Rehashed RAT Used in APT Campaign Against Vietnamese Organizations}}, date = {2017-09-05}, organization = {Fortinet}, url = {https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations}, language = {English}, urldate = {2019-10-23} } Rehashed RAT Used in APT Campaign Against Vietnamese Organizations
NewCore RAT
Yara Rules
[TLP:WHITE] win_newcore_rat_auto (20230715 | Detects win.newcore_rat.)
rule win_newcore_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.newcore_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c20400 8b8e3c200000 8d542404 52 50 8b442414 50 }
            // n = 7, score = 100
            //   c20400               | ret                 4
            //   8b8e3c200000         | mov                 ecx, dword ptr [esi + 0x203c]
            //   8d542404             | lea                 edx, [esp + 4]
            //   52                   | push                edx
            //   50                   | push                eax
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   50                   | push                eax

        $sequence_1 = { 33c0 6a08 56 8d54241c 52 81c110040000 8944243c }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   6a08                 | push                8
            //   56                   | push                esi
            //   8d54241c             | lea                 edx, [esp + 0x1c]
            //   52                   | push                edx
            //   81c110040000         | add                 ecx, 0x410
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax

        $sequence_2 = { e8???????? 8b8c247c140200 5f 5e 5b 33cc }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b8c247c140200       | mov                 ecx, dword ptr [esp + 0x2147c]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   33cc                 | xor                 ecx, esp

        $sequence_3 = { 0437 eb02 0430 83e10f 88442434 8bc1 83f809 }
            // n = 7, score = 100
            //   0437                 | add                 al, 0x37
            //   eb02                 | jmp                 4
            //   0430                 | add                 al, 0x30
            //   83e10f               | and                 ecx, 0xf
            //   88442434             | mov                 byte ptr [esp + 0x34], al
            //   8bc1                 | mov                 eax, ecx
            //   83f809               | cmp                 eax, 9

        $sequence_4 = { eb03 80c130 83e20f 884802 8bca 83f909 }
            // n = 6, score = 100
            //   eb03                 | jmp                 5
            //   80c130               | add                 cl, 0x30
            //   83e20f               | and                 edx, 0xf
            //   884802               | mov                 byte ptr [eax + 2], cl
            //   8bca                 | mov                 ecx, edx
            //   83f909               | cmp                 ecx, 9

        $sequence_5 = { 8bc6 e8???????? eb0c c7035a1b0000 c70600000000 33d2 33c9 }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   eb0c                 | jmp                 0xe
            //   c7035a1b0000         | mov                 dword ptr [ebx], 0x1b5a
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx

        $sequence_6 = { 6880000000 8d442448 50 56 ff15???????? 56 }
            // n = 6, score = 100
            //   6880000000           | push                0x80
            //   8d442448             | lea                 eax, [esp + 0x48]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi

        $sequence_7 = { 5d c21400 8b8638200000 6a00 6800010084 6a00 6a00 }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   c21400               | ret                 0x14
            //   8b8638200000         | mov                 eax, dword ptr [esi + 0x2038]
            //   6a00                 | push                0
            //   6800010084           | push                0x84000100
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_8 = { 5d c3 8b04cd948d0310 5d c3 0544ffffff }
            // n = 6, score = 100
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b04cd948d0310       | mov                 eax, dword ptr [ecx*8 + 0x10038d94]
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   0544ffffff           | add                 eax, 0xffffff44

        $sequence_9 = { 7e04 0437 eb02 0430 0fb64c2428 88442433 8bc1 }
            // n = 7, score = 100
            //   7e04                 | jle                 6
            //   0437                 | add                 al, 0x37
            //   eb02                 | jmp                 4
            //   0430                 | add                 al, 0x30
            //   0fb64c2428           | movzx               ecx, byte ptr [esp + 0x28]
            //   88442433             | mov                 byte ptr [esp + 0x33], al
            //   8bc1                 | mov                 eax, ecx

    condition:
        7 of them and filesize < 581632
}
Download all Yara Rules