win.newpass

NewPass

Actor(s): Turla Group


There is no description at this point.

References
2020-07-14 Telsy (Telsy)
@online{telsy:20200714:turla:ef6592e, author = {Telsy}, title = {{Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene}}, date = {2020-07-14}, organization = {Telsy}, url = {https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/}, language = {English}, urldate = {2020-07-16} } Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene
NewPass Turla
Yara Rules
[TLP:WHITE] win_newpass_auto (20220808 | Detects win.newpass.)
/*
 * Autogenerated YARA-Signator rule for the Turla-attributed NewPass family
 * (Malpedia entry win.newpass). It matches when at least 7 of the 10 opcode
 * sequences below are present in a file smaller than 1286144 bytes.
 *
 * NOTE(review): the per-instruction disassembly printed as comments next to
 * each $sequence does NOT decode the bytes on the same line. The byte strings
 * are x86-64 (REX prefixes 48/4c/4d/41, rip-relative loads such as 488b05),
 * whereas the annotations appear to be a 32-bit decode of some other
 * location -- e.g. 84c0 is `test al, al`, 7505 is `jne +5` and eb0f is
 * `jmp +0xf`, not the `dec esp` / `lea` / `mov` shown. Treat the byte strings
 * as authoritative and the annotations as untrusted when reading or tuning
 * this rule.
 */
rule win_newpass_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.newpass."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newpass"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive instruction encodings; "??"
        // wildcards mask 32-bit displacements/relative targets that vary
        // between builds. "score" is YARA-Signator's selection score, not a
        // YARA weight -- every string counts equally in the condition.
        $sequence_0 = { c6455800 84c0 7505 4c8bc6 eb0f 4d8bc7 6690 }
            // n = 7, score = 500
            //   c6455800             | jb                  0x33b
            //   84c0                 | dec                 esp
            //   7505                 | lea                 ecx, [0x88105]
            //   4c8bc6               | inc                 ecx
            //   eb0f                 | mov                 byte ptr [eax - 1], al
            //   4d8bc7               | cmp                 ecx, 0xc
            //   6690                 | jb                  0x34b

        $sequence_1 = { 482bc2 48c1f805 48ffc8 0f8404010000 4c8b7c2460 0f1f4000 }
            // n = 6, score = 500
            //   482bc2               | mov                 eax, ebx
            //   48c1f805             | jmp                 0x1170
            //   48ffc8               | dec                 esp
            //   0f8404010000         | mov                 eax, edi
            //   4c8b7c2460           | dec                 ecx
            //   0f1f4000             | inc                 eax

        $sequence_2 = { c745e007000000 668945c6 0fb745b0 488d55c0 668945c4 b830000000 668945c0 }
            // n = 7, score = 500
            //   c745e007000000       | dec                 ecx
            //   668945c6             | mov                 edx, esp
            //   0fb745b0             | dec                 eax
            //   488d55c0             | mov                 ecx, ebx
            //   668945c4             | test                al, al
            //   b830000000           | jne                 0x4c9
            //   668945c0             | cmp                 byte ptr [ebx + 8], al

        $sequence_3 = { 448d4a04 41b800100000 4903ce 488bd7 4889442420 ff5628 4885c0 }
            // n = 7, score = 500
            //   448d4a04             | dec                 eax
            //   41b800100000         | lea                 eax, [ebp - 0x59]
            //   4903ce               | dec                 esp
            //   488bd7               | cmp                 esp, dword ptr [ebp - 0x18]
            //   4889442420           | jb                  0xb2
            //   ff5628               | jmp                 0x1e0
            //   4885c0               | dec                 ebx

        // NOTE(review): e8 ???????? is `call rel32` with the target wildcarded.
        // The middle of this sequence (mov rcx,[rbp+0x37]; xor rcx,rsp; call ...;
        // lea r11,[rsp+0xd0]; mov rbx,[r11+0x30]; mov rsi,[r11+0x38]) looks like
        // a standard MSVC /GS stack-cookie check + epilogue, so on its own it
        // adds little family-specific evidence -- verify before weighting it.
        $sequence_4 = { e8???????? 488b4d37 4833cc e8???????? 4c8d9c24d0000000 498b5b30 498b7338 }
            // n = 7, score = 500
            //   e8????????           |                     
            //   488b4d37             | xor                 cl, byte ptr [ecx + 0xc]
            //   4833cc               | inc                 ecx
            //   e8????????           |                     
            //   4c8d9c24d0000000     | mov                 byte ptr [edx + edx - 1], cl
            //   498b5b30             | inc                 ebp
            //   498b7338             | cmp                 eax, dword ptr [ecx + 8]

        $sequence_5 = { 488b01 ff9000010000 488b4f10 488bd3 488b01 ff9010010000 488b4f10 }
            // n = 7, score = 500
            //   488b01               | dec                 esp
            //   ff9000010000         | lea                 eax, [0x87e25]
            //   488b4f10             | jne                 0x4b8
            //   488bd3               | dec                 ecx
            //   488b01               | mov                 ecx, eax
            //   ff9010010000         | dec                 esp
            //   488b4f10             | lea                 eax, [0x8824d]

        $sequence_6 = { 7404 3c09 7505 48ffc1 ebe8 48894c2428 0f10442428 }
            // n = 7, score = 500
            //   7404                 | jmp                 0x102
            //   3c09                 | dec                 eax
            //   7505                 | lea                 eax, [0x62ccc]
            //   48ffc1               | dec                 eax
            //   ebe8                 | mov                 dword ptr [esp + 0x50], 7
            //   48894c2428           | inc                 ebp
            //   0f10442428           | xor                 eax, eax

        $sequence_7 = { 483bc7 0f87b3000000 4885c9 0f849c000000 410fbae019 7343 }
            // n = 6, score = 500
            //   483bc7               | lea                 edx, [0x6c478]
            //   0f87b3000000         | lea                 ecx, [eax + 0x77]
            //   4885c9               | jmp                 0x1d40
            //   0f849c000000         | jne                 0x1d4c
            //   410fbae019           | dec                 eax
            //   7343                 | lea                 edx, [0x6ce86]

        // 4c8b0d ???????? is `mov r9, [rip + disp32]` with the displacement wildcarded.
        $sequence_8 = { 7549 418bd6 4d8bc2 4c8b0d???????? 4d2bca 0f1f840000000000 8bca }
            // n = 7, score = 500
            //   7549                 | xor                 al, cl
            //   418bd6               | xor                 al, 0xd9
            //   4d8bc2               | dec                 ecx
            //   4c8b0d????????       |                     
            //   4d2bca               | or                  ecx, 0xffffff00
            //   0f1f840000000000     | inc                 ecx
            //   8bca                 | inc                 ebx

        // NOTE(review): 488b05 ???????? 4833c4 4889442478 decodes to
        // mov rax,[rip+disp32]; xor rax,rsp; mov [rsp+0x78],rax -- the usual
        // MSVC /GS stack-cookie prologue, preceded by mov qword [rsp+0x48],-2.
        // This is compiler boilerplate shared by many x64 PE files; it should
        // not be relied on as a distinguishing sequence by itself.
        $sequence_9 = { 48c7442448feffffff 48899c24c0000000 488b05???????? 4833c4 4889442478 450fb6f0 488bf1 }
            // n = 7, score = 500
            //   48c7442448feffffff     | mov    ecx, dword ptr [ebp + 0x48]
            //   48899c24c0000000     | dec                 eax
            //   488b05????????       |                     
            //   4833c4               | mov                 edx, 0xfffffffe
            //   4889442478           | inc                 esp
            //   450fb6f0             | lea                 eax, [edx + 3]
            //   488bf1               | mov                 edx, 0xa

    condition:
        // At least 7 of the 10 $sequence_* strings must be present, so up to
        // three may be missing (e.g. in a recompiled or partially unpacked
        // sample). The size cap (1286144 bytes, ~1.23 MiB) bounds scan cost and
        // excludes larger carriers; raise it if NewPass is embedded in bigger
        // containers you need to scan.
        7 of them and filesize < 1286144
}