NewPass (Malware Family)

NewPass

There is no description at this point.
References

2020-07-14 ⋅ Telsy ⋅ Telsy
Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene
NewPass Turla Group
Yara Rules

[TLP:WHITE] win_newpass_auto (20220411 | Detects win.newpass.)
rule win_newpass_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.newpass."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newpass"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb9c 663902 41b901000000 450f42cd eb92 498bd6 4d3bca }
            // n = 7, score = 500
            //   eb9c                 | lea                 eax, dword ptr [0x6c5c7]
            //   663902               | jne                 0x45a
            //   41b901000000         | dec                 eax
            //   450f42cd             | mov                 dword ptr [esp + 0x50], eax
            //   eb92                 | dec                 eax
            //   498bd6               | mov                 ebx, ecx
            //   4d3bca               | dec                 eax

        $sequence_1 = { 8803 48ffc3 48895c2448 e9???????? 483bdf 7561 488bc7 }
            // n = 7, score = 500
            //   8803                 | xor                 al, byte ptr [eax + ecx]
            //   48ffc3               | xor                 al, 0xcf
            //   48895c2448           | mov                 byte ptr [ecx], al
            //   e9????????           |                     
            //   483bdf               | inc                 edx
            //   7561                 | dec                 eax
            //   488bc7               | inc                 ecx

        $sequence_2 = { 4c895d10 6644895d00 4883cbff 66443918 7505 4d8bc3 eb14 }
            // n = 7, score = 500
            //   4c895d10             | je                  0x53a
            //   6644895d00           | jmp                 0x724
            //   4883cbff             | dec                 eax
            //   66443918             | lea                 ecx, dword ptr [0x3fb13]
            //   7505                 | test                al, al
            //   4d8bc3               | movzx               edi, byte ptr [esp + 0x22]
            //   eb14                 | je                  0x550

        $sequence_3 = { 33c0 c3 488b4008 c3 48833d????????00 488d05f9510200 740f }
            // n = 7, score = 500
            //   33c0                 | inc                 eax
            //   c3                   | cmp                 edx, 0x21
            //   488b4008             | jb                  0x230
            //   c3                   | dec                 eax
            //   48833d????????00     |                     
            //   488d05f9510200       | lea                 ebp, dword ptr [0x6ac2c]
            //   740f                 | dec                 ecx

        $sequence_4 = { e9???????? 41b901000000 4d8bc7 498bd6 498bcc e8???????? 85c0 }
            // n = 7, score = 500
            //   e9????????           |                     
            //   41b901000000         | mov                 ebx, dword ptr [ecx]
            //   4d8bc7               | dec                 eax
            //   498bd6               | lea                 edx, dword ptr [esp + 0x38]
            //   498bcc               | dec                 eax
            //   e8????????           |                     
            //   85c0                 | sub                 esp, 0x20

        $sequence_5 = { 5f c3 488b6c2438 89710c 897108 488b742440 48c70100000000 }
            // n = 7, score = 500
            //   5f                   | test                ecx, ecx
            //   c3                   | jne                 0x4f6
            //   488b6c2438           | test                edx, edx
            //   89710c               | je                  0x515
            //   897108               | dec                 eax
            //   488b742440           | lea                 eax, dword ptr [0x52b75]
            //   48c70100000000       | jmp                 0x528

        $sequence_6 = { ff15???????? 488d151bb50100 483305???????? 488bcb 488905???????? ff15???????? 488d1515b50100 }
            // n = 7, score = 500
            //   ff15????????         |                     
            //   488d151bb50100       | dec                 eax
            //   483305????????       |                     
            //   488bcb               | sub                 edx, ebx
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488d1515b50100       | dec                 eax

        $sequence_7 = { c645b000 803800 7505 4c8bc6 eb16 4d8bc4 660f1f840000000000 }
            // n = 7, score = 500
            //   c645b000             | dec                 ecx
            //   803800               | or                  eax, 0xffffffff
            //   7505                 | dec                 ecx
            //   4c8bc6               | inc                 eax
            //   eb16                 | inc                 ebp
            //   4d8bc4               | xor                 eax, eax
            //   660f1f840000000000     | dec    esp

        $sequence_8 = { 488bc8 e8???????? 4c8bf8 48894587 41bd01000000 488b4d97 4885c9 }
            // n = 7, score = 500
            //   488bc8               | sub                 esi, edx
            //   e8????????           |                     
            //   4c8bf8               | cmp                 byte ptr [edx], 0
            //   48894587             | jne                 0x531
            //   41bd01000000         | inc                 ecx
            //   488b4d97             | sub                 edx, eax
            //   4885c9               | xor                 eax, eax

        $sequence_9 = { 49b80026000001000000 0f110424 488b1424 0f1f8000000000 0fb602 3c20 770f }
            // n = 7, score = 500
            //   49b80026000001000000     | dec    eax
            //   0f110424             | lea                 edx, dword ptr [0x1619c]
            //   488b1424             | lea                 ecx, dword ptr [edi + 0xf]
            //   0f1f8000000000       | dec                 eax
            //   0fb602               | lea                 ebx, dword ptr [0x5192f]
            //   3c20                 | dec                 eax
            //   770f                 | test                eax, eax

    condition:
        7 of them and filesize < 1286144
}
Download all Yara Rules
NewPass Propose Change

References

Yara Rules

NewPass
