win.newpass

NewPass

Actor(s): Turla Group


There is no description at this point.

References
2020-07-14TelsyTelsy
@online{telsy:20200714:turla:ef6592e, author = {Telsy}, title = {{Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene}}, date = {2020-07-14}, organization = {Telsy}, url = {https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/}, language = {English}, urldate = {2020-07-16} } Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene
NewPass Turla Group
Yara Rules
[TLP:WHITE] win_newpass_auto (20210616 | Detects win.newpass.)
rule win_newpass_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.newpass."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newpass"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTES (review)
     * - Every sequence below carries REX prefixes (0x41/0x48/0x49/0x4c), so
     *   the patterns target 64-bit code. The "//" mnemonics printed under
     *   each sequence do not appear to decode the bytes next to them (e.g.
     *   49ffc1 is annotated "push ebp" but decodes to inc r9). Treat those
     *   annotations as generator output rather than a disassembly of the
     *   pattern - TODO confirm against the yara-signator version used.
     * - "??" bytes wildcard operands that change between builds or load
     *   addresses (the rel32 of e8/e9/ff15 and the RIP-relative displacement
     *   of c605); presumably chosen so the sequence survives relocation.
     * - $sequence_4 looks like a standard MSVC function epilogue (xor rcx,rsp
     *   stack-cookie check, lea r11,[rsp+0xd0], restore of rbx/rsi) and may
     *   therefore also be present in unrelated binaries built with the same
     *   toolchain; it adds little specificity on its own.
     * - Per the DISCLAIMER, the sequences come from a single sample. The
     *   7-of-10 threshold gives some tolerance to recompilation, but hits
     *   should be corroborated (e.g. against the Telsy report referenced on
     *   this page) before being treated as a confirmed NewPass detection.
     */

    strings:
        $sequence_0 = { 49ffc1 4183f810 72d3 c605????????00 488b03 8b10 }
            // n = 6, score = 500
            //   49ffc1               | push                ebp
            //   4183f810             | inc                 ecx
            //   72d3                 | push                esi
            //   c605????????00       |                     
            //   488b03               | inc                 ecx
            //   8b10                 | push                edi

        $sequence_1 = { 4883ec28 488b4120 483b4118 0f84b4000000 48895c2430 488bd8 488b40f0 }
            // n = 7, score = 500
            //   4883ec28             | dec                 eax
            //   488b4120             | lea                 edx, dword ptr [0x6cbc0]
            //   483b4118             | lea                 ecx, dword ptr [eax + 0x6e]
            //   0f84b4000000         | jmp                 0x367
            //   48895c2430           | dec                 eax
            //   488bd8               | lea                 eax, dword ptr [0x6cbaf]
            //   488b40f0             | jne                 0x37a

        $sequence_2 = { 4889b5b0000000 6689b5a0000000 48837d7808 7209 488b4d60 e8???????? 48c7457807000000 }
            // n = 7, score = 500
            //   4889b5b0000000       | jne                 0x3be
            //   6689b5a0000000       | dec                 eax
            //   48837d7808           | lea                 edx, dword ptr [0x60e18]
            //   7209                 | mov                 ecx, 0x126
            //   488b4d60             | jmp                 0x3c0
            //   e8????????           |                     
            //   48c7457807000000     | jne                 0x3ce

        $sequence_3 = { 448bfb 448be3 4c8d35a8d90300 e9???????? bd01000000 ba98000000 8bcd }
            // n = 7, score = 500
            //   448bfb               | inc                 esp
            //   448be3               | sub                 eax, eax
            //   4c8d35a8d90300       | inc                 esp
            //   e9????????           |                     
            //   bd01000000           | mov                 dword ptr [esp + 0x34], eax
            //   ba98000000           | dec                 esp
            //   8bcd                 | lea                 eax, dword ptr [0x63d4c]

        // Likely compiler-generated epilogue (stack-cookie check + register
        // restores); see NOTES above regarding its low specificity.
        $sequence_4 = { e8???????? 488b4d37 4833cc e8???????? 4c8d9c24d0000000 498b5b30 498b7338 }
            // n = 7, score = 500
            //   e8????????           |                     
            //   488b4d37             | push                esi
            //   4833cc               | dec                 eax
            //   e8????????           |                     
            //   4c8d9c24d0000000     | sub                 esp, 0x30
            //   498b5b30             | dec                 ecx
            //   498b7338             | mov                 ebx, ecx

        $sequence_5 = { 7209 488b4d40 e8???????? 48c7455807000000 4c896d50 6644896d40 41f6c701 }
            // n = 7, score = 500
            //   7209                 | dec                 eax
            //   488b4d40             | or                  eax, 0xffffff00
            //   e8????????           |                     
            //   48c7455807000000     | inc                 eax
            //   4c896d50             | inc                 ecx
            //   6644896d40           | xor                 al, byte ptr [ecx + edx]
            //   41f6c701             | xor                 al, 0x45

        $sequence_6 = { 4c8bc6 488b45c0 41be01000000 488b4dc8 483bc1 7462 660f1f440000 }
            // n = 7, score = 500
            //   4c8bc6               | inc                 ecx
            //   488b45c0             | xor                 al, 0x4a
            //   41be01000000         | inc                 ecx
            //   488b4dc8             | mov                 byte ptr [eax - 1], al
            //   483bc1               | cmp                 ecx, 8
            //   7462                 | jb                  0x128c
            //   660f1f440000         | inc                 ecx

        $sequence_7 = { 482bc8 4883f90a 7371 c644243001 8b5587 83fa24 7c06 }
            // n = 7, score = 500
            //   482bc8               | dec                 esp
            //   4883f90a             | lea                 ecx, dword ptr [0x8852d]
            //   7371                 | jne                 0xb56
            //   c644243001           | jb                  0xb07
            //   8b5587               | dec                 esp
            //   83fa24               | lea                 ecx, dword ptr [0x8882d]
            //   7c06                 | jne                 0xb61

        $sequence_8 = { c7854001000014010000 488d8d40010000 ff15???????? 33d2 33c9 83bd4401000006 735f }
            // n = 7, score = 500
            //   c7854001000014010000     | dec    eax
            //   488d8d40010000       | mov                 dword ptr [edi + 0x10], eax
            //   ff15????????         |                     
            //   33d2                 | dec                 eax
            //   33c9                 | mov                 dword ptr [ebx + 0x10], ecx
            //   83bd4401000006       | dec                 eax
            //   735f                 | mov                 eax, dword ptr [ebx + 0x18]

        $sequence_9 = { 4533c0 e8???????? b90e000000 ff15???????? ebb6 33d2 41b800800000 }
            // n = 7, score = 500
            //   4533c0               | jb                  0x1ca
            //   e8????????           |                     
            //   b90e000000           | dec                 eax
            //   ff15????????         |                     
            //   ebb6                 | mov                 ecx, dword ptr [ebp + 8]
            //   33d2                 | dec                 eax
            //   41b800800000         | mov                 dword ptr [ebp + 0x20], edi

    condition:
        // At least 7 of the 10 code sequences must be present, and the file
        // must be smaller than 1286144 bytes (~1.2 MiB). YARA's `filesize`
        // is not defined when scanning a running process, so the condition is
        // not expected to evaluate true on live memory - scan dumped modules
        // or files instead (verify against the YARA version in use).
        7 of them and filesize < 1286144
}