win.pinchduke

PinchDuke

Actor(s): APT29


According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host, transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke's credential-stealing functionality is based on the source code of the Pinch credential-stealing malware (also known as LdPinch), which was developed in the early 2000s and was later openly distributed on underground forums.

References
2015-09-01 — F-Secure (F-Secure Labs)
The Dukes - 7 Years of Russian Cyberespionage
PinchDuke
Yara Rules
[TLP:WHITE] win_pinchduke_auto (20260504 | Detects win.pinchduke.)
rule win_pinchduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.pinchduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * How this rule was built (and why that matters for confidence):
     *   - Every byte pattern below was picked automatically by YARA-Signator
     *     from the disassembly of unpacked files and memory dumps, not by hand.
     *     Generator: https://github.com/fxb-cocacoding/yara-signator
     *   - The training data comes from Malpedia, which for many families holds
     *     only a single sample, so the patterns may not generalise to other
     *     builds of the family.
     *   - Treat hits as a lead to triage, and weight the rule accordingly when
     *     assigning confidence levels in your own deployment.
     *
     * Each pattern is annotated with its x86 decoding. "??" bytes are
     * wildcards over relocation-dependent operands (call/jump targets and
     * absolute addresses), which is what lets the patterns survive rebasing.
     */

    strings:
        /* seq_0  (n = 7, score = 100)
         *   push  0x80000001        ; 6801000080  -- NOTE(review): the value is the
         *                                             HKEY_CURRENT_USER constant; the
         *                                             callee is wildcarded, so whether
         *                                             this is a registry API is unconfirmed
         *   call  dword ptr [??]    ; ff15????????
         *   test  eax, eax          ; 85c0
         *   jne   +0x77             ; 7575
         *   push  ebx               ; 53
         *   push  esi               ; 56
         *   push  edi               ; 57
         */
        $seq_0 = { 6801000080 ff15???????? 85c0 7575 53 56 57 }

        /* seq_1  (n = 7, score = 100)
         *   push  eax                          ; 50
         *   mov   byte ptr [ebp - 0x738], 0    ; c685c8f8ffff00
         *   call  ??                           ; e8????????
         *   push  dword ptr [ebp + 0xc]        ; ff750c
         *   push  dword ptr [ebp + 8]          ; ff7508
         *   call  ??                           ; e8????????
         *   add   esp, 0x44                    ; 83c444
         */
        $seq_1 = { 50 c685c8f8ffff00 e8???????? ff750c ff7508 e8???????? 83c444 }

        /* seq_2  (n = 7, score = 100) -- a strlen-style scan for a NUL terminator
         *   cmp   byte ptr [eax], 0   ; 803800
         *   mov   ecx, eax            ; 8bc8
         *   je    +0x18               ; 7416
         *   inc   ecx                 ; 41
         *   cmp   byte ptr [ecx], 0   ; 803900
         *   jne   -4                  ; 75fa
         *   jmp   +0xc                ; eb0a
         */
        $seq_2 = { 803800 8bc8 7416 41 803900 75fa eb0a }

        /* seq_3  (n = 6, score = 100)
         *   mov   eax, dword ptr [ebp + 0x30]   ; 8b4530
         *   imul  eax, dword ptr [ebp + 0x34]   ; 0faf4534
         *   shr   eax, 0xa                      ; c1e80a
         *   imul  eax, dword ptr [ebp + 0x2c]   ; 0faf452c
         *   shr   eax, 0xa                      ; c1e80a
         *   push  eax                           ; 50
         */
        $seq_3 = { 8b4530 0faf4534 c1e80a 0faf452c c1e80a 50 }

        /* seq_4  (n = 7, score = 100)
         *   push  eax                     ; 50
         *   mov   byte ptr [eax + 5], 0x61   ; c6400561
         *   call  ??                      ; e8????????
         *   pop   ecx                     ; 59
         *   push  0x32                    ; 6a32
         *   call  esi                     ; ffd6
         *   push  0x32                    ; 6a32
         */
        $seq_4 = { 50 c6400561 e8???????? 59 6a32 ffd6 6a32 }

        /* seq_5  (n = 7, score = 100)
         *   push  eax                          ; 50
         *   jne   +0x15                        ; 7513
         *   call  ??                           ; e8????????
         *   mov   ecx, dword ptr [ebp + 0xc]   ; 8b4d0c
         *   lea   eax, [ebp - 0x15]            ; 8d45eb
         *   push  eax                          ; 50
         *   call  ??                           ; e8????????
         */
        $seq_5 = { 50 7513 e8???????? 8b4d0c 8d45eb 50 e8???????? }

        /* seq_6  (n = 7, score = 100)
         *   test  ebx, ebx                          ; 85db
         *   jle   +9                                ; 7e07
         *   movsx ecx, byte ptr [edx + eax + 1]     ; 0fbe4c0201
         *   jmp   +5                                ; eb03
         *   xor   ecx, ecx                          ; 33c9
         *   inc   ecx                               ; 41
         *   mov   esi, dword ptr [ebp - 8]          ; 8b75f8
         */
        $seq_6 = { 85db 7e07 0fbe4c0201 eb03 33c9 41 8b75f8 }

        /* seq_7  (n = 7, score = 100)
         *   lea   eax, [ebp + 0xc]              ; 8d450c
         *   push  ebx                           ; 53
         *   push  eax                           ; 50
         *   call  ??                            ; e8????????
         *   add   esp, 0xc                      ; 83c40c
         *   push  dword ptr [ebp + 0x10]        ; ff7510
         *   push  dword ptr [ebp + 0x14]        ; ff7514
         */
        $seq_7 = { 8d450c 53 50 e8???????? 83c40c ff7510 ff7514 }

        /* seq_8  (n = 7, score = 100) -- xor/rol/ror mixing over a 32-bit
         * buffer; looks like a hash-style round, but the algorithm is not
         * identified here
         *   xor   ecx, dword ptr [eax + 0x24]       ; 334824
         *   rol   esi, 5                            ; c1c605
         *   xor   ecx, dword ptr [eax + 0x38]       ; 334838
         *   ror   edx, 2                            ; c1ca02
         *   rol   ecx, 1                            ; d1c1
         *   lea   esi, [edi + esi - 0x359d3e2a]     ; 8db437d6c162ca
         *   mov   edi, dword ptr [ebp - 8]          ; 8b7df8
         */
        $seq_8 = { 334824 c1c605 334838 c1ca02 d1c1 8db437d6c162ca 8b7df8 }

        /* seq_9  (n = 6, score = 100)
         *   lea   eax, [ebp + 0xc]      ; 8d450c
         *   sub   esp, 0x10             ; 83ec10
         *   mov   ecx, esp              ; 8bcc
         *   push  eax                   ; 50
         *   call  ??                    ; e8????????
         *   lea   eax, [ebp - 0x1d]     ; 8d45e3
         */
        $seq_9 = { 8d450c 83ec10 8bcc 50 e8???????? 8d45e3 }

    condition:
        // Require a majority of the ten sequences (7 of 10), which tolerates a
        // few patterns drifting between builds while keeping the bar high
        // enough that a single shared library routine cannot trigger alone.
        // The size cap is derived from the reference sample; it bounds false
        // positives on large files but will also exclude a repacked or
        // appended variant that grows past it.
        // NOTE(review): `filesize` is defined for file scans; confirm how your
        // scanner evaluates it on process-memory scans before relying on this
        // rule there.
        7 of ($seq_*) and filesize < 223680
}