win.pinchduke

PinchDuke

Actor(s): APT29


According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host, transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke's credential-stealing functionality is based on the source code of the Pinch credential-stealing malware (also known as LdPinch), which was developed in the early 2000s and has since been openly distributed on underground forums.

References
2015-09-01 F-Secure, F-Secure Labs
The Dukes - 7 Years of Russian Cyberespionage
PinchDuke
Yara Rules
[TLP:WHITE] win_pinchduke_auto (20230808 | Detects win.pinchduke.)
rule win_pinchduke_auto {

    /* Autogenerated code-sequence signature for the PinchDuke information
     * stealer (attributed to APT29). Each $sequence_N below is a short run
     * of x86 instruction bytes taken from the disassembly of the documented
     * sample; the rule fires when at least 7 of the 10 sequences are present
     * and the scanned file is smaller than 223680 bytes (see condition).
     * Because the sequences come from a single sample, treat a hit as a
     * strong indicator for triage rather than proof of the family; the
     * meta block records provenance and licensing. */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.pinchduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Hex strings below are raw opcode bytes; "??" wildcards mask the
        // 4-byte operands of e8 (call rel32) and ff15 (call [abs32]), which
        // change between builds and with relocation, so the surrounding
        // opcodes still match regardless of where the callee lives.

        $sequence_0 = { 6a01 895dd4 895dd8 895ddc c645e030 895de1 }
            // n = 6, score = 100
            //   6a01                 | push                1
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   895dd8               | mov                 dword ptr [ebp - 0x28], ebx
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx
            //   c645e030             | mov                 byte ptr [ebp - 0x20], 0x30
            //   895de1               | mov                 dword ptr [ebp - 0x1f], ebx

        // Stores the FPU control word, clears bits and sets the rounding-mode
        // bit 0x08 in AH. This looks like a compiler float-to-int conversion
        // helper rather than family-specific logic, so on its own it is a
        // weak discriminator; the "7 of them" threshold compensates. Presumed
        // from the opcode pattern; confirm against the sample if needed.
        $sequence_1 = { 9b d93c24 9b 58 50 80e4f3 80cc08 }
            // n = 7, score = 100
            //   9b                   | wait                
            //   d93c24               | fnstcw              word ptr [esp]
            //   9b                   | wait                
            //   58                   | pop                 eax
            //   50                   | push                eax
            //   80e4f3               | and                 ah, 0xf3
            //   80cc08               | or                  ah, 8

        $sequence_2 = { 85d2 7416 8d4c50fe 2bf0 57 668b3c0e 668939 }
            // n = 7, score = 100
            //   85d2                 | test                edx, edx
            //   7416                 | je                  0x18
            //   8d4c50fe             | lea                 ecx, [eax + edx*2 - 2]
            //   2bf0                 | sub                 esi, eax
            //   57                   | push                edi
            //   668b3c0e             | mov                 di, word ptr [esi + ecx]
            //   668939               | mov                 word ptr [ecx], di

        $sequence_3 = { 83c40c 8d857bffffff 50 8d4dc4 e8???????? 8d8d7bffffff e8???????? }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8d857bffffff         | lea                 eax, [ebp - 0x85]
            //   50                   | push                eax
            //   8d4dc4               | lea                 ecx, [ebp - 0x3c]
            //   e8????????           |                     
            //   8d8d7bffffff         | lea                 ecx, [ebp - 0x85]
            //   e8????????           |                     

        $sequence_4 = { 50 ff15???????? 3bc3 89456c 0f84cc020000 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   ff15????????         |                     
            //   3bc3                 | cmp                 eax, ebx
            //   89456c               | mov                 dword ptr [ebp + 0x6c], eax
            //   0f84cc020000         | je                  0x2d2

        $sequence_5 = { 8945fc e8???????? 83c410 ff75fc 56 ff15???????? 56 }
            // n = 7, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi

        // Walks fs:[0x18] (TEB) -> +0x30 (PEB) -> byte at +2, which is the
        // layout of the PEB BeingDebugged flag on 32-bit Windows; this is
        // the classic inline IsDebuggerPresent-style anti-analysis check.
        // Useful context when triaging a hit, and a reason this sequence
        // can also appear in unrelated packed or protected binaries.
        $sequence_6 = { 64a118000000 3e8b4030 3e0fb64002 890424 8b0424 59 c3 }
            // n = 7, score = 100
            //   64a118000000         | mov                 eax, dword ptr fs:[0x18]
            //   3e8b4030             | mov                 eax, dword ptr ds:[eax + 0x30]
            //   3e0fb64002           | movzx               eax, byte ptr ds:[eax + 2]
            //   890424               | mov                 dword ptr [esp], eax
            //   8b0424               | mov                 eax, dword ptr [esp]
            //   59                   | pop                 ecx
            //   c3                   | ret                 

        $sequence_7 = { 6a00 ff7510 ff75fc ffd6 85c0 7404 33c0 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   7404                 | je                  6
            //   33c0                 | xor                 eax, eax

        $sequence_8 = { 85d2 75f5 8bc7 5f 5e c3 8b4c240c }
            // n = 7, score = 100
            //   85d2                 | test                edx, edx
            //   75f5                 | jne                 0xfffffff7
            //   8bc7                 | mov                 eax, edi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]

        $sequence_9 = { e8???????? 8d85e4f7ffff 50 e8???????? 83ec0c 8bcc 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d85e4f7ffff         | lea                 eax, [ebp - 0x81c]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83ec0c               | sub                 esp, 0xc
            //   8bcc                 | mov                 ecx, esp
            //   50                   | push                eax

    condition:
        // "them" is all ten $sequence_* strings; requiring 7 tolerates a few
        // sequences being absent or altered by recompilation. The filesize
        // bound (about 218 KiB) was derived from the documented sample and
        // rules out larger files by design, so a repacked or appended
        // variant, or a large memory dump, may not match even if the code
        // is present -- NOTE(review): revisit the bound if applying this
        // rule to process-memory scans.
        7 of them and filesize < 223680
}