win.pinchduke

PinchDuke

Actor(s): APT29


According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host, transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke’s credential-stealing functionality is based on the source code of the Pinch credential-stealing malware (also known as LdPinch), which was developed in the early 2000s and later openly distributed on underground forums.

References
2015-09 F-Secure F-Secure Labs
@techreport{labs:201509:dukes:035f864, author = {F-Secure Labs}, title = {{The Dukes - 7 Years of Russian Cyberespionage}}, date = {2015-09}, institution = {F-Secure}, url = {https://blog.f-secure.com/wp-content/uploads/2020/03/F-Secure_Dukes_Whitepaper.pdf}, language = {English}, urldate = {2022-10-20} } The Dukes - 7 Years of Russian Cyberespionage
PinchDuke
Yara Rules
[TLP:WHITE] win_pinchduke_auto (20230125 | Detects win.pinchduke.)
rule win_pinchduke_auto {
    // Auto-generated opcode-sequence signature for the PinchDuke family
    // (Malpedia id win.pinchduke). The rule carries no human-curated
    // strings: every pattern is a short run of 32-bit x86 machine code
    // lifted from the disassembly of one or a few reference samples (see
    // the DISCLAIMER below), so it is a code-similarity indicator rather
    // than a behavioural one.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.pinchduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings used to select the sequences; see the
        // yara-signator repository linked in the DISCLAIMER for their meaning.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke"
        malpedia_rule_date = "20230124"
        // NOTE(review): presumably identifies the Malpedia data snapshot the
        // rule was generated from rather than a sample hash - confirm before
        // treating it as an IoC.
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86 opcode bytes; the "n = ..." comment
        // under it gives the number of instructions in the run, and "score"
        // is the generator's ranking (its scale is not documented here).
        // Bytes written as ?? are wildcards. They sit exactly where the
        // disassembly column is blank - the operands of the e8 / 68 / ff15 /
        // ff35 instructions - presumably because call targets, pushed
        // immediates and absolute addresses change between builds and load
        // addresses, so masking them is what lets the rule survive relinking.
        $sequence_0 = { f645fc04 740c 8365fcfb 8d4d8b e8???????? }
            // n = 5, score = 100
            //   f645fc04             | test                byte ptr [ebp - 4], 4
            //   740c                 | je                  0xe
            //   8365fcfb             | and                 dword ptr [ebp - 4], 0xfffffffb
            //   8d4d8b               | lea                 ecx, [ebp - 0x75]
            //   e8????????           |                     

        $sequence_1 = { 8d858cfeffff 50 53 53 68???????? ff75f4 c745fcff000000 }
            // n = 7, score = 100
            //   8d858cfeffff         | lea                 eax, [ebp - 0x174]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   68????????           |                     
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   c745fcff000000       | mov                 dword ptr [ebp - 4], 0xff

        $sequence_2 = { e8???????? 0fb64c35f4 ff45f8 8a89e0404100 46 83fe04 8808 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   0fb64c35f4           | movzx               ecx, byte ptr [ebp + esi - 0xc]
            //   ff45f8               | inc                 dword ptr [ebp - 8]
            //   8a89e0404100         | mov                 cl, byte ptr [ecx + 0x4140e0]
            //   46                   | inc                 esi
            //   83fe04               | cmp                 esi, 4
            //   8808                 | mov                 byte ptr [eax], cl

        $sequence_3 = { 68???????? e8???????? 8b4d08 e8???????? 4b 8d0437 79d2 }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   4b                   | dec                 ebx
            //   8d0437               | lea                 eax, [edi + esi]
            //   79d2                 | jns                 0xffffffd4

        $sequence_4 = { 83c40c 50 8d85a8f2ffff 50 e8???????? 59 }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   50                   | push                eax
            //   8d85a8f2ffff         | lea                 eax, [ebp - 0xd58]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_5 = { 53 ffd7 ff35???????? 8d85c4f3ffff 50 ff15???????? 85c0 }
            // n = 7, score = 100
            //   53                   | push                ebx
            //   ffd7                 | call                edi
            //   ff35????????         |                     
            //   8d85c4f3ffff         | lea                 eax, [ebp - 0xc3c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_6 = { e8???????? 53 56 ff15???????? 53 e8???????? 83ec0c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83ec0c               | sub                 esp, 0xc

        $sequence_7 = { 50 ff5144 85c0 0f8515030000 8b45f0 8945cc 8b45f4 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   ff5144               | call                dword ptr [ecx + 0x44]
            //   85c0                 | test                eax, eax
            //   0f8515030000         | jne                 0x31b
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_8 = { 83ec1c 53 56 57 bf10270000 57 e8???????? }
            // n = 7, score = 100
            //   83ec1c               | sub                 esp, 0x1c
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   bf10270000           | mov                 edi, 0x2710
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_9 = { 85c0 0f851effffff 53 e8???????? 59 b001 5f }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f851effffff         | jne                 0xffffff24
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   b001                 | mov                 al, 1
            //   5f                   | pop                 edi

    condition:
        // Fires when at least 7 of the 10 sequences are present AND the
        // scanned object is smaller than 223680 bytes. The size cap
        // presumably limits false positives on large files, but it also means
        // a larger sample (or a dump bigger than that) will never match.
        // NOTE(review): filesize behaves differently when scanning process
        // memory rather than a file on disk - confirm before relying on this
        // rule in memory scans, and tune the bound if the sample set grows.
        7 of them and filesize < 223680
}