win.powershellrunner

PowerShellRunner

Actor(s): Turla


There is no description at this point.

References
2019-05-29 · ESET Research · Matthieu Faou, Romain Dumont
A dive into Turla PowerShell usage
PowerShellRunner TurlaRPC
2019-04-13 · GitHub · Vitali Kremez
Decoded Turla Powershell Implant
PowerShellRunner
Yara Rules
[TLP:WHITE] win_powershellrunner_auto (20230808 | Detects win.powershellrunner.)
rule win_powershellrunner_auto {

    /*
     * Auto-generated code-sequence signature for win.powershellrunner
     * (attributed on this page to Turla).
     * Each $sequence_N is a run of x86-64 instruction bytes (note the 0x48 /
     * 0x4c REX prefixes) lifted from the disassembly of the documented
     * sample(s). "??" bytes are YARA wildcards; in this rule they only appear
     * after 0xe8 (near call) and stand in for the rel32 call target, which
     * changes between builds.
     * The rule fires when at least 7 of the 10 sequences are present and the
     * scanned file is smaller than 458752 bytes (448 KiB) -- see "condition".
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.powershellrunner."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.powershellrunner"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /*
     * NOTE(review): the "| mnemonic" column in the generator's per-byte
     * annotations below does NOT decode the bytes shown next to it
     * (e.g. 48 89 44 24 40 is `mov qword ptr [rsp+0x40], rax`, not `jne`;
     * 66 89 84 24 .. is `mov word ptr [rsp+disp32], ax`, not `mov edx, ...`).
     * The annotations look like a 32-bit decode that is out of step with the
     * 64-bit byte runs; use the one-line summaries added above each string,
     * or re-disassemble the bytes yourself, rather than the annotation column.
     * Only "n = N, score = S" (sequence length / generator score) is reliable.
     *
     * Several sequences (noted individually) have the shape of compiler or
     * C-runtime boilerplate rather than family-specific logic. Because the
     * condition needs 7 of 10, those sequences still constrain the match, but
     * expect reduced generalisation to other builds and treat hits on a single
     * weak sequence (e.g. in a custom lower-threshold variant) as low-confidence.
     */

    strings:
        // mov [rsp+0x40],rax ; mov rax,[rsp+0x20] ; mov rcx,[rsp+0x98] ; sub rcx,rax ;
        // mov rax,rcx ; mov r8,rax ; mov rdx,[rsp+0x40]
        // Looks like unoptimised stack-slot shuffling: a difference (rcx - rax) is
        // computed and moved into argument registers (r8, rdx) ahead of a call.
        $sequence_0 = { 4889442440 488b442420 488b8c2498000000 482bc8 488bc1 4c8bc0 488b542440 }
            // n = 7, score = 200
            //   4889442440           | jne                 0x1e42
            //   488b442420           | inc                 ebp
            //   488b8c2498000000     | xor                 ecx, ecx
            //   482bc8               | mov                 ecx, 0x127
            //   488bc1               | dec                 esp
            //   4c8bc0               | lea                 eax, [esp + 0x38]
            //   488b542440           | mov                 edx, 0x20

        // lea rcx,[rsp+0x48] ; call <rel32> ; movzx eax,al ; test eax,eax ; je +0x39
        // A call taking a stack buffer/struct address whose bool result is branched on.
        $sequence_1 = { 488d4c2448 e8???????? 0fb6c0 85c0 7439 }
            // n = 5, score = 200
            //   488d4c2448           | dec                 eax
            //   e8????????           |                     
            //   0fb6c0               | mov                 dword ptr [ebp - 0x29], eax
            //   85c0                 | dec                 eax
            //   7439                 | lea                 eax, [0xdb6f]

        // mov word [rsp+0x20e],ax ; mov eax,0x28 ; mov word [rsp+0x210],ax ; mov eax,0x28 ;
        // mov word [rsp+0x212],ax ; mov eax,0x67 ; mov word [rsp+0x214],ax
        // Stack-string construction: single ASCII values ('(', '(', 'g') stored as
        // 2-byte units into consecutive slots -- consistent with building a
        // UTF-16 string on the stack one character at a time.
        $sequence_2 = { 668984240e020000 b828000000 6689842410020000 b828000000 6689842412020000 b867000000 6689842414020000 }
            // n = 7, score = 200
            //   668984240e020000     | mov                 edx, dword ptr [esp + 0x58]
            //   b828000000           | dec                 eax
            //   6689842410020000     | mov                 eax, dword ptr [esp + 0x20]
            //   b828000000           | dec                 eax
            //   6689842412020000     | sub                 edx, ecx
            //   b867000000           | dec                 eax
            //   6689842414020000     | mov                 ecx, edx

        // mov rcx,rbp ; lea rdx,[rip+0x1b229] ; and ecx,0x3f ; mov rax,rbp ; sar rax,6 ;
        // shl rcx,6 ; add rcx,[rdx+rax*8]
        // Splits an index into (i >> 6, i & 0x3f) and looks up a table of 64-entry
        // blocks -- the shape of a CRT-internal handle-table access; presumably
        // statically linked runtime code rather than family logic.
        $sequence_3 = { 488bcd 488d1529b20100 83e13f 488bc5 48c1f806 48c1e106 48030cc2 }
            // n = 7, score = 200
            //   488bcd               | xor                 eax, eax
            //   488d1529b20100       | xor                 edx, edx
            //   83e13f               | mov                 ecx, 1
            //   488bc5               | inc                 ebp
            //   48c1f806             | xor                 eax, eax
            //   48c1e106             | xor                 edx, edx
            //   48030cc2             | mov                 ecx, 3

        // mov word [rsp+0x88],ax ; mov eax,0x65 ; mov word [rsp+0x8a],ax ; mov eax,0x72 ;
        // mov word [rsp+0x8c],ax ; mov eax,0x6e ; mov word [rsp+0x8e],ax
        // Same stack-string pattern as $sequence_2, here with the characters
        // 'e', 'r', 'n' (the full string is not recoverable from these bytes).
        $sequence_4 = { 6689842488000000 b865000000 668984248a000000 b872000000 668984248c000000 b86e000000 668984248e000000 }
            // n = 7, score = 200
            //   6689842488000000     | dec                 eax
            //   b865000000           | and                 dword ptr [eax - 0x28], 0
            //   668984248a000000     | dec                 esp
            //   b872000000           | lea                 eax, [0x518]
            //   668984248c000000     | dec                 eax
            //   b86e000000           | and                 dword ptr [eax - 0x20], 0
            //   668984248e000000     | dec                 eax

        // xor rax,rsp ; mov [rsp+0x128],rax ; mov qword [rsp+0x58],0 ; mov qword [rsp+0x68],0 ;
        // mov dword [rsp+0x4c],0 ; mov dword [rsp+0x48],0 ; mov eax,0x53
        // xor rax,rsp followed by a stack store is the /GS security-cookie prologue,
        // then local zeroing and the start of another stack string ('S').
        // The cookie prologue is compiler boilerplate shared with benign x64 binaries;
        // the specific frame offsets are what give this sequence its weight.
        $sequence_5 = { 4833c4 4889842428010000 48c744245800000000 48c744246800000000 c744244c00000000 c744244800000000 b853000000 }
            // n = 7, score = 200
            //   4833c4               | xlatb               
            //   4889842428010000     | add                 dword ptr [eax], eax
            //   48c744245800000000     | cdq    
            //   48c744246800000000     | mov    ebx, eax
            //   c744244c00000000     | mov                 ecx, edi
            //   c744244800000000     | dec                 eax
            //   b853000000           | mov                 edx, edi

        // movdqu xmm1,[rdi] ; cmp rax,0xe ; ja +0x73 ; mov eax,[rsi+rax*4+0x1da54] ;
        // add rax,rsi ; jmp rax
        // Bounds-checked jump-table dispatch on a small size value; this has the
        // shape of a CRT memcpy/memmove small-copy dispatcher, so it is likely
        // library code -- expect it to match other statically linked binaries too.
        $sequence_6 = { f30f6f0f 4883f80e 7773 8b848654da0100 4803c6 ffe0 }
            // n = 6, score = 200
            //   f30f6f0f             | dec                 eax
            //   4883f80e             | mov                 eax, dword ptr [esp + 0x38]
            //   7773                 | dec                 eax
            //   8b848654da0100       | mov                 dword ptr [esp + 8], eax
            //   4803c6               | push                edi
            //   ffe0                 | dec                 eax

        // call <rel32> ; mov [rsp+0x58],rax ; mov rcx,[rsp+0x90] ; call <rel32> ; mov [rsp+0x48],rax
        // Two consecutive calls whose return values are spilled to stack slots;
        // the call targets are wildcarded, so only the spill offsets anchor this.
        $sequence_7 = { e8???????? 4889442458 488b8c2490000000 e8???????? 4889442448 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   4889442458           | mov                 eax, 0x4e
            //   488b8c2490000000     | mov                 word ptr [esp + 0x110], ax
            //   e8????????           |                     
            //   4889442448           | mov                 eax, 0x75

        // mov [rsp+8],rcx ; mov rax,0x1fffffffffffffff ; ret ;
        // mov [rsp+8],rcx ; mov rax,0x3fffffffffffffff ; ret ; mov [rsp+0x20],r9
        // Two adjacent tiny functions returning 2^61-1 and 2^62-1 -- consistent with
        // C++ STL max_size() helpers for 8-byte and 4-byte element types; again
        // presumably compiler/library output rather than family-specific code.
        $sequence_8 = { 48894c2408 48b8ffffffffffffff1f c3 48894c2408 48b8ffffffffffffff3f c3 4c894c2420 }
            // n = 7, score = 200
            //   48894c2408           | mov                 byte ptr [esp + 0x189], 0x30
            //   48b8ffffffffffffff1f     | mov    byte ptr [esp + 0x18a], 0x27
            //   c3                   | mov                 byte ptr [esp + 0x220], 0x21
            //   48894c2408           | mov                 byte ptr [esp + 0x221], 0x13
            //   48b8ffffffffffffff3f     | mov    byte ptr [esp + 0x222], 0x3c
            //   c3                   | mov                 byte ptr [esp + 0x223], 0x39
            //   4c894c2420           | mov                 byte ptr [esp + 0x224], 0x30

        // lea r9,[rip+0xb3f9] ; mov rbp,rcx ; lea r8,[rip+0xb3e7] ; lea rdx,[rip+0xb3e8] ;
        // mov ecx,0x14 ; call <rel32> ; test rax,rax
        // Four-argument call: three rip-relative data addresses in r9/r8/rdx and the
        // constant 0x14 in ecx, with the (pointer-sized) result null-checked.
        // The rip-relative displacements tie this to the sample's exact layout.
        $sequence_9 = { 4c8d0df9b30000 488be9 4c8d05e7b30000 488d15e8b30000 b914000000 e8???????? 4885c0 }
            // n = 7, score = 200
            //   4c8d0df9b30000       | xor                 edx, edx
            //   488be9               | mov                 ecx, 0x10b
            //   4c8d05e7b30000       | dec                 esp
            //   488d15e8b30000       | lea                 eax, [esp + 0x48]
            //   b914000000           | mov                 edx, 0x20
            //   e8????????           |                     
            //   4885c0               | dec                 eax

    condition:
        // "them" = all ten $sequence_* strings; 7 must match, so up to three may be
        // absent (e.g. the library-shaped ones above) without losing the hit.
        // The filesize cap (458752 bytes = 448 KiB) keeps the rule from scanning
        // large files; it also means an inflated or repacked copy will not match.
        7 of them and filesize < 458752
}