PurpleWave (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS
win.purplewave (Back to overview)
PurpleWave

ZScaler reported on a new Infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user’s system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system.
The author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.
References

2020-08-14 ⋅ Zscaler ⋅ Mohd Sadique
PurpleWave - A New Infostealer from Russia
PurpleWave
Yara Rules

[TLP:WHITE] win_purplewave_auto (20230125 | Detects win.purplewave.)
rule win_purplewave_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.purplewave."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 5a 2bd0 eb02 8b17 668b460e 6623c1 668945fa }
            // n = 7, score = 400
            //   5a                   | pop                 edx
            //   2bd0                 | sub                 edx, eax
            //   eb02                 | jmp                 4
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   668b460e             | mov                 ax, word ptr [esi + 0xe]
            //   6623c1               | and                 ax, cx
            //   668945fa             | mov                 word ptr [ebp - 6], ax

        $sequence_1 = { 8d4f08 e8???????? 8b45f0 8d4f50 83c048 50 }
            // n = 6, score = 400
            //   8d4f08               | lea                 ecx, [edi + 8]
            //   e8????????           |                     
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   8d4f50               | lea                 ecx, [edi + 0x50]
            //   83c048               | add                 eax, 0x48
            //   50                   | push                eax

        $sequence_2 = { 8955fc 99 3955f8 7779 7204 3bd8 7773 }
            // n = 7, score = 400
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   99                   | cdq                 
            //   3955f8               | cmp                 dword ptr [ebp - 8], edx
            //   7779                 | ja                  0x7b
            //   7204                 | jb                  6
            //   3bd8                 | cmp                 ebx, eax
            //   7773                 | ja                  0x75

        $sequence_3 = { 895dec 8b75dc 8bda 8b7dd8 c645fc01 56 8bcb }
            // n = 7, score = 400
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   8b75dc               | mov                 esi, dword ptr [ebp - 0x24]
            //   8bda                 | mov                 ebx, edx
            //   8b7dd8               | mov                 edi, dword ptr [ebp - 0x28]
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   56                   | push                esi
            //   8bcb                 | mov                 ecx, ebx

        $sequence_4 = { 6aff 50 52 68e9fd0000 894df0 ff15???????? 8bd8 }
            // n = 7, score = 400
            //   6aff                 | push                -1
            //   50                   | push                eax
            //   52                   | push                edx
            //   68e9fd0000           | push                0xfde9
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_5 = { 99 6a4c 59 f7f9 894d08 8945e8 8b4604 }
            // n = 7, score = 400
            //   99                   | cdq                 
            //   6a4c                 | push                0x4c
            //   59                   | pop                 ecx
            //   f7f9                 | idiv                ecx
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b4604               | mov                 eax, dword ptr [esi + 4]

        $sequence_6 = { 2bc6 3bc8 7604 8bc2 eb08 8d040e 3bc2 }
            // n = 7, score = 400
            //   2bc6                 | sub                 eax, esi
            //   3bc8                 | cmp                 ecx, eax
            //   7604                 | jbe                 6
            //   8bc2                 | mov                 eax, edx
            //   eb08                 | jmp                 0xa
            //   8d040e               | lea                 eax, [esi + ecx]
            //   3bc2                 | cmp                 eax, edx

        $sequence_7 = { 8945cc 8a16 80fa30 7d9b eb0e 8bd0 e8???????? }
            // n = 7, score = 400
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   8a16                 | mov                 dl, byte ptr [esi]
            //   80fa30               | cmp                 dl, 0x30
            //   7d9b                 | jge                 0xffffff9d
            //   eb0e                 | jmp                 0x10
            //   8bd0                 | mov                 edx, eax
            //   e8????????           |                     

        $sequence_8 = { c20800 8b4de8 894dec 3bf3 741d }
            // n = 5, score = 400
            //   c20800               | ret                 8
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   3bf3                 | cmp                 esi, ebx
            //   741d                 | je                  0x1f

        $sequence_9 = { 56 e8???????? 83c40c 33c9 894e28 884e18 894e3c }
            // n = 7, score = 400
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   33c9                 | xor                 ecx, ecx
            //   894e28               | mov                 dword ptr [esi + 0x28], ecx
            //   884e18               | mov                 byte ptr [esi + 0x18], cl
            //   894e3c               | mov                 dword ptr [esi + 0x3c], ecx

    condition:
        7 of them and filesize < 1400832
}
Download all Yara Rules
PurpleWave Propose Change

References

Yara Rules

PurpleWave
