win.purplewave (Back to overview)

PurpleWave


Zscaler reported on a new infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user’s system. It connects to a command and control (C&C) server to send system information, and it installs new malware onto the infected system.

The author of this malware is advertising and selling the PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates, or for 4,000 RUB (US$54) with only two updates.

References
2020-08-14 Zscaler Mohd Sadique
@online{sadique:20200814:purplewave:2ef459c, author = {Mohd Sadique}, title = {{PurpleWave - A New Infostealer from Russia}}, date = {2020-08-14}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/research/purplewave-new-infostealer-russia}, language = {English}, urldate = {2020-08-19} } PurpleWave - A New Infostealer from Russia
PurpleWave
Yara Rules
[TLP:WHITE] win_purplewave_auto (20221125 | Detects win.purplewave.)
rule win_purplewave_auto {
    /* Purpose: detect x86 code of the PurpleWave infostealer (Malpedia id
     * win.purplewave) by requiring 7 of the 10 short instruction-byte
     * sequences below. The sequences were picked automatically by
     * YARA-Signator from disassembly of memory dumps and unpacked files
     * (see DISCLAIMER), so the rule targets unpacked code, not packed
     * droppers on disk.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.purplewave."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a hex byte pattern covering 7 instructions
     * ("n = 7"); the disassembly listed under each string is explanatory
     * only and is not matched. The "??" wildcards mask bytes the generator
     * dropped — here they sit on e8 (call) and ba (mov edx, imm32)
     * operands, consistent with the signator_config masking call/jump
     * targets and data references so relocated addresses do not break
     * the match.
     */
    strings:
        $sequence_0 = { e8???????? 50 8d8d2cffffff e8???????? c645fc56 8d8dccfeffff 0fb69550ffffff }
            // n = 7, score = 400
            //   e8????????           |                     
            //   50                   | push                eax
            //   8d8d2cffffff         | lea                 ecx, [ebp - 0xd4]
            //   e8????????           |                     
            //   c645fc56             | mov                 byte ptr [ebp - 4], 0x56
            //   8d8dccfeffff         | lea                 ecx, [ebp - 0x134]
            //   0fb69550ffffff       | movzx               edx, byte ptr [ebp - 0xb0]

        // NOTE(review): the '0' (0x30) / '9' (0x39) comparisons and the
        // 0x19999999 (~UINT_MAX/10) constant look like a generic decimal
        // string-to-integer parse, possibly library code — inferred from the
        // disassembly, not confirmed; weigh this sequence accordingly.
        $sequence_1 = { 807dd630 7c79 8bfa 8a16 80fa39 7f70 3d99999919 }
            // n = 7, score = 400
            //   807dd630             | cmp                 byte ptr [ebp - 0x2a], 0x30
            //   7c79                 | jl                  0x7b
            //   8bfa                 | mov                 edi, edx
            //   8a16                 | mov                 dl, byte ptr [esi]
            //   80fa39               | cmp                 dl, 0x39
            //   7f70                 | jg                  0x72
            //   3d99999919           | cmp                 eax, 0x19999999

        $sequence_2 = { 83c410 8d85c0feffff 8d4dd8 50 e8???????? c645fc3a 8d9598feffff }
            // n = 7, score = 400
            //   83c410               | add                 esp, 0x10
            //   8d85c0feffff         | lea                 eax, [ebp - 0x140]
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   50                   | push                eax
            //   e8????????           |                     
            //   c645fc3a             | mov                 byte ptr [ebp - 4], 0x3a
            //   8d9598feffff         | lea                 edx, [ebp - 0x168]

        $sequence_3 = { 8845e3 eb05 8ac3 885de3 8d7eff 3b7d08 7c7b }
            // n = 7, score = 400
            //   8845e3               | mov                 byte ptr [ebp - 0x1d], al
            //   eb05                 | jmp                 7
            //   8ac3                 | mov                 al, bl
            //   885de3               | mov                 byte ptr [ebp - 0x1d], bl
            //   8d7eff               | lea                 edi, [esi - 1]
            //   3b7d08               | cmp                 edi, dword ptr [ebp + 8]
            //   7c7b                 | jl                  0x7d

        $sequence_4 = { 51 8bcb ff5008 ba???????? c645fc1c 8d4dd8 e8???????? }
            // n = 7, score = 400
            //   51                   | push                ecx
            //   8bcb                 | mov                 ecx, ebx
            //   ff5008               | call                dword ptr [eax + 8]
            //   ba????????           |                     
            //   c645fc1c             | mov                 byte ptr [ebp - 4], 0x1c
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     

        $sequence_5 = { 8d4dd4 c645fc06 51 8bc8 e8???????? 8d4dbc c645fc07 }
            // n = 7, score = 400
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   c645fc06             | mov                 byte ptr [ebp - 4], 6
            //   51                   | push                ecx
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8d4dbc               | lea                 ecx, [ebp - 0x44]
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7

        // NOTE(review): a plain register-save prologue (push ebx/esi/edi,
        // xor ebx, ebx) with no wildcards; such bytes are common in unrelated
        // compiler output, so this sequence alone carries little family
        // specificity — the 7-of-10 threshold is what keeps precision.
        $sequence_6 = { 53 56 8bf2 33db 57 8bf9 897dfc }
            // n = 7, score = 400
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf2                 | mov                 esi, edx
            //   33db                 | xor                 ebx, ebx
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   897dfc               | mov                 dword ptr [ebp - 4], edi

        $sequence_7 = { 8d5508 c78568feffff70000000 8d8d30feffff e8???????? 59 8bc8 bbf0000000 }
            // n = 7, score = 400
            //   8d5508               | lea                 edx, [ebp + 8]
            //   c78568feffff70000000     | mov    dword ptr [ebp - 0x198], 0x70
            //   8d8d30feffff         | lea                 ecx, [ebp - 0x1d0]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8bc8                 | mov                 ecx, eax
            //   bbf0000000           | mov                 ebx, 0xf0

        $sequence_8 = { 57 895dd4 50 eb2a 50 8d4db4 e8???????? }
            // n = 7, score = 400
            //   57                   | push                edi
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   50                   | push                eax
            //   eb2a                 | jmp                 0x2c
            //   50                   | push                eax
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   e8????????           |                     

        $sequence_9 = { 51 8d4d9c e8???????? c745fc01000000 8d4d9c c745ec12000000 e8???????? }
            // n = 7, score = 400
            //   51                   | push                ecx
            //   8d4d9c               | lea                 ecx, [ebp - 0x64]
            //   e8????????           |                     
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   8d4d9c               | lea                 ecx, [ebp - 0x64]
            //   c745ec12000000       | mov                 dword ptr [ebp - 0x14], 0x12
            //   e8????????           |                     

    condition:
        // Matches when at least 7 of the 10 sequences are present AND the
        // scanned object is smaller than 1,400,832 bytes (~1.34 MiB). Larger
        // objects never match even if every sequence occurs, so oversized
        // carriers or large memory regions are out of scope by design.
        // Because the strings come from a small number of unpacked samples
        // (see DISCLAIMER), measure the false-positive rate on your own
        // clean set before using hits for anything beyond triage.
        7 of them and filesize < 1400832
}