win.turla_rpc

TurlaRPC

Actor(s): Turla


No description has been written for this family yet; the references and the auto-generated YARA rule below are the only material on this page.

References
2022-09-20 cocomelonc
Malware development: persistence - part 11. Powershell profile. Simple C++ example.
Turla RAT TurlaRPC
2022-06-12 cocomelonc
Malware development: persistence - part 7. Winlogon. Simple C++ example.
BazarBackdoor Gazer TurlaRPC Turla SilentMoon
2022-05-02cocomelonccocomelonc
Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Agent.BTZ Ave Maria Konni Mosquito TurlaRPC
2021-02-28 PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-19 Palo Alto Networks Unit 42 — Dominik Reichel
IronNetInjector: Turla’s New Malware Loading Tool
Agent.BTZ IronNetInjector TurlaRPC
2020-10-28 Accenture Cyber Defense
Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2019-05-29 ESET Research — Matthieu Faou, Romain Dumont
A dive into Turla PowerShell usage
PowerShellRunner TurlaRPC
Yara Rules
[TLP:WHITE] win_turla_rpc_auto (20230808 | Detects win.turla_rpc.)
rule win_turla_rpc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.turla_rpc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (comments only; the rule body is the unmodified generator output)
     *
     * What the sequences actually match:
     * - Most sequences are stack-string constructions: dword/word/byte immediates
     *   stored to [ebp+N] / [esp+N] and terminated by a 0x55 byte. XOR-ing each
     *   immediate byte with 0x55 yields printable ASCII and 0x55 ^ 0x55 = NUL, so
     *   0x55 is the encoded terminator. Decoding the bytes present in this rule gives
     *   "CreateFileW", "CreateProcessW" (split across $sequence_2/$sequence_8),
     *   "LoadLibraryA", "Sleep", "SetErrorMode", "fread", "free", "fseek", and
     *   fragments "eCleanup", "Timeout", "eException", "Read". Building API names
     *   from XOR-ed immediates alongside "LoadLibraryA" suggests the names are
     *   obfuscated at rest and resolved at runtime (verify in the sample; the
     *   import table alone will not show these calls if so).
     * - $sequence_3 ("iptorSacl") and $sequence_9 (UTF-16 L"S:(ML;") store
     *   un-obfuscated text. "S:(ML;" is the opening of an SDDL mandatory-label ACE;
     *   the rest of the SDDL string and the characters preceding "iptorSacl" are
     *   outside these sequences, so the full strings are not established here.
     * - $sequence_5 carries REX.W prefixes (0x48) and is x64 code; $sequence_10..15
     *   use push/pop esi/edi and are 32-bit. The rule therefore appears to cover
     *   both 32- and 64-bit builds, which may be what the two score tiers (200/100)
     *   reflect — confirm against the sample set before relying on that.
     * - $sequence_14 references an absolute address in the 0x10000000 range, which
     *   is typical of a non-relocated 32-bit DLL image base (inference).
     *
     * Annotation fix-up:
     * - The per-instruction annotations emitted by yara-signator were shifted
     *   relative to the opcode bytes in several sequences ($sequence_0/1/2/3/7/8
     *   and 9..15). They have been re-derived from the bytes below; $sequence_5 is
     *   now annotated as 64-bit instead of the 32-bit decode ("dec eax" for REX).
     *
     * Operational caveats:
     * - The matches depend on exact stack offsets chosen by the compiler; a rebuild
     *   with a different stack frame layout changes every offset and evades the
     *   rule. Treat a hit as high confidence and a miss as uninformative.
     * - The strings are taken from unpacked/memory-dumped code (see DISCLAIMER), so
     *   scanning packed files on disk is expected to miss.
     */


    strings:
        $sequence_0 = { c645bc55 c7854001000030163930 c78544010000343b2025 c6854801000055 c78560010000013c3830 c785640100003a202155 }
            // n = 6, score = 200
            // XOR-0x55 stack strings: [ebp+0x140..0x148] -> "eCleanup\0", [ebp+0x160..0x167] -> "Timeout\0"
            //   c645bc55             | mov                 byte ptr [ebp - 0x44], 0x55
            //   c7854001000030163930     | mov    dword ptr [ebp + 0x140], 0x30391630
            //   c78544010000343b2025     | mov    dword ptr [ebp + 0x144], 0x25203b34
            //   c6854801000055       | mov                 byte ptr [ebp + 0x148], 0x55
            //   c78560010000013c3830     | mov    dword ptr [ebp + 0x160], 0x30383c01
            //   c785640100003a202155     | mov    dword ptr [ebp + 0x164], 0x5521203a

        $sequence_1 = { c744244806393030 66c744244c2555 c785c000000006302110 c785c400000027273a27 c785c8000000183a3130 c685cc00000055 }
            // n = 6, score = 200
            // XOR-0x55 stack strings: [esp+0x48..0x4d] -> "Sleep\0", [ebp+0xc0..0xcc] -> "SetErrorMode\0"
            //   c744244806393030     | mov                 dword ptr [esp + 0x48], 0x30303906
            //   66c744244c2555       | mov                 word ptr [esp + 0x4c], 0x5525
            //   c785c000000006302110     | mov    dword ptr [ebp + 0xc0], 0x10213006
            //   c785c400000027273a27     | mov    dword ptr [ebp + 0xc4], 0x273a2727
            //   c785c8000000183a3130     | mov    dword ptr [ebp + 0xc8], 0x30313a18
            //   c685cc00000055       | mov                 byte ptr [ebp + 0xcc], 0x55

        $sequence_2 = { c7456016273034 c745642130133c c7456839300255 c7851001000016273034 c7851401000021300527 c785180100003a363026 }
            // n = 6, score = 200
            // XOR-0x55 stack strings: [ebp+0x60..0x6b] -> "CreateFileW\0", [ebp+0x110..0x11b] -> "CreateProces" (continued in $sequence_8)
            //   c7456016273034       | mov                 dword ptr [ebp + 0x60], 0x34302716
            //   c745642130133c       | mov                 dword ptr [ebp + 0x64], 0x3c133021
            //   c7456839300255       | mov                 dword ptr [ebp + 0x68], 0x55023039
            //   c7851001000016273034     | mov    dword ptr [ebp + 0x110], 0x34302716
            //   c7851401000021300527     | mov    dword ptr [ebp + 0x114], 0x27053021
            //   c785180100003a363026     | mov    dword ptr [ebp + 0x118], 0x2630363a

        $sequence_3 = { c745b06970746f c745b472536163 66c745b86c00 ff15???????? }
            // n = 4, score = 200
            // Plain (not XOR-ed) ASCII "iptorSacl\0" at [ebp-0x50]; the leading characters are outside this sequence
            //   c745b06970746f       | mov                 dword ptr [ebp - 0x50], 0x6f747069
            //   c745b472536163       | mov                 dword ptr [ebp - 0x4c], 0x63615372
            //   66c745b86c00         | mov                 word ptr [ebp - 0x48], 0x6c
            //   ff15????????         | call                dword ptr [imm32]

        $sequence_4 = { c7850401000030102d36 c785080100003025213c 66c7850c0100003a3b c6850e01000055 c745c007303431 }
            // n = 5, score = 200
            // XOR-0x55 stack strings: [ebp+0x104..0x10e] -> "eException\0" (prefix outside the sequence), [ebp-0x40] -> "Read"
            //   c7850401000030102d36     | mov    dword ptr [ebp + 0x104], 0x362d1030
            //   c785080100003025213c     | mov    dword ptr [ebp + 0x108], 0x3c212530
            //   66c7850c0100003a3b     | mov    word ptr [ebp + 0x10c], 0x3b3a
            //   c6850e01000055       | mov                 byte ptr [ebp + 0x10e], 0x55
            //   c745c007303431       | mov                 dword ptr [ebp - 0x40], 0x31343007

        $sequence_5 = { 488bd8 ffd3 488d4d70 488bf8 ffd3 }
            // n = 5, score = 200
            // x64 code (0x48 = REX.W): two indirect calls through rbx with a stack buffer passed in rcx
            //   488bd8               | mov                 rbx, rax
            //   ffd3                 | call                rbx
            //   488d4d70             | lea                 rcx, [rbp + 0x70]
            //   488bf8               | mov                 rdi, rax
            //   ffd3                 | call                rbx

        $sequence_6 = { c6458e55 c744245033273034 66c74424543155 c744243033273030 c644243455 c744244033263030 66c74424443e55 }
            // n = 7, score = 200
            // XOR-0x55 stack strings: [esp+0x50] -> "fread\0", [esp+0x30] -> "free\0", [esp+0x40] -> "fseek\0"; [ebp-0x72] terminates a string outside the sequence
            //   c6458e55             | mov                 byte ptr [ebp - 0x72], 0x55
            //   c744245033273034     | mov                 dword ptr [esp + 0x50], 0x34302733
            //   66c74424543155       | mov                 word ptr [esp + 0x54], 0x5531
            //   c744243033273030     | mov                 dword ptr [esp + 0x30], 0x30302733
            //   c644243455           | mov                 byte ptr [esp + 0x34], 0x55
            //   c744244033263030     | mov                 dword ptr [esp + 0x40], 0x30302633
            //   66c74424443e55       | mov                 word ptr [esp + 0x44], 0x553e

        $sequence_7 = { c6852e01000055 c745b0193a3431 c745b4193c3727 c745b834272c14 c645bc55 c7854001000030163930 c78544010000343b2025 }
            // n = 7, score = 200
            // XOR-0x55 stack strings: [ebp-0x50..-0x44] -> "LoadLibraryA\0", [ebp+0x140..] -> "eCleanup"; [ebp+0x12e] terminates a string outside the sequence
            //   c6852e01000055       | mov                 byte ptr [ebp + 0x12e], 0x55
            //   c745b0193a3431       | mov                 dword ptr [ebp - 0x50], 0x31343a19
            //   c745b4193c3727       | mov                 dword ptr [ebp - 0x4c], 0x27373c19
            //   c745b834272c14       | mov                 dword ptr [ebp - 0x48], 0x142c2734
            //   c645bc55             | mov                 byte ptr [ebp - 0x44], 0x55
            //   c7854001000030163930     | mov    dword ptr [ebp + 0x140], 0x30391630
            //   c78544010000343b2025     | mov    dword ptr [ebp + 0x144], 0x25203b34

        $sequence_8 = { c7851401000021300527 c785180100003a363026 66c7851c0100002602 c6851e01000055 }
            // n = 4, score = 200
            // XOR-0x55 stack string: [ebp+0x114..0x11e] -> "teProcessW\0"; with [ebp+0x110] = "Crea" from $sequence_2 this is "CreateProcessW"
            //   c7851401000021300527     | mov    dword ptr [ebp + 0x114], 0x27053021
            //   c785180100003a363026     | mov    dword ptr [ebp + 0x118], 0x2630363a
            //   66c7851c0100002602     | mov    word ptr [ebp + 0x11c], 0x226
            //   c6851e01000055       | mov                 byte ptr [ebp + 0x11e], 0x55

        $sequence_9 = { c7854cffffff00000000 c78548ffffff00000000 c78554ffffff00000000 c78550ffffff00000000 c745bc53003a00 c745c028004d00 c745c44c003b00 }
            // n = 7, score = 100
            // Zero-fills four dwords, then stores UTF-16 L"S:(ML;" at [ebp-0x44] — the start of an SDDL SACL mandatory-label ACE; remainder of the string is outside the sequence
            //   c7854cffffff00000000     | mov    dword ptr [ebp - 0xb4], 0
            //   c78548ffffff00000000     | mov    dword ptr [ebp - 0xb8], 0
            //   c78554ffffff00000000     | mov    dword ptr [ebp - 0xac], 0
            //   c78550ffffff00000000     | mov    dword ptr [ebp - 0xb0], 0
            //   c745bc53003a00       | mov                 dword ptr [ebp - 0x44], 0x3a0053
            //   c745c028004d00       | mov                 dword ptr [ebp - 0x40], 0x4d0028
            //   c745c44c003b00       | mov                 dword ptr [ebp - 0x3c], 0x3b004c

        $sequence_10 = { 56 ffd3 8987d8000000 8d87dc000000 }
            // n = 4, score = 100
            // 32-bit: indirect call through ebx, result stored into a structure at edi
            //   56                   | push                esi
            //   ffd3                 | call                ebx
            //   8987d8000000         | mov                 dword ptr [edi + 0xd8], eax
            //   8d87dc000000         | lea                 eax, [edi + 0xdc]

        $sequence_11 = { 68???????? ff15???????? 8b4dfc 33c0 5f 5e }
            // n = 6, score = 100
            // 32-bit function epilogue after an import call (eax = 0 return, [ebp-4] is probably a saved/cookie value — unverified)
            //   68????????           | push                imm32
            //   ff15????????         | call                dword ptr [imm32]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_12 = { 8bf8 85ff 7514 8d45ac 50 ff15???????? }
            // n = 6, score = 100
            // 32-bit: test a returned handle/pointer in edi, then pass a stack buffer to an import call
            //   8bf8                 | mov                 edi, eax
            //   85ff                 | test                edi, edi
            //   7514                 | jne                 $+0x16
            //   8d45ac               | lea                 eax, [ebp - 0x54]
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [imm32]

        $sequence_13 = { 57 ff15???????? 8b85b8fdffff ffb5bcfdffff a3???????? }
            // n = 5, score = 100
            // 32-bit: import call, then a large-frame local is read and the result saved to a global
            //   57                   | push                edi
            //   ff15????????         | call                dword ptr [imm32]
            //   8b85b8fdffff         | mov                 eax, dword ptr [ebp - 0x248]
            //   ffb5bcfdffff         | push                dword ptr [ebp - 0x244]
            //   a3????????           | mov                 dword ptr [imm32], eax

        $sequence_14 = { 68???????? e8???????? 6a03 68???????? 8d0c45ac880110 8bc1 }
            // n = 6, score = 100
            // 32-bit: table lookup at an absolute address (0x100188ac + eax*2), indicating a fixed 0x10000000 image base
            //   68????????           | push                imm32
            //   e8????????           | call                rel32
            //   6a03                 | push                3
            //   68????????           | push                imm32
            //   8d0c45ac880110       | lea                 ecx, [eax*2 + 0x100188ac]
            //   8bc1                 | mov                 eax, ecx

        $sequence_15 = { 8d45c8 50 ffd6 8bf8 8d8558ffffff }
            // n = 5, score = 100
            // 32-bit: stack buffer passed to an indirect call through esi, result kept in edi
            //   8d45c8               | lea                 eax, [ebp - 0x38]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8bf8                 | mov                 edi, eax
            //   8d8558ffffff         | lea                 eax, [ebp - 0xa8]

    condition:
        // 7 of 16 sequences; the 32-bit-only ($sequence_10..15) and x64-only ($sequence_5) sequences
        // cannot all match in one binary, so the effective threshold is 7 of the ~10-15 applicable ones
        7 of them and filesize < 311296
}