Actor(s): Turla Group
There is no description at this point.
rule win_turla_rpc_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.turla_rpc." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c74554301d343b c7455831393055 c7456016273034 c745642130133c c7456839300255 c7851001000016273034 } // n = 6, score = 200 // c74554301d343b | mov word ptr [esp + 0x44], 0x553e // c7455831393055 | mov dword ptr [esp + 0x38], 0x39302133 // c7456016273034 | mov word ptr [esp + 0x3c], 0x5539 // c745642130133c | mov dword ptr [ebp + 0x54], 0x3b341d30 // c7456839300255 | mov dword ptr [ebp + 0x58], 0x55303931 // c7851001000016273034 | mov dword ptr [ebp + 0x60], 0x34302716 $sequence_1 = { c744247836343939 66c744247c3a36 c644247e55 c745883336393a 66c7458c2630 } // n = 5, score = 200 // c744247836343939 | mov dword ptr [ebp + 0x64], 0x3c133021 // 66c744247c3a36 | mov dword ptr [ebp + 0x68], 0x55023039 // c644247e55 | mov dword ptr [ebp + 0x110], 0x34302716 // c745883336393a | mov dword ptr [esp + 0x78], 0x39393436 // 66c7458c2630 | mov word ptr [esp + 0x7c], 0x363a $sequence_2 = { c7857801000026302410 66c7857c0100002502 c6857e01000055 c7452038262336 } // n = 4, score = 200 // c7857801000026302410 | call ebx // 66c7857c0100002502 | dec eax // c6857e01000055 | lea ecx, dword ptr [ebp + 0x10] // c7452038262336 | mov dword ptr [ebp + 0x178], 0x10243026 $sequence_3 = { 66c744246c3a36 c644246e55 c745a038303838 c745a43a233055 c745a827303439 c745ac393a3655 } // n = 6, score = 200 // 66c744246c3a36 | mov byte ptr [esp + 0x7e], 0x55 // c644246e55 | mov dword ptr [ebp - 0x78], 0x3a393633 // c745a038303838 | mov word ptr [ebp - 0x74], 0x3026 // c745a43a233055 | mov word ptr [esp + 0x6c], 0x363a // c745a827303439 | mov byte ptr [esp + 0x6e], 0x55 // c745ac393a3655 | mov dword ptr [ebp - 0x60], 0x38383038 $sequence_4 = { c785c400000027273a27 c785c8000000183a3130 c685cc00000055 c785c001000030362155 c745d002273c21 c745d430133c39 } // n = 6, score = 200 // c785c400000027273a27 | mov dword ptr [ebp + 0xc0], 0x10213006 // c785c8000000183a3130 | mov dword ptr [ebp + 0xc4], 0x273a2727 // c685cc00000055 | mov dword ptr [ebp + 0xc8], 0x30313a18 // c785c001000030362155 | mov dword ptr [ebp + 0xc4], 0x273a2727 // c745d002273c21 | mov dword ptr [ebp + 0xc8], 0x30313a18 // c745d430133c39 | mov byte ptr [ebp + 0xcc], 0x55 $sequence_5 = { c745b06970746f c745b472536163 66c745b86c00 ff15???????? } // n = 4, score = 200 // c745b06970746f | mov dword ptr [ebp - 0x50], 0x6f747069 // c745b472536163 | mov dword ptr [ebp - 0x4c], 0x63615372 // 66c745b86c00 | mov word ptr [ebp - 0x48], 0x6c // ff15???????? | $sequence_6 = { 488d4d70 488bf8 ffd3 488d4d10 } // n = 4, score = 200 // 488d4d70 | dec eax // 488bf8 | lea ecx, dword ptr [ebp + 0x70] // ffd3 | dec eax // 488d4d10 | mov edi, eax $sequence_7 = { c644243455 c744244033263030 66c74424443e55 c744243833213039 66c744243c3955 } // n = 5, score = 200 // c644243455 | mov word ptr [ebp + 0x17c], 0x225 // c744244033263030 | mov byte ptr [ebp + 0x17e], 0x55 // 66c74424443e55 | mov dword ptr [ebp + 0x20], 0x36232638 // c744243833213039 | mov byte ptr [esp + 0x34], 0x55 // 66c744243c3955 | mov dword ptr [esp + 0x40], 0x30302633 $sequence_8 = { 66c744244c2555 c785c000000006302110 c785c400000027273a27 c785c8000000183a3130 } // n = 4, score = 200 // 66c744244c2555 | mov dword ptr [ebp - 0x5c], 0x5530233a // c785c000000006302110 | mov dword ptr [ebp - 0x58], 0x39343027 // c785c400000027273a27 | mov dword ptr [ebp - 0x54], 0x55363a39 // c785c8000000183a3130 | mov word ptr [esp + 0x4c], 0x5525 $sequence_9 = { c745e470006900 c745e870006500 c745ec5c006100 c745f074006300 c745f474006c00 c785c8feffff14010000 ff15???????? } // n = 7, score = 100 // c745e470006900 | mov dword ptr [ebp - 0x1c], 0x690070 // c745e870006500 | mov dword ptr [ebp - 0x18], 0x650070 // c745ec5c006100 | mov dword ptr [ebp - 0x14], 0x61005c // c745f074006300 | mov dword ptr [ebp - 0x10], 0x630074 // c745f474006c00 | mov dword ptr [ebp - 0xc], 0x6c0074 // c785c8feffff14010000 | mov dword ptr [ebp - 0x138], 0x114 // ff15???????? | $sequence_10 = { 8b9530e5ffff 8b8528e5ffff 8b8d24e5ffff 8b0485d8860110 f644010440 7409 803a1a } // n = 7, score = 100 // 8b9530e5ffff | mov edx, dword ptr [ebp - 0x1ad0] // 8b8528e5ffff | mov eax, dword ptr [ebp - 0x1ad8] // 8b8d24e5ffff | mov ecx, dword ptr [ebp - 0x1adc] // 8b0485d8860110 | mov eax, dword ptr [eax*4 + 0x100186d8] // f644010440 | test byte ptr [ecx + eax + 4], 0x40 // 7409 | je 0xb // 803a1a | cmp byte ptr [edx], 0x1a $sequence_11 = { c745d831002d00 c745dc31003600 c745e02d003000 c745e429000000 c745e861006400 } // n = 5, score = 100 // c745d831002d00 | mov dword ptr [ebp - 0x28], 0x2d0031 // c745dc31003600 | mov dword ptr [ebp - 0x24], 0x360031 // c745e02d003000 | mov dword ptr [ebp - 0x20], 0x30002d // c745e429000000 | mov dword ptr [ebp - 0x1c], 0x29 // c745e861006400 | mov dword ptr [ebp - 0x18], 0x640061 $sequence_12 = { 72e6 5e c3 6a03 e8???????? } // n = 5, score = 100 // 72e6 | jb 0xffffffe8 // 5e | pop esi // c3 | ret // 6a03 | push 3 // e8???????? | $sequence_13 = { 66c785c4feffff7000 8bff 80b40568ffffff55 40 } // n = 4, score = 100 // 66c785c4feffff7000 | mov word ptr [ebp - 0x13c], 0x70 // 8bff | mov edi, edi // 80b40568ffffff55 | xor byte ptr [ebp + eax - 0x98], 0x55 // 40 | inc eax $sequence_14 = { 8bf0 85f6 7522 8d45e8 50 ff15???????? } // n = 6, score = 100 // 8bf0 | mov esi, eax // 85f6 | test esi, esi // 7522 | jne 0x24 // 8d45e8 | lea eax, dword ptr [ebp - 0x18] // 50 | push eax // ff15???????? | $sequence_15 = { 33c0 8d4900 80b40518ffffff55 40 } // n = 4, score = 100 // 33c0 | xor eax, eax // 8d4900 | lea ecx, dword ptr [ecx] // 80b40518ffffff55 | xor byte ptr [ebp + eax - 0xe8], 0x55 // 40 | inc eax condition: 7 of them and filesize < 311296 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY