win.turla_rpc

TurlaRPC

Actor(s): Turla Group


No description has been written for this family yet; the references below are the only sourcing for it at this point.

References
2021-02-19 · Palo Alto Networks Unit 42 · Dominik Reichel
@online{reichel:20210219:ironnetinjector:07c7f33, author = {Dominik Reichel}, title = {{IronNetInjector: Turla’s New Malware Loading Tool}}, date = {2021-02-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ironnetinjector/}, language = {English}, urldate = {2021-02-20} } IronNetInjector: Turla’s New Malware Loading Tool
Agent.BTZ TurlaRPC
2020-10-28 · Accenture · Cyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2019-05-29 · ESET Research · Matthieu Faou, Romain Dumont
@online{faou:20190529:dive:3afd32e, author = {Matthieu Faou and Romain Dumont}, title = {{A dive into Turla PowerShell usage}}, date = {2019-05-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/}, language = {English}, urldate = {2019-11-14} } A dive into Turla PowerShell usage
PowerShellRunner TurlaRPC
Yara Rules
[TLP:WHITE] win_turla_rpc_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_turla_rpc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): what these byte sequences actually key on.
     * Most sequences are runs of `mov [stack], imm` that assemble a short
     * string on the stack a dword at a time.  XOR-decoding the immediates
     * with the single byte 0x55 yields Win32 / CRT API names (worked out per
     * sequence below); the recurring trailing byte 0x55 is the encoded NUL
     * terminator (0x00 ^ 0x55).  Practical consequences:
     *   - the plaintext names never appear in the file, so plain-string
     *     hunting for e.g. "CreateProcessW" will not find these samples;
     *     hunt on the decoded stack strings after unpacking/emulation;
     *   - a build that changes the XOR key, the stack layout or the set of
     *     resolved APIs drops most of these strings at once, so a miss on
     *     this rule is weak evidence only;
     *   - $sequence_10/14/15 embed absolute addresses (0x100186d8,
     *     0x10003548) that pin them to one build and image base, and they
     *     look like CRT runtime code rather than family-specific logic.
     * Several of the generator's disassembly comments were misaligned with
     * their byte strings in the published listing; the affected ones
     * ($sequence_0, _1, _2, _7) have been re-derived from the bytes.
     * $sequence_2 carries REX.W (0x48) prefixes, i.e. 64-bit code that the
     * generator decoded as 32-bit, which suggests the score-200 sequences
     * were drawn from both an x86 and an x64 sample — TODO confirm.
     */


    strings:
        // XOR 0x55 -> "...Time" "out\0" "rIf2"(fragment); builds an API name such as "...Timeout"
        $sequence_0 = { c6854801000055 c78560010000013c3830 c785640100003a202155 c785a8010000271c3367 }
            // n = 4, score = 200
            //   c6854801000055       | mov                 byte ptr [ebp + 0x148], 0x55
            //   c78560010000013c3830     | mov    dword ptr [ebp + 0x160], 0x30383c01
            //   c785640100003a202155     | mov    dword ptr [ebp + 0x164], 0x5521203a
            //   c785a8010000271c3367     | mov    dword ptr [ebp + 0x1a8], 0x67331c27

        // XOR 0x55 -> "Clos" "eHan" "dle\0" "Crea" : "CloseHandle" followed by the start of "Create..."
        $sequence_1 = { c7455016393a26 c74554301d343b c7455831393055 c7456016273034 }
            // n = 4, score = 200
            //   c7455016393a26       | mov                 dword ptr [ebp + 0x50], 0x263a3916
            //   c74554301d343b       | mov                 dword ptr [ebp + 0x54], 0x3b341d30
            //   c7455831393055       | mov                 dword ptr [ebp + 0x58], 0x55303931
            //   c7456016273034       | mov                 dword ptr [ebp + 0x60], 0x34302716

        // 64-bit code (REX.W prefixes); three calls through rbx with rcx pointing at stack buffers
        $sequence_2 = { ffd3 488d4d70 488bf8 ffd3 488d4d10 488bf0 ffd3 }
            // n = 7, score = 200
            //   ffd3                 | call                rbx
            //   488d4d70             | lea                 rcx, [rbp + 0x70]
            //   488bf8               | mov                 rdi, rax
            //   ffd3                 | call                rbx
            //   488d4d10             | lea                 rcx, [rbp + 0x10]
            //   488bf0               | mov                 rsi, rax
            //   ffd3                 | call                rbx

        // XOR 0x55 -> "Crea" "tePr" "oces" "sW" : "CreateProcessW"
        $sequence_3 = { c7851001000016273034 c7851401000021300527 c785180100003a363026 66c7851c0100002602 }
            // n = 4, score = 200
            //   c7851001000016273034     | mov    dword ptr [ebp + 0x110], 0x34302716
            //   c7851401000021300527     | mov    dword ptr [ebp + 0x114], 0x27053021
            //   c785180100003a363026     | mov    dword ptr [ebp + 0x118], 0x2630363a
            //   66c7851c0100002602     | mov    word ptr [ebp + 0x11c], 0x226

        // XOR 0x55 -> "rt.d" "ll" "\0" : tail of a "...rt.dll" name; then "kern" "el32" : "kernel32"
        $sequence_4 = { c7452427217b31 66c745283939 c6452a55 c745703e30273b c7457430396667 }
            // n = 5, score = 200
            //   c7452427217b31       | mov                 dword ptr [ebp + 0x24], 0x317b2127
            //   66c745283939         | mov                 word ptr [ebp + 0x28], 0x3939
            //   c6452a55             | mov                 byte ptr [ebp + 0x2a], 0x55
            //   c745703e30273b       | mov                 dword ptr [ebp + 0x70], 0x3b27303e
            //   c7457430396667       | mov                 dword ptr [ebp + 0x74], 0x67663930

        // Plain ASCII (not XORed): "ipto" "rSac" "l\0" — tail of a "...DescriptorSacl" API name, presumably
        // Get/SetSecurityDescriptorSacl — TODO confirm; followed by an indirect call through a wildcarded address
        $sequence_5 = { c745b06970746f c745b472536163 66c745b86c00 ff15???????? }
            // n = 4, score = 200
            //   c745b06970746f       | mov                 dword ptr [ebp - 0x50], 0x6f747069
            //   c745b472536163       | mov                 dword ptr [ebp - 0x4c], 0x63615372
            //   66c745b86c00         | mov                 word ptr [ebp - 0x48], 0x6c
            //   ff15????????         | call                dword ptr [abs32]   (target wildcarded)

        // XOR 0x55 -> "GetV" "ersi" "onEx" : "GetVersionEx"; surrounding movdqu copies a 16-byte constant
        $sequence_6 = { f30f7f8550010000 660f6f05???????? c6858c00000055 c785e000000012302103 c785e40000003027263c c785e80000003a3b102d f30f7f85e0010000 }
            // n = 7, score = 200
            //   f30f7f8550010000     | movdqu              xmmword ptr [ebp + 0x150], xmm0
            //   660f6f05????????     | movdqa              xmm0, xmmword ptr [abs32]   (source wildcarded)
            //   c6858c00000055       | mov                 byte ptr [ebp + 0x8c], 0x55
            //   c785e000000012302103     | mov    dword ptr [ebp + 0xe0], 0x3213012
            //   c785e40000003027263c     | mov    dword ptr [ebp + 0xe4], 0x3c262730
            //   c785e80000003a3b102d     | mov    dword ptr [ebp + 0xe8], 0x2d103b3a
            //   f30f7f85e0010000     | movdqu              xmmword ptr [ebp + 0x1e0], xmm0

        // XOR 0x55 -> "_wfo" "pen\0" : "_wfopen"; "call" "oc" "\0" : "calloc"; "fclo" : start of "fclose"
        $sequence_7 = { c6450a55 c745980a22333a c7459c25303b55 c744247836343939 66c744247c3a36 c644247e55 c745883336393a }
            // n = 7, score = 200
            //   c6450a55             | mov                 byte ptr [ebp + 0xa], 0x55
            //   c745980a22333a       | mov                 dword ptr [ebp - 0x68], 0x3a33220a
            //   c7459c25303b55       | mov                 dword ptr [ebp - 0x64], 0x553b3025
            //   c744247836343939     | mov                 dword ptr [esp + 0x78], 0x39393436
            //   66c744247c3a36       | mov                 word ptr [esp + 0x7c], 0x363a
            //   c644247e55           | mov                 byte ptr [esp + 0x7e], 0x55
            //   c745883336393a       | mov                 dword ptr [ebp - 0x78], 0x3a393633

        // XOR 0x55 -> "wcsc" "mp" "\0" : "wcscmp"; "wcsn" "cat\0" : "wcsncat"; "wcsl" : start of "wcslen"
        $sequence_8 = { c644247655 c744246022362636 66c74424643825 c644246655 c745902236263b c7459436342155 c744245822362639 }
            // n = 7, score = 200
            //   c644247655           | mov                 byte ptr [esp + 0x76], 0x55
            //   c744246022362636     | mov                 dword ptr [esp + 0x60], 0x36263622
            //   66c74424643825       | mov                 word ptr [esp + 0x64], 0x2538
            //   c644246655           | mov                 byte ptr [esp + 0x66], 0x55
            //   c745902236263b       | mov                 dword ptr [ebp - 0x70], 0x3b263622
            //   c7459436342155       | mov                 dword ptr [ebp - 0x6c], 0x55213436
            //   c744245822362639     | mov                 dword ptr [esp + 0x58], 0x39263622

        // Generic call through a stack-held function pointer; no family-specific constant in here
        $sequence_9 = { 8b8d6cfdffff 89410c 8d8580feffff 50 57 ff9570fdffff 8b8d6cfdffff }
            // n = 7, score = 100
            //   8b8d6cfdffff         | mov                 ecx, dword ptr [ebp - 0x294]
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   8d8580feffff         | lea                 eax, [ebp - 0x180]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff9570fdffff         | call                dword ptr [ebp - 0x290]
            //   8b8d6cfdffff         | mov                 ecx, dword ptr [ebp - 0x294]

        // Absolute address 0x100186d8 (consistent with a DLL at the default 0x10000000 base) indexed by
        // handle, flag byte at +4 tested: looks like the CRT low-level I/O handle table — TODO confirm
        $sequence_10 = { e8???????? 59 8365fc00 8b049dd8860110 f644380401 7413 }
            // n = 6, score = 100
            //   e8????????           | call                rel32   (target wildcarded)
            //   59                   | pop                 ecx
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8b049dd8860110       | mov                 eax, dword ptr [ebx*4 + 0x100186d8]
            //   f644380401           | test                byte ptr [eax + edi + 4], 1
            //   7413                 | je                  0x15

        $sequence_11 = { c1ef02 3b850cffffff 0f47f9 85ff 7413 ff36 }
            // n = 6, score = 100
            //   c1ef02               | shr                 edi, 2
            //   3b850cffffff         | cmp                 eax, dword ptr [ebp - 0xf4]
            //   0f47f9               | cmova               edi, ecx
            //   85ff                 | test                edi, edi
            //   7413                 | je                  0x15
            //   ff36                 | push                dword ptr [esi]

        // XOR 0x55 -> "Crea" "teTh" "read" "\0" : "CreateThread"; "Dele" "teFi" : start of "DeleteFile"
        $sequence_12 = { c78538ffffff16273034 c7853cffffff2130013d c78540ffffff27303431 c68544ffffff55 c745b011303930 c745b42130133c }
            // n = 6, score = 100
            //   c78538ffffff16273034     | mov    dword ptr [ebp - 0xc8], 0x34302716
            //   c7853cffffff2130013d     | mov    dword ptr [ebp - 0xc4], 0x3d013021
            //   c78540ffffff27303431     | mov    dword ptr [ebp - 0xc0], 0x31343027
            //   c68544ffffff55       | mov                 byte ptr [ebp - 0xbc], 0x55
            //   c745b011303930       | mov                 dword ptr [ebp - 0x50], 0x30393011
            //   c745b42130133c       | mov                 dword ptr [ebp - 0x4c], 0x3c133021

        // Very generic post-call check (cdecl cleanup of 8 bytes, result tested); weak on its own
        $sequence_13 = { 83c408 8945c8 85c0 0f8480000000 }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   85c0                 | test                eax, eax
            //   0f8480000000         | je                  0x86

        // 8-byte copy loop ending in a jump-table lookup at absolute 0x10003548: looks like an
        // inlined CRT memcpy/memmove tail, i.e. build-specific runtime code — TODO confirm
        $sequence_14 = { 7311 f30f7e0e 83e908 8d7608 660fd60f 8d7f08 8b048d48350010 }
            // n = 7, score = 100
            //   7311                 | jae                 0x13
            //   f30f7e0e             | movq                xmm1, qword ptr [esi]
            //   83e908               | sub                 ecx, 8
            //   8d7608               | lea                 esi, [esi + 8]
            //   660fd60f             | movq                qword ptr [edi], xmm1
            //   8d7f08               | lea                 edi, [edi + 8]
            //   8b048d48350010       | mov                 eax, dword ptr [ecx*4 + 0x10003548]

        // Same 0x100186d8 table as $sequence_10, here clearing bit 1 of the flag byte at +4
        $sequence_15 = { 8b0485d8860110 80643004fd 8b45f8 8b55fc 5f 5e }
            // n = 6, score = 100
            //   8b0485d8860110       | mov                 eax, dword ptr [eax*4 + 0x100186d8]
            //   80643004fd           | and                 byte ptr [eax + esi + 4], 0xfd
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

    condition:
        // 7 of the 16 sequences must hit; the size cap is 311296 bytes = 304 KiB (0x4C000).
        // The cap is taken from the documented samples, so larger repacked or
        // memory-dumped builds will be excluded by size alone.
        7 of them and filesize < 311296
}