SYMBOLCOMMON_NAMEaka. SYNONYMS
win.turla_rpc (Back to overview)

TurlaRPC

Actor(s): Turla

There is no description at this point.

References
2022-09-20cocomelonc
@online{cocomelonc:20220920:malware:c0e9c97, author = {cocomelonc}, title = {{Malware development: persistence - part 11. Powershell profile. Simple C++ example.}}, date = {2022-09-20}, url = {https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html}, language = {English}, urldate = {2022-10-19} } Malware development: persistence - part 11. Powershell profile. Simple C++ example.
Turla RAT TurlaRPC
2022-06-12cocomelonc
@online{cocomelonc:20220612:malware:e988236, author = {cocomelonc}, title = {{Malware development: persistence - part 7. Winlogon. Simple C++ example.}}, date = {2022-06-12}, url = {https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 7. Winlogon. Simple C++ example.
BazarBackdoor Gazer TurlaRPC Turla SilentMoon
2022-05-02cocomelonccocomelonc
@online{cocomelonc:20220502:malware:4384b01, author = {cocomelonc}, title = {{Malware development: persistence - part 3. COM DLL hijack. Simple C++ example}}, date = {2022-05-02}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Agent.BTZ Ave Maria Konni Mosquito TurlaRPC
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-19Palo Alto Networks Unit 42Dominik Reichel
@online{reichel:20210219:ironnetinjector:07c7f33, author = {Dominik Reichel}, title = {{IronNetInjector: Turla’s New Malware Loading Tool}}, date = {2021-02-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ironnetinjector/}, language = {English}, urldate = {2021-02-20} } IronNetInjector: Turla’s New Malware Loading Tool
Agent.BTZ IronNetInjector TurlaRPC
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2019-05-29ESET ResearchMatthieu Faou, Romain Dumont
@online{faou:20190529:dive:3afd32e, author = {Matthieu Faou and Romain Dumont}, title = {{A dive into Turla PowerShell usage}}, date = {2019-05-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/}, language = {English}, urldate = {2019-11-14} } A dive into Turla PowerShell usage
PowerShellRunner TurlaRPC
Yara Rules
[TLP:WHITE] win_turla_rpc_auto (20230715 | Detects win.turla_rpc.)
rule win_turla_rpc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.turla_rpc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 66c7442474303b c644247655 c744246022362636 66c74424643825 c644246655 }
            // n = 5, score = 200
            //   66c7442474303b       | mov                 word ptr [ebp + 0x28], 0x3939
            //   c644247655           | mov                 byte ptr [ebp + 0x2a], 0x55
            //   c744246022362636     | mov                 dword ptr [ebp + 0x70], 0x3b27303e
            //   66c74424643825       | mov                 dword ptr [ebp + 0x74], 0x67663930
            //   c644246655           | mov                 word ptr [esp + 0x74], 0x3b30

        $sequence_1 = { 66c7458c2630 c6458e55 c744245033273034 66c74424543155 }
            // n = 4, score = 200
            //   66c7458c2630         | dec                 eax
            //   c6458e55             | lea                 ecx, [esp + 0x20]
            //   c744245033273034     | inc                 ecx
            //   66c74424543155       | mov                 eax, 1

        $sequence_2 = { f30f7f8d98010000 c785b800000027273a27 c685bc00000055 c685d801000055 f30f7f85b0010000 660f6f05???????? }
            // n = 6, score = 200
            //   f30f7f8d98010000     | mov                 byte ptr [esp + 0x76], 0x55
            //   c785b800000027273a27     | mov    dword ptr [esp + 0x60], 0x36263622
            //   c685bc00000055       | mov                 word ptr [esp + 0x64], 0x2538
            //   c685d801000055       | mov                 byte ptr [esp + 0x66], 0x55
            //   f30f7f85b0010000     | movdqu              xmmword ptr [ebp + 0x198], xmm1
            //   660f6f05????????     |                     

        $sequence_3 = { 66c7850c0100003a3b c6850e01000055 c745c007303431 c745c4133c3930 c645c855 }
            // n = 5, score = 200
            //   66c7850c0100003a3b     | mov    word ptr [ebp + 0x10c], 0x3b3a
            //   c6850e01000055       | mov                 byte ptr [ebp + 0x10e], 0x55
            //   c745c007303431       | mov                 dword ptr [ebp - 0x40], 0x31343007
            //   c745c4133c3930       | mov                 dword ptr [ebp - 0x3c], 0x30393c13
            //   c645c855             | mov                 byte ptr [ebp - 0x38], 0x55

        $sequence_4 = { 660f6f05???????? c6858c00000055 c785e000000012302103 c785e40000003027263c c785e80000003a3b102d f30f7f85e0010000 660f6f05???????? }
            // n = 7, score = 200
            //   660f6f05????????     |                     
            //   c6858c00000055       | mov                 word ptr [ebp - 0x74], 0x3026
            //   c785e000000012302103     | mov    byte ptr [ebp - 0x72], 0x55
            //   c785e40000003027263c     | mov    dword ptr [esp + 0x50], 0x34302733
            //   c785e80000003a3b102d     | mov    word ptr [esp + 0x54], 0x5531
            //   f30f7f85e0010000     | mov                 byte ptr [ebp + 0x8c], 0x55
            //   660f6f05????????     |                     

        $sequence_5 = { 66c745283939 c6452a55 c745703e30273b c7457430396667 }
            // n = 4, score = 200
            //   66c745283939         | mov                 dword ptr [ebp + 0xe0], 0x3213012
            //   c6452a55             | mov                 dword ptr [ebp + 0xe4], 0x3c262730
            //   c745703e30273b       | mov                 dword ptr [ebp + 0xe8], 0x2d103b3a
            //   c7457430396667       | movdqu              xmmword ptr [ebp + 0x1e0], xmm0

        $sequence_6 = { c745b06970746f c745b472536163 66c745b86c00 ff15???????? }
            // n = 4, score = 200
            //   c745b06970746f       | mov                 dword ptr [ebp + 0x84], 0x5253830
            //   c745b472536163       | mov                 dword ptr [ebp + 0x88], 0x23d2134
            //   66c745b86c00         | movdqu              xmmword ptr [ebp + 0x130], xmm0
            //   ff15????????         |                     

        $sequence_7 = { f30f7f85e0010000 660f6f05???????? f30f7f8580010000 660f6f05???????? 66c785ec0000000255 c785a0000000193a3431 c785a4000000193c3727 }
            // n = 7, score = 200
            //   f30f7f85e0010000     | mov                 dword ptr [ebp + 0xb8], 0x273a2727
            //   660f6f05????????     |                     
            //   f30f7f8580010000     | mov                 byte ptr [ebp + 0xbc], 0x55
            //   660f6f05????????     |                     
            //   66c785ec0000000255     | mov    byte ptr [ebp + 0x1d8], 0x55
            //   c785a0000000193a3431     | movdqu    xmmword ptr [ebp + 0x1b0], xmm0
            //   c785a4000000193c3727     | movdqu    xmmword ptr [ebp + 0x1e0], xmm0

        $sequence_8 = { c3 488d053bda0000 488d542458 488d4c2420 41b801000000 }
            // n = 5, score = 200
            //   c3                   | ret                 
            //   488d053bda0000       | dec                 eax
            //   488d542458           | lea                 eax, [0xda3b]
            //   488d4c2420           | dec                 eax
            //   41b801000000         | lea                 edx, [esp + 0x58]

        $sequence_9 = { 85ff 7514 8d45ac 50 ff15???????? }
            // n = 5, score = 100
            //   85ff                 | je                  0x85
            //   7514                 | lea                 eax, [esp + 0x260]
            //   8d45ac               | push                eax
            //   50                   | push                esi
            //   ff15????????         |                     

        $sequence_10 = { 83c414 8d85b8fdffff 50 8d8574fdffff 50 }
            // n = 5, score = 100
            //   83c414               | test                edi, edi
            //   8d85b8fdffff         | jne                 0x18
            //   50                   | lea                 eax, [ebp - 0x54]
            //   8d8574fdffff         | push                eax
            //   50                   | add                 esp, 0x14

        $sequence_11 = { 83feff 741d 6a00 8d45f8 50 }
            // n = 5, score = 100
            //   83feff               | push                eax
            //   741d                 | add                 esp, 4
            //   6a00                 | push                2
            //   8d45f8               | push                0
            //   50                   | cmp                 esi, -1

        $sequence_12 = { 8bf0 85f6 747f 8d842460020000 50 56 ff15???????? }
            // n = 7, score = 100
            //   8bf0                 | mov                 dword ptr [edi], eax
            //   85f6                 | add                 esp, 4
            //   747f                 | push                2
            //   8d842460020000       | push                0
            //   50                   | mov                 esi, eax
            //   56                   | test                esi, esi
            //   ff15????????         |                     

        $sequence_13 = { e8???????? 83c404 6a02 ff15???????? 6a00 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c404               | inc                 eax
            //   6a02                 | push                1
            //   ff15????????         |                     
            //   6a00                 | push                eax

        $sequence_14 = { 40 83f80d 72f5 33c0 8d4900 80b40518ffffff55 }
            // n = 6, score = 100
            //   40                   | movdqu              xmmword ptr [ebp + 0x150], xmm0
            //   83f80d               | mov                 dword ptr [ebp - 0x50], 0x6f747069
            //   72f5                 | mov                 dword ptr [ebp - 0x4c], 0x63615372
            //   33c0                 | mov                 word ptr [ebp - 0x48], 0x6c
            //   8d4900               | inc                 eax
            //   80b40518ffffff55     | cmp                 eax, 0xd

        $sequence_15 = { 56 ff15???????? 40 6a01 50 8907 }
            // n = 6, score = 100
            //   56                   | jb                  0xfffffffa
            //   ff15????????         |                     
            //   40                   | xor                 eax, eax
            //   6a01                 | lea                 ecx, [ecx]
            //   50                   | xor                 byte ptr [ebp + eax - 0xe8], 0x55
            //   8907                 | push                esi

    condition:
        7 of them and filesize < 311296
}
Download all Yara Rules