win.turla_rpc

TurlaRPC

Actor(s): Turla


There is no description at this point.

References
2022-09-20 cocomelonc
Malware development: persistence - part 11. Powershell profile. Simple C++ example.
Turla RAT TurlaRPC
2022-06-12 cocomelonc
Malware development: persistence - part 7. Winlogon. Simple C++ example.
BazarBackdoor Gazer TurlaRPC Turla SilentMoon
2022-05-02 cocomelonc — cocomelonc
Malware development: persistence - part 3. COM DLL hijack. Simple C++ example
Agent.BTZ Ave Maria Konni Mosquito TurlaRPC
2021-02-28 PWC UK — PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-19 Palo Alto Networks Unit 42 — Dominik Reichel
IronNetInjector: Turla’s New Malware Loading Tool
Agent.BTZ IronNetInjector TurlaRPC
2020-10-28 Accenture — Cyber Defense
Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2019-05-29 ESET Research — Matthieu Faou, Romain Dumont
A dive into Turla PowerShell usage
PowerShellRunner TurlaRPC
Yara Rules
[TLP:WHITE] win_turla_rpc_auto (20260504 | Detects win.turla_rpc.)
rule win_turla_rpc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.turla_rpc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (added on review, not part of the generated rule)
     *
     * 1. The hex byte sequences are the only authoritative content below. The
     *    "// bytes | mnemonic" annotations emitted by the generator are NOT
     *    aligned with the bytes they sit next to: the mnemonic column is
     *    shifted by one or more rows (e.g. in $sequence_3 "c3" is annotated
     *    as "pop ebx" and "5b" as "add esp, 0x40"), and in $sequence_10 the
     *    annotations belong to $sequence_5's immediates. Do not use them to
     *    reason about what a sequence matches; re-disassemble the bytes.
     *
     * 2. Bytes 48/4c at the start of instructions in $sequence_0 and
     *    $sequence_3 are REX prefixes, i.e. these look like x64 code that the
     *    generator decoded in 32-bit mode ("dec eax" / "dec esp"). The
     *    score=200 sequences are presumably shared by two samples and the
     *    score=100 sequences (9-15, classic 32-bit push/ebp idioms) by one --
     *    verify against the Malpedia sample set before relying on that split.
     *
     * 3. Several sequences are stack-string constructions whose 32-bit and
     *    16-bit immediates XOR-decode with single-byte key 0x55 (a lone 0x55
     *    byte is the encoded NUL terminator). Decoding the bytes as written
     *    gives, for example:
     *      $sequence_1 : "fread\0", "free\0"
     *      $sequence_2 : "fwrite\0", "malloc\0"
     *      $sequence_4 : "ReadFile\0", "Sleep\0"
     *      $sequence_6 : "...leW\0", "CreateProcessW"
     *      $sequence_7 : "LoadLibraryW", plus a trailing "W\0"
     *      $sequence_8 : "...loc\0", "strlen\0", "wcsc..."
     *    These are generic CRT/Win32 import names, so the sequences are
     *    specific because of the exact stack slots and encoding, not because
     *    of the names themselves. A companion hunting rule could express the
     *    same names as text strings with the xor(0x55) modifier (plus "ascii
     *    wide"), which would survive recompilation that moves the stack slots.
     *    $sequence_5 is plain ASCII "iptorSacl\0" (tail of a longer
     *    identifier -- presumably a *SecurityDescriptorSacl API; confirm),
     *    and $sequence_12 writes UTF-16 fragments "S-1-16-0)" and "adva"
     *    (S-1-16-0 is presumably the untrusted mandatory-integrity SID;
     *    confirm in the sample).
     *
     * 4. $sequence_14 embeds the absolute address 0x10015440, i.e. it is tied
     *    to one sample's image base and will not match a relocated or
     *    rebased load of the same code.
     *
     * 5. The condition needs 7 of the 16 sequences, so a single-architecture
     *    sample is expected to satisfy it through the architecture-neutral
     *    stack-string sequences. The "filesize < 311296" bound is derived
     *    from the reference samples; check how your scanner populates
     *    filesize when scanning process memory rather than files, and relax
     *    the bound if you expect padded or repacked variants.
     */

    strings:
        // x64 (REX-prefixed) code: call, save result, test, branch, load fields.
        $sequence_0 = { e8???????? 488bd8 4885c0 744e 4c8b4708 488b17 488bcb }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488bd8               | mov                 dword ptr [esp + 0x30], 0x30302733
            //   4885c0               | mov                 byte ptr [esp + 0x34], 0x55
            //   744e                 | dec                 eax
            //   4c8b4708             | mov                 ebx, eax
            //   488b17               | dec                 eax
            //   488bcb               | test                eax, eax

        // XOR-0x55 stack strings: "fread\0" at [esp+0x50], "free\0" at [esp+0x30].
        $sequence_1 = { c744245033273034 66c74424543155 c744243033273030 c644243455 }
            // n = 4, score = 200
            //   c744245033273034     | mov                 dword ptr [esp + 0x48], 0x30303906
            //   66c74424543155       | mov                 word ptr [esp + 0x4c], 0x5525
            //   c744243033273030     | mov                 dword ptr [esp + 0x50], 0x34302733
            //   c644243455           | mov                 word ptr [esp + 0x54], 0x5531

        // XOR-0x55 stack strings: "fwrite\0" at [ebp-0x80], "malloc\0" at [esp+0x68].
        $sequence_2 = { c745803322273c 66c745842130 c6458655 c744246838343939 66c744246c3a36 c644246e55 }
            // n = 6, score = 200
            //   c745803322273c       | je                  0x53
            //   66c745842130         | dec                 esp
            //   c6458655             | mov                 eax, dword ptr [edi + 8]
            //   c744246838343939     | dec                 eax
            //   66c744246c3a36       | mov                 edx, dword ptr [edi]
            //   c644246e55           | dec                 eax

        // x64 function epilogue (add rsp,0x40 / pop rbx / ret) followed by a RIP-relative lea.
        $sequence_3 = { 74e7 4883c440 5b c3 488d053bda0000 }
            // n = 5, score = 200
            //   74e7                 | je                  0xffffffe9
            //   4883c440             | dec                 eax
            //   5b                   | add                 esp, 0x40
            //   c3                   | pop                 ebx
            //   488d053bda0000       | ret                 

        // XOR-0x55 stack strings: "ReadFile\0" at [ebp-0x40], "Sleep\0" at [esp+0x48].
        $sequence_4 = { c745c007303431 c745c4133c3930 c645c855 c744244806393030 66c744244c2555 }
            // n = 5, score = 200
            //   c745c007303431       | dec                 eax
            //   c745c4133c3930       | lea                 eax, [0xda3b]
            //   c645c855             | mov                 dword ptr [ebp - 0x40], 0x31343007
            //   c744244806393030     | mov                 dword ptr [ebp - 0x3c], 0x30393c13
            //   66c744244c2555       | mov                 byte ptr [ebp - 0x38], 0x55

        // Plain ASCII stack string "iptorSacl\0" at [ebp-0x50], then an indirect call.
        $sequence_5 = { c745b06970746f c745b472536163 66c745b86c00 ff15???????? }
            // n = 4, score = 200
            //   c745b06970746f       | mov                 dword ptr [esp + 0x60], 0x36263622
            //   c745b472536163       | mov                 byte ptr [ebp + 0xa], 0x55
            //   66c745b86c00         | mov                 dword ptr [ebp - 0x68], 0x3a33220a
            //   ff15????????         |                     

        // XOR-0x55 stack strings: "leW\0" at [ebp+0x68], "CreateProcessW" at [ebp+0x110].
        $sequence_6 = { c7456839300255 c7851001000016273034 c7851401000021300527 c785180100003a363026 66c7851c0100002602 }
            // n = 5, score = 200
            //   c7456839300255       | mov                 dword ptr [ebp + 0x68], 0x55023039
            //   c7851001000016273034     | mov    dword ptr [ebp + 0x110], 0x34302716
            //   c7851401000021300527     | mov    dword ptr [ebp + 0x114], 0x27053021
            //   c785180100003a363026     | mov    dword ptr [ebp + 0x118], 0x2630363a
            //   66c7851c0100002602     | mov    word ptr [ebp + 0x11c], 0x226

        // XOR-0x55 stack string "LoadLibraryW" at [ebp+0xa0] built around an XMM copy (movdqa/movdqu).
        $sequence_7 = { 660f6f05???????? 66c785ec0000000255 c785a0000000193a3431 c785a4000000193c3727 c785a800000034272c02 f30f7f8568010000 c685ac00000055 }
            // n = 7, score = 200
            //   660f6f05????????     |                     
            //   66c785ec0000000255     | mov    ecx, ebx
            //   c785a0000000193a3431     | mov    dword ptr [ebp - 0x80], 0x3c272233
            //   c785a4000000193c3727     | mov    word ptr [ebp - 0x7c], 0x3021
            //   c785a800000034272c02     | mov    byte ptr [ebp - 0x7a], 0x55
            //   f30f7f8568010000     | mov                 dword ptr [esp + 0x68], 0x39393438
            //   c685ac00000055       | mov                 word ptr [esp + 0x6c], 0x363a

        // XOR-0x55 stack strings: "loc\0" tail at [ebp-0x54], "strlen\0" at [esp+0x70], "wcsc" at [esp+0x60].
        $sequence_8 = { c745ac393a3655 c744247026212739 66c7442474303b c644247655 c744246022362636 }
            // n = 5, score = 200
            //   c745ac393a3655       | mov                 dword ptr [ebp - 0x54], 0x55363a39
            //   c744247026212739     | mov                 dword ptr [esp + 0x70], 0x39272126
            //   66c7442474303b       | mov                 word ptr [esp + 0x74], 0x3b30
            //   c644247655           | mov                 byte ptr [esp + 0x76], 0x55
            //   c744246022362636     | mov                 dword ptr [esp + 0x60], 0x36263622

        // 32-bit code: branch, nop-style lea esp,[esp], lea eax,[edi*2+2], push eax (score 100: single sample).
        $sequence_9 = { 7434 8da42400000000 8d047d02000000 50 }
            // n = 4, score = 100
            //   7434                 | push                eax
            //   8da42400000000       | push                dword ptr [ebp - 0xb4]
            //   8d047d02000000       | call                esi
            //   50                   | lea                 eax, [ebp + 0x18]

        // 32-bit argument push sequence (lea/push/push 0/push 0/push [ebp-0x40]); annotations below belong to $sequence_5.
        $sequence_10 = { 74ab 8d45c4 50 57 6a00 6a00 ff75c0 }
            // n = 7, score = 100
            //   74ab                 | mov                 dword ptr [ebp - 0x64], 0x553b3025
            //   8d45c4               | mov                 dword ptr [esp + 0x78], 0x39393436
            //   50                   | mov                 word ptr [esp + 0x7c], 0x363a
            //   6a00                 | mov                 byte ptr [esp + 0x7e], 0x55
            //   6a00                 | mov                 dword ptr [ebp - 0x50], 0x6f747069
            //   6a00                 | mov                 dword ptr [ebp - 0x4c], 0x63615372
            //   ff75c0               | mov                 word ptr [ebp - 0x48], 0x6c

        // 32-bit epilogue with stack-cookie check (mov eax,2 / pop edi,esi,ebx / mov ecx,[esp+0x280] / xor ecx,esp).
        $sequence_11 = { b802000000 5f 5e 5b 8b8c2480020000 33cc }
            // n = 6, score = 100
            //   b802000000           | mov                 dword ptr [ebp - 0x2c], 0x2d0053
            //   5f                   | mov                 dword ptr [ebp - 0x28], 0x2d0031
            //   5e                   | mov                 dword ptr [ebp - 0x24], 0x360031
            //   5b                   | mov                 dword ptr [ebp - 0x20], 0x30002d
            //   8b8c2480020000       | mov                 dword ptr [ebp - 0x1c], 0x29
            //   33cc                 | mov                 dword ptr [ebp - 0x18], 0x640061

        // UTF-16 stack string: "S-1-16-0)" terminated at [ebp-0x1c], then "adva" at [ebp-0x18].
        $sequence_12 = { c745d453002d00 c745d831002d00 c745dc31003600 c745e02d003000 c745e429000000 c745e861006400 c745ec76006100 }
            // n = 7, score = 100
            //   c745d453002d00       | lea                 esp, [esp]
            //   c745d831002d00       | lea                 eax, [edi*2 + 2]
            //   c745dc31003600       | push                eax
            //   c745e02d003000       | jne                 0x29
            //   c745e429000000       | add                 esp, 4
            //   c745e861006400       | push                edi
            //   c745ec76006100       | pop                 edi

        // 32-bit: push addresses of two large stack buffers and one stack value, call esi.
        $sequence_13 = { 8d8548ffffff 50 8d8554ffffff 50 ffb54cffffff ffd6 }
            // n = 6, score = 100
            //   8d8548ffffff         | je                  0xffffffad
            //   50                   | lea                 eax, [ebp - 0x3c]
            //   8d8554ffffff         | push                eax
            //   50                   | push                edi
            //   ffb54cffffff         | push                0
            //   ffd6                 | push                0

        // Stores absolute address 0x10015440 into [ebp+0x18]: image-base dependent, fragile under relocation.
        $sequence_14 = { 8d4518 c7451840540110 50 8d4dc4 }
            // n = 4, score = 100
            //   8d4518               | push                dword ptr [ebp - 0x40]
            //   c7451840540110       | lea                 eax, [ebp - 0xb8]
            //   50                   | push                eax
            //   8d4dc4               | lea                 eax, [ebp - 0xac]

        // 32-bit: jne, import call, add esp,4, push edi, two more import calls, pop edi.
        $sequence_15 = { 7527 ff15???????? 83c404 57 ff15???????? ff15???????? 5f }
            // n = 7, score = 100
            //   7527                 | mov                 dword ptr [ebp + 0x18], 0x10015440
            //   ff15????????         |                     
            //   83c404               | push                eax
            //   57                   | lea                 ecx, [ebp - 0x3c]
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   5f                   | je                  0x36

    condition:
        // 7 of 16 byte sequences; the size bound comes from the reference samples.
        7 of them and filesize < 311296
}