SYMBOLCOMMON_NAMEaka. SYNONYMS
win.turla_silentmoon (Back to overview)

Turla SilentMoon

aka: BigBoss, Cacao, GoldenSky, HyperStack

Actor(s): Turla

VTCollection    

There is no description at this point.

References
2022-06-12cocomelonc
Malware development: persistence - part 7. Winlogon. Simple C++ example.
BazarBackdoor Gazer TurlaRPC Turla SilentMoon
2021-11-05Emanuele De Lucia on SecurityEmanuele De Lucia
The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors
Turla SilentMoon
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2020-10-28AccentureCyber Defense
Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-09-11Twitter (@Arkbird_SOLG)Arkbird
Tweet on discovery of a sample
Turla SilentMoon
Yara Rules
[TLP:WHITE] win_turla_silentmoon_auto (20260504 | Detects win.turla_silentmoon.)
rule win_turla_silentmoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.turla_silentmoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7468 8b15???????? 56 57 8d3c1b 8d4f02 51 }
            // n = 7, score = 300
            //   7468                 | je                  0x6a
            //   8b15????????         |                     
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d3c1b               | lea                 edi, [ebx + ebx]
            //   8d4f02               | lea                 ecx, [edi + 2]
            //   51                   | push                ecx

        $sequence_1 = { ff15???????? 85c0 0f858b010000 8d95e4f7ffff 52 e9???????? 6a02 }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f858b010000         | jne                 0x191
            //   8d95e4f7ffff         | lea                 edx, [ebp - 0x81c]
            //   52                   | push                edx
            //   e9????????           |                     
            //   6a02                 | push                2

        $sequence_2 = { 7516 8bc6 e8???????? 84c0 757d eb09 83f802 }
            // n = 7, score = 300
            //   7516                 | jne                 0x18
            //   8bc6                 | mov                 eax, esi
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   757d                 | jne                 0x7f
            //   eb09                 | jmp                 0xb
            //   83f802               | cmp                 eax, 2

        $sequence_3 = { 6a00 8d54241c 52 6a08 68???????? 56 ff15???????? }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   8d54241c             | lea                 edx, [esp + 0x1c]
            //   52                   | push                edx
            //   6a08                 | push                8
            //   68????????           |                     
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_4 = { ff15???????? 8d85e4f7ffff 50 6a00 68???????? 8d8de4efffff 51 }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   8d85e4f7ffff         | lea                 eax, [ebp - 0x81c]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   68????????           |                     
            //   8d8de4efffff         | lea                 ecx, [ebp - 0x101c]
            //   51                   | push                ecx

        $sequence_5 = { 8d9598feffff 52 6800020000 6a00 ff15???????? 8bc7 c6043e00 }
            // n = 7, score = 300
            //   8d9598feffff         | lea                 edx, [ebp - 0x168]
            //   52                   | push                edx
            //   6800020000           | push                0x200
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8bc7                 | mov                 eax, edi
            //   c6043e00             | mov                 byte ptr [esi + edi], 0

        $sequence_6 = { 8d0cbb 894de0 33c0 8d4900 8b11 81e2ffffdfff 899405e0f6ffff }
            // n = 7, score = 300
            //   8d0cbb               | lea                 ecx, [ebx + edi*4]
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   33c0                 | xor                 eax, eax
            //   8d4900               | lea                 ecx, [ecx]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   81e2ffffdfff         | and                 edx, 0xffdfffff
            //   899405e0f6ffff       | mov                 dword ptr [ebp + eax - 0x920], edx

        $sequence_7 = { 8d44247c 56 50 c644245800 }
            // n = 4, score = 300
            //   8d44247c             | lea                 eax, [esp + 0x7c]
            //   56                   | push                esi
            //   50                   | push                eax
            //   c644245800           | mov                 byte ptr [esp + 0x58], 0

        $sequence_8 = { 83c404 6a08 b953000000 e8???????? 83c404 6a08 b959000000 }
            // n = 7, score = 300
            //   83c404               | add                 esp, 4
            //   6a08                 | push                8
            //   b953000000           | mov                 ecx, 0x53
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   6a08                 | push                8
            //   b959000000           | mov                 ecx, 0x59

        $sequence_9 = { 8d8decf7ffff 90 833900 750b 40 83bc85ecf7ffff00 74f5 }
            // n = 7, score = 300
            //   8d8decf7ffff         | lea                 ecx, [ebp - 0x814]
            //   90                   | nop                 
            //   833900               | cmp                 dword ptr [ecx], 0
            //   750b                 | jne                 0xd
            //   40                   | inc                 eax
            //   83bc85ecf7ffff00     | cmp                 dword ptr [ebp + eax*4 - 0x814], 0
            //   74f5                 | je                  0xfffffff7

    condition:
        7 of them and filesize < 204800
}
Download all Yara Rules