Ransomware written in Go.
rule win_agendacrypt_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.agendacrypt." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c3 8b45f0 8d4408ff 68???????? 6a28 50 e8???????? } // n = 7, score = 100 // c3 | ret // 8b45f0 | mov eax, dword ptr [ebp - 0x10] // 8d4408ff | lea eax, [eax + ecx - 1] // 68???????? | // 6a28 | push 0x28 // 50 | push eax // e8???????? | $sequence_1 = { e9???????? 89f9 31d2 e8???????? 89c3 00db 89d8 } // n = 7, score = 100 // e9???????? | // 89f9 | mov ecx, edi // 31d2 | xor edx, edx // e8???????? | // 89c3 | mov ebx, eax // 00db | add bl, bl // 89d8 | mov eax, ebx $sequence_2 = { c784240c0e000004000000 660fd69424100e0000 888c241d0e0000 ff7308 895c2428 ff33 8d8424a80d0000 } // n = 7, score = 100 // c784240c0e000004000000 | mov dword ptr [esp + 0xe0c], 4 // 660fd69424100e0000 | movq qword ptr [esp + 0xe10], xmm2 // 888c241d0e0000 | mov byte ptr [esp + 0xe1d], cl // ff7308 | push dword ptr [ebx + 8] // 895c2428 | mov dword ptr [esp + 0x28], ebx // ff33 | push dword ptr [ebx] // 8d8424a80d0000 | lea eax, [esp + 0xda8] $sequence_3 = { c1c007 c1c215 89f1 8b75f0 31d0 89fa 894de4 } // n = 7, score = 100 // c1c007 | rol eax, 7 // c1c215 | rol edx, 0x15 // 89f1 | mov ecx, esi // 8b75f0 | mov esi, dword ptr [ebp - 0x10] // 31d0 | xor eax, edx // 89fa | mov edx, edi // 894de4 | mov dword ptr [ebp - 0x1c], ecx $sequence_4 = { f20f118c248c010000 0f8455030000 8b942478010000 8bbc2480010000 f20f100d???????? 0f57c0 89b4242c010000 } // n = 7, score = 100 // f20f118c248c010000 | movsd qword ptr [esp + 0x18c], xmm1 // 0f8455030000 | je 0x35b // 8b942478010000 | mov edx, dword ptr [esp + 0x178] // 8bbc2480010000 | mov edi, dword ptr [esp + 0x180] // f20f100d???????? | // 0f57c0 | xorps xmm0, xmm0 // 89b4242c010000 | mov dword ptr [esp + 0x12c], esi $sequence_5 = { e8???????? 83c414 837c242000 7463 8b442428 f20f10442420 89442418 } // n = 7, score = 100 // e8???????? | // 83c414 | add esp, 0x14 // 837c242000 | cmp dword ptr [esp + 0x20], 0 // 7463 | je 0x65 // 8b442428 | mov eax, dword ptr [esp + 0x28] // f20f10442420 | movsd xmm0, qword ptr [esp + 0x20] // 89442418 | mov dword ptr [esp + 0x18], eax $sequence_6 = { ff30 6a00 ff31 e8???????? 83c43c 5e 5f } // n = 7, score = 100 // ff30 | push dword ptr [eax] // 6a00 | push 0 // ff31 | push dword ptr [ecx] // e8???????? | // 83c43c | add esp, 0x3c // 5e | pop esi // 5f | pop edi $sequence_7 = { c1e206 c5edfec3 8d9c24e0000000 c1e706 c5fd7f442440 01f8 01fe } // n = 7, score = 100 // c1e206 | shl edx, 6 // c5edfec3 | vpaddd ymm0, ymm2, ymm3 // 8d9c24e0000000 | lea ebx, [esp + 0xe0] // c1e706 | shl edi, 6 // c5fd7f442440 | vmovdqa ymmword ptr [esp + 0x40], ymm0 // 01f8 | add eax, edi // 01fe | add esi, edi $sequence_8 = { eb43 c1e006 83c302 31d2 09f0 895df0 89c1 } // n = 7, score = 100 // eb43 | jmp 0x45 // c1e006 | shl eax, 6 // 83c302 | add ebx, 2 // 31d2 | xor edx, edx // 09f0 | or eax, esi // 895df0 | mov dword ptr [ebp - 0x10], ebx // 89c1 | mov ecx, eax $sequence_9 = { f20f5ec2 81c634010000 89f0 f7d8 0f48c6 3d35010000 73dc } // n = 7, score = 100 // f20f5ec2 | divsd xmm0, xmm2 // 81c634010000 | add esi, 0x134 // 89f0 | mov eax, esi // f7d8 | neg eax // 0f48c6 | cmovs eax, esi // 3d35010000 | cmp eax, 0x135 // 73dc | jae 0xffffffde condition: 7 of them and filesize < 3340288 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY