Ransomware written in Go.
rule win_agendacrypt_auto {
    /*
     * Autogenerated YARA-Signator rule for win.agendacrypt.
     *
     * Every $sequence_N below is a run of seven consecutive x86-32 instructions
     * (n = 7) lifted from the disassembly of a single Malpedia sample. The ??
     * bytes mask rel32/imm32 operands of call, jmp and push, which move between
     * builds. A hit needs at least 7 of the 10 sequences plus the size bound.
     *
     * NOTE(review): the fragments show cdecl push/call followed by "add esp",
     * scalar SSE2 movsd, a ud2 directly after a call and a 10-byte
     * "nop word ptr cs:[eax + eax]" alignment pad. That looks like output of an
     * LLVM/MSVC-family compiler rather than the Go toolchain the family page
     * describes ("Ransomware written in Go.") -- confirm which build of the
     * family the 20230124 sample represents before relying on that label.
     *
     * NOTE(review): `filesize` is undefined when YARA scans a live process
     * (there is no backing file), so the condition cannot be satisfied there.
     * Treat this as a rule for files and on-disk memory dumps, which is what
     * the generator disclaimer below targets anyway.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.agendacrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * DISCLAIMER
     * The byte sequences in this rule were picked automatically by
     * YARA-Signator from the disassembly of memory dumps and unpacked files.
     * Code and documentation: https://github.com/fxb-cocacoding/yara-signator
     * Malpedia is the data source; for a number of families only a single
     * sample is documented, which limits how well these rules generalize.
     * Keep the generation method in mind when deploying the rule and when
     * assigning it a confidence level.
     */
    strings:
        /* n = 7, score = 100
           84 C0               test al, al
           0F 85 52 02 00 00   jne 0x258
           F2 0F 10 55 B0      movsd xmm2, qword ptr [ebp - 0x50]
           F2 0F 10 4D A8      movsd xmm1, qword ptr [ebp - 0x58]
           F2 0F 10 45 B8      movsd xmm0, qword ptr [ebp - 0x48]
           F2 0F 11 55 DC      movsd qword ptr [ebp - 0x24], xmm2
           F2 0F 11 4D D4      movsd qword ptr [ebp - 0x2c], xmm1
        */
        $sequence_0 = {
            84 C0
            0F 85 52 02 00 00
            F2 0F 10 55 B0
            F2 0F 10 4D A8
            F2 0F 10 45 B8
            F2 0F 11 55 DC
            F2 0F 11 4D D4
        }

        /* n = 7, score = 100
           EB 5C               jmp 0x5e
           0F B6 53 01         movzx edx, byte ptr [ebx + 1]
           89 CF               mov edi, ecx
           83 E7 1F            and edi, 0x1f
           83 E2 3F            and edx, 0x3f
           80 F9 DF            cmp cl, 0xdf
           76 2A               jbe 0x2c
        */
        $sequence_1 = {
            EB 5C
            0F B6 53 01
            89 CF
            83 E7 1F
            83 E2 3F
            80 F9 DF
            76 2A
        }

        /* n = 7, score = 100
           E8 ?? ?? ?? ??             call (rel32 masked)
           83 C4 14                   add esp, 0x14
           8D 84 24 D0 06 00 00       lea eax, [esp + 0x6d0]
           68 ?? ?? ?? ??             push (imm32 masked)
           50                         push eax
           6A 03                      push 3
           68 ?? ?? ?? ??             push (imm32 masked)
        */
        $sequence_2 = {
            E8 ?? ?? ?? ??
            83 C4 14
            8D 84 24 D0 06 00 00
            68 ?? ?? ?? ??
            50
            6A 03
            68 ?? ?? ?? ??
        }

        /* n = 7, score = 100
           F2 0F 11 45 A8      movsd qword ptr [ebp - 0x58], xmm0
           89 45 B0            mov dword ptr [ebp - 0x50], eax
           74 0C               je 0xe
           8D 45 A8            lea eax, [ebp - 0x58]
           50                  push eax
           E8 ?? ?? ?? ??      call (rel32 masked)
           83 C4 04            add esp, 4
        */
        $sequence_3 = {
            F2 0F 11 45 A8
            89 45 B0
            74 0C
            8D 45 A8
            50
            E8 ?? ?? ?? ??
            83 C4 04
        }

        /* n = 7, score = 100
           E9 ?? ?? ?? ??      jmp (rel32 masked)
           8B 45 A8            mov eax, dword ptr [ebp - 0x58]
           0F B6 4D A7         movzx ecx, byte ptr [ebp - 0x59]
           0F B7 5D A5         movzx ebx, word ptr [ebp - 0x5b]
           89 45 EC            mov dword ptr [ebp - 0x14], eax
           89 4D F0            mov dword ptr [ebp - 0x10], ecx
           F0 FF 0E            lock dec dword ptr [esi]
        */
        $sequence_4 = {
            E9 ?? ?? ?? ??
            8B 45 A8
            0F B6 4D A7
            0F B7 5D A5
            89 45 EC
            89 4D F0
            F0 FF 0E
        }

        /* n = 7, score = 100
           8B 4C 24 04                       mov ecx, dword ptr [esp + 4]
           E8 ?? ?? ?? ??                    call (rel32 masked)
           56                                push esi
           E8 ?? ?? ?? ??                    call (rel32 masked)
           83 C4 04                          add esp, 4
           0F 0B                             ud2
           66 2E 0F 1F 84 00 00 00 00 00     nop word ptr cs:[eax + eax]
        */
        $sequence_5 = {
            8B 4C 24 04
            E8 ?? ?? ?? ??
            56
            E8 ?? ?? ?? ??
            83 C4 04
            0F 0B
            66 2E 0F 1F 84 00 00 00 00 00
        }

        /* n = 7, score = 100
           C7 44 24 70 FF FF FF FF    mov dword ptr [esp + 0x70], 0xffffffff
           C7 44 24 74 00 00 00 00    mov dword ptr [esp + 0x74], 0
           89 BC 24 D0 01 00 00       mov dword ptr [esp + 0x1d0], edi
           C6 44 24 7E 00             mov byte ptr [esp + 0x7e], 0
           8B 8C 24 C8 01 00 00       mov ecx, dword ptr [esp + 0x1c8]
           74 16                      je 0x18
           0F 88 F2 11 00 00          js 0x11f8
        */
        $sequence_6 = {
            C7 44 24 70 FF FF FF FF
            C7 44 24 74 00 00 00 00
            89 BC 24 D0 01 00 00
            C6 44 24 7E 00
            8B 8C 24 C8 01 00 00
            74 16
            0F 88 F2 11 00 00
        }

        /* n = 7, score = 100
           89 D9               mov ecx, ebx
           81 E3 FF 03 00 00   and ebx, 0x3ff
           89 55 AC            mov dword ptr [ebp - 0x54], edx
           81 CB 00 DC 00 00   or ebx, 0xdc00
           C1 E9 0A            shr ecx, 0xa
           89 DA               mov edx, ebx
           81 C9 00 D8 00 00   or ecx, 0xd800
           (the 0xd800/0xdc00 constants and the 10-bit split look like a
           UTF-16 surrogate-pair encoder -- unconfirmed)
        */
        $sequence_7 = {
            89 D9
            81 E3 FF 03 00 00
            89 55 AC
            81 CB 00 DC 00 00
            C1 E9 0A
            89 DA
            81 C9 00 D8 00 00
        }

        /* n = 7, score = 100
           8D 72 FF            lea esi, [edx - 1]
           0F B6 5C 17 FF      movzx ebx, byte ptr [edi + edx - 1]
           80 FB 0A            cmp bl, 0xa
           75 0D               jne 0xf
           80 7C 17 FE 0D      cmp byte ptr [edi + edx - 2], 0xd
           8D 42 FE            lea eax, [edx - 2]
           0F 44 F0            cmove esi, eax
           (compares the last bytes against 0x0a / 0x0d -- looks like a
           trailing LF / CRLF trim, unconfirmed)
        */
        $sequence_8 = {
            8D 72 FF
            0F B6 5C 17 FF
            80 FB 0A
            75 0D
            80 7C 17 FE 0D
            8D 42 FE
            0F 44 F0
        }

        /* n = 7, score = 100
           E8 ?? ?? ?? ??      call (rel32 masked)
           83 C4 08            add esp, 8
           84 C0               test al, al
           0F 84 EE 07 00 00   je 0x7f4
           89 F0               mov eax, esi
           89 F9               mov ecx, edi
           C1 E8 04            shr eax, 4
        */
        $sequence_9 = {
            E8 ?? ?? ?? ??
            83 C4 08
            84 C0
            0F 84 EE 07 00 00
            89 F0
            89 F9
            C1 E8 04
        }

    condition:
        // Seven of the ten code fragments must be present, and the scanned
        // object must be smaller than 3340288 bytes (undefined for live
        // process scans -- see the note at the top of the rule).
        7 of ($sequence_*) and filesize < 3340288
}