There is no description at this point.
rule win_alureon_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.alureon." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8b4dfc 8b07 8d440802 50 ff75f0 } // n = 5, score = 200 // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 8b07 | mov eax, dword ptr [edi] // 8d440802 | lea eax, [eax + ecx + 2] // 50 | push eax // ff75f0 | push dword ptr [ebp - 0x10] $sequence_1 = { 6a60 32c0 59 6a2c } // n = 4, score = 200 // 6a60 | push 0x60 // 32c0 | xor al, al // 59 | pop ecx // 6a2c | push 0x2c $sequence_2 = { 8b5710 49 03d3 4c 3912 } // n = 5, score = 200 // 8b5710 | mov edx, dword ptr [edi + 0x10] // 49 | dec ecx // 03d3 | add edx, ebx // 4c | dec esp // 3912 | cmp dword ptr [edx], edx $sequence_3 = { 0fb603 0fb65301 23c6 c1e004 c1ea04 0bc2 8a4405bc } // n = 7, score = 200 // 0fb603 | movzx eax, byte ptr [ebx] // 0fb65301 | movzx edx, byte ptr [ebx + 1] // 23c6 | and eax, esi // c1e004 | shl eax, 4 // c1ea04 | shr edx, 4 // 0bc2 | or eax, edx // 8a4405bc | mov al, byte ptr [ebp + eax - 0x44] $sequence_4 = { 8b48fc 83c028 f3a4 8b78f8 0fb74b06 03fa ff45f8 } // n = 7, score = 200 // 8b48fc | mov ecx, dword ptr [eax - 4] // 83c028 | add eax, 0x28 // f3a4 | rep movsb byte ptr es:[edi], byte ptr [esi] // 8b78f8 | mov edi, dword ptr [eax - 8] // 0fb74b06 | movzx ecx, word ptr [ebx + 6] // 03fa | add edi, edx // ff45f8 | inc dword ptr [ebp - 8] $sequence_5 = { 756d 33f6 56 8d45f0 } // n = 4, score = 200 // 756d | jne 0x6f // 33f6 | xor esi, esi // 56 | push esi // 8d45f0 | lea eax, [ebp - 0x10] $sequence_6 = { 83c228 48 03f5 41 ffc0 f3a4 } // n = 6, score = 200 // 83c228 | add edx, 0x28 // 48 | dec eax // 03f5 | add esi, ebp // 41 | inc ecx // ffc0 | inc eax // f3a4 | rep movsb byte ptr es:[edi], byte ptr [esi] $sequence_7 = { 03d3 48 8bce 48 } // n = 4, score = 200 // 03d3 | add edx, ebx // 48 | dec eax // 8bce | mov ecx, esi // 48 | dec eax $sequence_8 = { 83c424 68???????? 68???????? 885dff ff15???????? 50 ff15???????? } // n = 7, score = 100 // 83c424 | add esp, 0x24 // 68???????? | // 68???????? | // 885dff | mov byte ptr [ebp - 1], bl // ff15???????? | // 50 | push eax // ff15???????? | $sequence_9 = { ff742408 ff30 e8???????? 85c0 59 59 } // n = 6, score = 100 // ff742408 | push dword ptr [esp + 8] // ff30 | push dword ptr [eax] // e8???????? | // 85c0 | test eax, eax // 59 | pop ecx // 59 | pop ecx $sequence_10 = { ff7028 8bf0 e8???????? 59 50 ff742418 } // n = 6, score = 100 // ff7028 | push dword ptr [eax + 0x28] // 8bf0 | mov esi, eax // e8???????? | // 59 | pop ecx // 50 | push eax // ff742418 | push dword ptr [esp + 0x18] $sequence_11 = { 8b35???????? 51 bfff010000 03c3 } // n = 4, score = 100 // 8b35???????? | // 51 | push ecx // bfff010000 | mov edi, 0x1ff // 03c3 | add eax, ebx $sequence_12 = { 53 8d442418 50 6a15 } // n = 4, score = 100 // 53 | push ebx // 8d442418 | lea eax, [esp + 0x18] // 50 | push eax // 6a15 | push 0x15 $sequence_13 = { ff15???????? 385dff 0f85d3000000 8d45e8 50 683f000f00 53 } // n = 7, score = 100 // ff15???????? | // 385dff | cmp byte ptr [ebp - 1], bl // 0f85d3000000 | jne 0xd9 // 8d45e8 | lea eax, [ebp - 0x18] // 50 | push eax // 683f000f00 | push 0xf003f // 53 | push ebx $sequence_14 = { 50 53 68???????? 8d8424ec000000 50 ff15???????? } // n = 6, score = 100 // 50 | push eax // 53 | push ebx // 68???????? | // 8d8424ec000000 | lea eax, [esp + 0xec] // 50 | push eax // ff15???????? | $sequence_15 = { 68???????? 8d842400040000 56 50 ff15???????? 68b6100000 } // n = 6, score = 100 // 68???????? | // 8d842400040000 | lea eax, [esp + 0x400] // 56 | push esi // 50 | push eax // ff15???????? | // 68b6100000 | push 0x10b6 condition: 7 of them and filesize < 278528 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
