Actor(s): APT 29
There is no description at this point.
rule win_ati_agent_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.ati_agent."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): how to read this rule.
     * - Every $sequence_N is a run of x86-64 opcode bytes lifted from one
     *   sample. The "????????" wildcards are four bytes wide and sit where a
     *   call/jmp/RIP-relative operand carries its 32-bit displacement, so the
     *   sequences are not tied to one load address or link layout.
     * - The per-opcode mnemonics in the "//" comments below are carried over
     *   from the generator and do NOT line up with the bytes on the same line
     *   (e.g. 48 8b c8 is "mov rcx, rax", not "jmp"; the frequent "dec eax"
     *   is what the 0x48 REX.W prefix decodes to in 32-bit mode). Treat them
     *   as noise and re-disassemble the bytes yourself before relying on them.
     * - Several sequences look like compiler boilerplate rather than
     *   malware-specific logic (see the inline notes). That is why the
     *   condition demands 7 of the 10 sequences; lowering that threshold
     *   will raise false positives on ordinary MSVC x64 binaries.
     * - Unpacked/dumped input is expected (see the disclaimer); packed
     *   on-disk samples will not match.
     */
    strings:
        $sequence_0 = { 488bc8 ff15???????? 488d1548a20000 488bce 488905???????? }
            // n = 5, score = 100
            //   488bc8               | jmp                 0x608
            //   ff15????????         |
            //   488d1548a20000       | dec                 eax
            //   488bce               | lea                 ecx, [0xc46f]
            //   488905????????       |

        $sequence_1 = { e8???????? 488d2d24a60000 4c8d250dd80000 83f8ff 7435 488bcf e8???????? }
            // n = 7, score = 100
            //   e8????????           |
            //   488d2d24a60000       | mov                 ebx, ecx
            //   4c8d250dd80000       | dec                 eax
            //   83f8ff               | sub                 esp, 0x48
            //   7435                 | dec                 eax
            //   488bcf               | and                 dword ptr [esp + 0x30], 0
            //   e8????????           |

        $sequence_2 = { 488d442460 488d942490010000 4533c9 4889442448 48894c2440 }
            // n = 5, score = 100
            //   488d442460           | dec                 eax
            //   488d942490010000     | lea                 ecx, [0x3751]
            //   4533c9               | inc                 eax
            //   4889442448           | push                edi
            //   48894c2440           | dec                 eax

        $sequence_3 = { 488b05???????? 4833c4 4889442438 498bf0 488bfa 488bd9 }
            // n = 6, score = 100
            //   488b05????????       |
            //   4833c4               | mov                 eax, esi
            //   4889442438           | jmp                 0x469
            //   498bf0               | dec                 esp
            //   488bfa               | lea                 esi, [0xe228]
            //   488bd9               | and                 ebx, 0x1f
            // NOTE(review): "mov rax,[rip+X]; xor rax,rsp; mov [rsp+0x38],rax"
            // looks like the MSVC /GS stack-cookie prologue, which is present in
            // most x64 MSVC builds -- weak on its own, confirm before weighting it.

        $sequence_4 = { 488d0526d80000 488d0cc8 48890f ff15???????? }
            // n = 4, score = 100
            //   488d0526d80000       | dec                 eax
            //   488d0cc8             | lea                 edx, [esp + 0x20]
            //   48890f               | dec                 ecx
            //   ff15????????         |

        $sequence_5 = { e9???????? 4881ec28050000 488b05???????? 4833c4 4889842410050000 488b05???????? 4885c0 }
            // n = 7, score = 100
            //   e9????????           |
            //   4881ec28050000       | dec                 esp
            //   488b05????????       |
            //   4833c4               | lea                 ecx, [0xffff8662]
            //   4889842410050000     | dec                 ecx
            //   488b05????????       |
            //   4885c0               | mov                 ecx, ecx
            // NOTE(review): same stack-cookie pattern as $sequence_3 after a
            // "sub rsp, 0x528"; the frame size is the only sample-specific part.

        $sequence_6 = { 488d8c24f0000000 ba04010000 4889442420 e8???????? 4c8d5c2438 488d9424f0000000 41b919010200 }
            // n = 7, score = 100
            //   488d8c24f0000000     | xor                 ecx, ecx
            //   ba04010000           | dec                 eax
            //   4889442420           | lea                 edx, [0x707f]
            //   e8????????           |
            //   4c8d5c2438           | dec                 eax
            //   488d9424f0000000     | mov                 dword ptr [ecx + eax], edx
            //   41b919010200         | dec                 eax
            // NOTE(review): ba04010000 is "mov edx, 0x104" (0x104 = 260, i.e.
            // MAX_PATH) and 41b919010200 is "mov r9d, 0x20119", which equals
            // KEY_READ | KEY_WOW64_64KEY -- presumably a path-buffer fill
            // followed by a registry open; verify against the sample.

        $sequence_7 = { 442bc0 488b442450 488d0d85be0000 488b0cc1 }
            // n = 4, score = 100
            //   442bc0               | lea                 ecx, [0x7ba0]
            //   488b442450           | inc                 eax
            //   488d0d85be0000       | push                ebx
            //   488b0cc1             | dec                 eax

        $sequence_8 = { 897c2428 897c2420 c784248000000068000000 ff15???????? }
            // n = 4, score = 100
            //   897c2428             | dec                 eax
            //   897c2420             | lea                 edx, [0x58e8]
            //   c784248000000068000000 | inc                 ecx
            //   ff15????????         |
            // NOTE(review): "mov dword [rsp+0x80], 0x68" followed by an
            // indirect call could be STARTUPINFO.cb = sizeof(STARTUPINFO) (0x68
            // on x64) ahead of a CreateProcess* call -- TODO confirm.

        $sequence_9 = { 8bf8 85c0 750d 488bce e8???????? e9???????? 4c8d2d6dc10000 }
            // n = 7, score = 100
            //   8bf8                 | dec                 eax
            //   85c0                 | lea                 eax, [0xc151]
            //   750d                 | dec                 eax
            //   488bce               | mov                 ecx, dword ptr [eax + ecx*8]
            //   e8????????           |
            //   e9????????           |
            //   4c8d2d6dc10000       | dec                 esp

    condition:
        // 7 of the 10 sequences must hit; 172032 bytes = 168 KiB is the
        // generator's size cap for this sample set.
        // NOTE(review): filesize is undefined when YARA scans a live process,
        // so this rule only fires on files (including saved memory dumps) --
        // drop or guard the filesize clause if you deploy it for process scans.
        7 of them and filesize < 172032
}