Actor(s): SNOWGLOBE
There is no description at this point.
/*
 * Auto-generated detection rule for the win.babar family (Malpedia), listed on
 * the originating page under the actor SNOWGLOBE.
 *
 * Reviewer notes for anyone deploying this rule:
 *  - Every $sequence_* below is a run of 32-bit x86 instructions (esp-relative
 *    stack slots, 32-bit registers, x87 fld/fstp), so the rule targets the
 *    32-bit build only; a 64-bit or recompiled variant will not hit these bytes.
 *  - Per the DISCLAIMER the byte patterns come from unpacked code / memory
 *    dumps, so a packed on-disk sample is not expected to match until unpacked.
 *  - The `????????` wildcards mask 4-byte operands (absolute `mov` addresses,
 *    `call` rel32, `push imm32`), so those sequences survive relocation.
 *  - $sequence_12 hard-codes the absolute address 0x10019ea0, which only
 *    matches when the module is mapped at the base it was dumped from
 *    (presumably the 0x10000000 default DLL base); a relocated copy loses
 *    that one sequence.
 *  - $sequence_9 / $sequence_11 carry the constants 0x698098d8 and 0x49b40821
 *    next to rol-7 / ror-10 (= rol 22); these look like MD5 round-1 constants
 *    and may also appear in any binary with a statically linked MD5, so on
 *    their own they are weak attribution evidence. The `7 of them` threshold
 *    in the condition limits the impact of such shared sequences.
 *  - In the per-sequence comments, `n` is the number of instructions in the
 *    sequence and `score` is yara-signator's ranking of it; see the tool's
 *    documentation for how the score is derived.
 */
rule win_babar_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.babar."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // --- score 400 sequences: compare/branch + stack-slot loads, x87 loop bodies ---

        $sequence_0 = { 3bd6 0f86f9feffff 8b54243c 8b442438 }
            // n = 4, score = 400
            //   3bd6                 | cmp                 edx, esi
            //   0f86f9feffff         | jbe                 0xfffffeff
            //   8b54243c             | mov                 edx, dword ptr [esp + 0x3c]
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]

        $sequence_1 = { 3bd6 0f8c7affffff 8bbc24d0000000 ddd9 }
            // n = 4, score = 400
            //   3bd6                 | cmp                 edx, esi
            //   0f8c7affffff         | jl                  0xffffff80
            //   8bbc24d0000000       | mov                 edi, dword ptr [esp + 0xd0]
            //   ddd9                 | fstp                st(1)

        $sequence_2 = { 3bd5 7e47 8d0c9500000000 2bd9 }
            // n = 4, score = 400
            //   3bd5                 | cmp                 edx, ebp
            //   7e47                 | jle                 0x49
            //   8d0c9500000000       | lea                 ecx, [edx*4]
            //   2bd9                 | sub                 ebx, ecx

        $sequence_3 = { 3bd5 0f8671ffffff 8144241890020000 ddd8 816c242880020000 83c710 81c680020000 }
            // n = 7, score = 400
            //   3bd5                 | cmp                 edx, ebp
            //   0f8671ffffff         | jbe                 0xffffff77
            //   8144241890020000     | add                 dword ptr [esp + 0x18], 0x290
            //   ddd8                 | fstp                st(0)
            //   816c242880020000     | sub                 dword ptr [esp + 0x28], 0x280
            //   83c710               | add                 edi, 0x10
            //   81c680020000         | add                 esi, 0x280

        $sequence_4 = { 46 8d44af08 8d5708 8d4cb500 d942f8 }
            // n = 5, score = 400
            //   46                   | inc                 esi
            //   8d44af08             | lea                 eax, [edi + ebp*4 + 8]
            //   8d5708               | lea                 edx, [edi + 8]
            //   8d4cb500             | lea                 ecx, [ebp + esi*4]
            //   d942f8               | fld                 dword ptr [edx - 8]

        $sequence_5 = { 3bd6 0f82eefeffff 8b742458 03f5 }
            // n = 4, score = 400
            //   3bd6                 | cmp                 edx, esi
            //   0f82eefeffff         | jb                  0xfffffef4
            //   8b742458             | mov                 esi, dword ptr [esp + 0x58]
            //   03f5                 | add                 esi, ebp

        $sequence_6 = { 3bd6 721b 57 8bcb }
            // n = 4, score = 400
            //   3bd6                 | cmp                 edx, esi
            //   721b                 | jb                  0x1d
            //   57                   | push                edi
            //   8bcb                 | mov                 ecx, ebx

        $sequence_7 = { 3bd6 72d9 33f6 eb08 }
            // n = 4, score = 400
            //   3bd6                 | cmp                 edx, esi
            //   72d9                 | jb                  0xffffffdb
            //   33f6                 | xor                 esi, esi
            //   eb08                 | jmp                 0xa

        // --- score 200 sequences: several rely on wildcarded absolute addresses / calls ---

        $sequence_8 = { 8906 0f8496000000 50 ffd7 894604 8b0d???????? 894e08 }
            // n = 7, score = 200
            //   8906                 | mov                 dword ptr [esi], eax
            //   0f8496000000         | je                  0x9c
            //   50                   | push                eax
            //   ffd7                 | call                edi
            //   894604               | mov                 dword ptr [esi + 4], eax
            //   8b0d????????         | mov                 ecx, dword ptr [<wildcarded absolute address>]
            //   894e08               | mov                 dword ptr [esi + 8], ecx

        $sequence_9 = { 8d8407d8988069 c1c007 8bfa 03c6 33fe }
            // n = 5, score = 200
            // NOTE(review): 0x698098d8 + rol 7 looks like an MD5 round-1 step; may match
            // any statically linked MD5, not only Babar.
            //   8d8407d8988069       | lea                 eax, [edi + eax + 0x698098d8]
            //   c1c007               | rol                 eax, 7
            //   8bfa                 | mov                 edi, edx
            //   03c6                 | add                 eax, esi
            //   33fe                 | xor                 edi, esi

        $sequence_10 = { 803800 8b0d???????? 741d 803900 7506 8b0d???????? 8a11 }
            // n = 7, score = 200
            //   803800               | cmp                 byte ptr [eax], 0
            //   8b0d????????         | mov                 ecx, dword ptr [<wildcarded absolute address>]
            //   741d                 | je                  0x1f
            //   803900               | cmp                 byte ptr [ecx], 0
            //   7506                 | jne                 8
            //   8b0d????????         | mov                 ecx, dword ptr [<wildcarded absolute address>]
            //   8a11                 | mov                 dl, byte ptr [ecx]

        $sequence_11 = { 23d1 33d0 0354244c 8d94322108b449 c1ca0a 03d1 8bf1 }
            // n = 7, score = 200
            // NOTE(review): 0x49b40821 + ror 10 (= rol 22) looks like an MD5 round-1 step;
            // same false-positive caveat as $sequence_9.
            //   23d1                 | and                 edx, ecx
            //   33d0                 | xor                 edx, eax
            //   0354244c             | add                 edx, dword ptr [esp + 0x4c]
            //   8d94322108b449       | lea                 edx, [edx + esi + 0x49b40821]
            //   c1ca0a               | ror                 edx, 0xa
            //   03d1                 | add                 edx, ecx
            //   8bf1                 | mov                 esi, ecx

        $sequence_12 = { 57 8d3c85a09e0110 8b07 03c3 8a4824 }
            // n = 5, score = 200
            // NOTE(review): absolute address 0x10019ea0 is not wildcarded; this sequence
            // only matches an image mapped at the base it was dumped from.
            //   57                   | push                edi
            //   8d3c85a09e0110       | lea                 edi, [eax*4 + 0x10019ea0]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   03c3                 | add                 eax, ebx
            //   8a4824               | mov                 cl, byte ptr [eax + 0x24]

        $sequence_13 = { e8???????? 57 e8???????? 83c410 8d842480000000 50 ffd5 }
            // n = 7, score = 200
            //   e8????????           | call                <wildcarded rel32>
            //   57                   | push                edi
            //   e8????????           | call                <wildcarded rel32>
            //   83c410               | add                 esp, 0x10
            //   8d842480000000       | lea                 eax, [esp + 0x80]
            //   50                   | push                eax
            //   ffd5                 | call                ebp

        $sequence_14 = { 0fb64e04 884804 8b5604 c1ea08 885005 0fb64e06 }
            // n = 6, score = 200
            //   0fb64e04             | movzx               ecx, byte ptr [esi + 4]
            //   884804               | mov                 byte ptr [eax + 4], cl
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   c1ea08               | shr                 edx, 8
            //   885005               | mov                 byte ptr [eax + 5], dl
            //   0fb64e06             | movzx               ecx, byte ptr [esi + 6]

        $sequence_15 = { 8b4b04 55 8b2d???????? 68???????? }
            // n = 4, score = 200
            //   8b4b04               | mov                 ecx, dword ptr [ebx + 4]
            //   55                   | push                ebp
            //   8b2d????????         | mov                 ebp, dword ptr [<wildcarded absolute address>]
            //   68????????           | push                <wildcarded imm32>

    condition:
        // At least 7 of the 16 sequences must be present, and the scanned object
        // must be smaller than 1294336 bytes (~1.23 MiB).
        // NOTE(review): YARA documents `filesize` as undefined when scanning
        // process memory, so the size bound would prevent a match on a live
        // process scan; it is fine for files, including memory dumps written to
        // disk. Confirm against your scanner version and drop the bound for
        // live-memory deployments.
        7 of them and filesize < 1294336
}