win.banatrix

Banatrix


There is no description at this point.

References
2014-12-15 · CERT.PL · CERT.PL
@online{certpl:20141215:banatrix:ff1a5a2, author = {CERT.PL}, title = {{Banatrix – an indepth look}}, date = {2014-12-15}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/banatrix-an-indepth-look/}, language = {English}, urldate = {2019-10-23} } Banatrix – an indepth look
Banatrix
Yara Rules
[TLP:WHITE] win_banatrix_auto (20201023 | autogenerated rule brought to you by yara-signator)
// Auto-generated YARA signature for the win.banatrix family (Malpedia).
// This is a pure byte-pattern rule: every $sequence_N below is a run of raw
// x86 opcode bytes, and the disassembly listed under each string is a reader
// aid only (a comment), not part of what YARA matches.
rule win_banatrix_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        // NOTE(review): malpedia_version (20201023) differs from date /
        // malpedia_rule_date (2020-12-22); presumably the former is the data
        // snapshot the sequences were extracted from and the latter the rule
        // generation date -- confirm before using either as a revision marker.
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Because the sequences come from unpacked code / memory dumps (see the
    // DISCLAIMER), a packed on-disk sample is unlikely to match; scan unpacked
    // files or process memory. Under each string, "n" is the number of
    // instructions in the sequence; "score" is yara-signator output whose
    // meaning is not documented here.

    strings:
        $sequence_0 = { 8975c8 eb24 8b4b20 894c2408 7926 0fb7c0 89442404 }
            // n = 7, score = 200
            //   8975c8               | mov                 dword ptr [ebp - 0x38], esi
            //   eb24                 | jmp                 0x26
            //   8b4b20               | mov                 ecx, dword ptr [ebx + 0x20]
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   7926                 | jns                 0x28
            //   0fb7c0               | movzx               eax, ax
            //   89442404             | mov                 dword ptr [esp + 4], eax

        $sequence_1 = { 8b5704 0310 8b450c 83e00f 48 83f8ff 7409 }
            // n = 7, score = 200
            //   8b5704               | mov                 edx, dword ptr [edi + 4]
            //   0310                 | add                 edx, dword ptr [eax]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   83e00f               | and                 eax, 0xf
            //   48                   | dec                 eax
            //   83f8ff               | cmp                 eax, -1
            //   7409                 | je                  0xb

        $sequence_2 = { 8b45e4 81e2ffffff7f 039388000000 01f2 }
            // n = 4, score = 200
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   81e2ffffff7f         | and                 edx, 0x7fffffff
            //   039388000000         | add                 edx, dword ptr [ebx + 0x88]
            //   01f2                 | add                 edx, esi

        $sequence_3 = { c1e91e 83e702 83e101 01f9 01c9 034dcc }
            // n = 6, score = 200
            //   c1e91e               | shr                 ecx, 0x1e
            //   83e702               | and                 edi, 2
            //   83e101               | and                 ecx, 1
            //   01f9                 | add                 ecx, edi
            //   01c9                 | add                 ecx, ecx
            //   034dcc               | add                 ecx, dword ptr [ebp - 0x34]

        $sequence_4 = { ebb4 8b7dd0 03b880000000 897dcc 8b7dcc c744240414000000 }
            // n = 6, score = 200
            //   ebb4                 | jmp                 0xffffffb6
            //   8b7dd0               | mov                 edi, dword ptr [ebp - 0x30]
            //   03b880000000         | add                 edi, dword ptr [eax + 0x80]
            //   897dcc               | mov                 dword ptr [ebp - 0x34], edi
            //   8b7dcc               | mov                 edi, dword ptr [ebp - 0x34]
            //   c744240414000000     | mov                 dword ptr [esp + 4], 0x14

        $sequence_5 = { 7306 c6040300 89c6 83c202 89742408 }
            // n = 5, score = 200
            //   7306                 | jae                 8
            //   c6040300             | mov                 byte ptr [ebx + eax], 0
            //   89c6                 | mov                 esi, eax
            //   83c202               | add                 edx, 2
            //   89742408             | mov                 dword ptr [esp + 8], esi

        $sequence_6 = { 85c0 750b 8b03 8b4028 85c0 7461 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   750b                 | jne                 0xd
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b4028               | mov                 eax, dword ptr [eax + 0x28]
            //   85c0                 | test                eax, eax
            //   7461                 | je                  0x63

        $sequence_7 = { 833e00 741b 8345c804 83c604 8b45c8 8b00 85c0 }
            // n = 7, score = 200
            //   833e00               | cmp                 dword ptr [esi], 0
            //   741b                 | je                  0x1d
            //   8345c804             | add                 dword ptr [ebp - 0x38], 4
            //   83c604               | add                 esi, 4
            //   8b45c8               | mov                 eax, dword ptr [ebp - 0x38]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   85c0                 | test                eax, eax

        $sequence_8 = { 89c7 83ec10 f3a4 894208 }
            // n = 4, score = 200
            //   89c7                 | mov                 edi, eax
            //   83ec10               | sub                 esp, 0x10
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   894208               | mov                 dword ptr [edx + 8], eax

        $sequence_9 = { c7430800000000 c7431000000000 894318 8b4514 89431c }
            // n = 5, score = 200
            //   c7430800000000       | mov                 dword ptr [ebx + 8], 0
            //   c7431000000000       | mov                 dword ptr [ebx + 0x10], 0
            //   894318               | mov                 dword ptr [ebx + 0x18], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   89431c               | mov                 dword ptr [ebx + 0x1c], eax

    // A hit needs at least 7 of the 10 sequences AND a scanned object smaller
    // than 180224 bytes (176 KiB). The 7-of-10 threshold tolerates a few
    // sequences being absent in other builds; the size cap means a larger
    // memory region or padded file will not match even if the code is present,
    // so adjust it when scanning whole process dumps.
    condition:
        7 of them and filesize < 180224
}