SYMBOL | COMMON NAME | aka. SYNONYMS
win.bandit

Bandit Stealer


There is no description at this point.

References
2023-08-03 · OALabs · Sergei Frankoff
Golang Garble String Decryption
Bandit Stealer
2023-07-31 · OALabs · Sergei Frankoff
Bandit Stealer Garbled
Bandit Stealer
2023-07-11 · Cloudsek · Bablu Kumar
Breaking into the Bandit Stealer Malware Infrastructure
Bandit Stealer
2023-06-03 · Zscaler · Mallikarjun Piddannavar
Technical Analysis of Bandit Stealer
Bandit Stealer
2023-05-26 · Trend Micro · Paul John Bardon, Sarah Pearl Camiling
New Info Stealer Bandit Stealer Targets Browsers, Wallets
Bandit Stealer
Yara Rules
[TLP:WHITE] win_bandit_auto (20230808 | Detects win.bandit.)
rule win_bandit_auto {
    /* Auto-generated code-sequence signature for the Bandit Stealer family
     * (Malpedia symbol win.bandit). Each $sequence_N below is a run of seven
     * consecutive instruction encodings lifted from analysed samples; the
     * rule matches when at least 7 of the 10 sequences are found (see the
     * condition). The malpedia_* meta fields are bookkeeping from Malpedia's
     * generation pipeline (data-set version, rule date, hash); their exact
     * semantics are defined there, not by this rule. */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.bandit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandit"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Hex sequences: `??` bytes are YARA wildcards over position-dependent
        // operands (e.g. the rel32 target of an `e8` call, the disp32 of
        // `833d????????00`), so a different link address does not break the
        // match. In the per-sequence annotations, `n` is the instruction
        // count (7 per sequence) and `score` is yara-signator's own ranking.
        // NOTE(review): the mnemonic column after `|` does not line up with
        // the hex on the left -- the 0x48 REX.W prefixes of this x64 code are
        // rendered as the 32-bit `dec eax`, and several rows bear no relation
        // to their bytes. Treat the hex as authoritative and re-disassemble
        // before relying on the mnemonics.
        $sequence_0 = { e8???????? 488d0d9ca6a100 48894820 833d????????00 750b 488b4c2478 48894828 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d0d9ca6a100       | mov                 eax, edx
            //   48894820             | mov                 ecx, dword ptr [eax]
            //   833d????????00       |                     
            //   750b                 | je                  0x426
            //   488b4c2478           | dec                 eax
            //   48894828             | mov                 dword ptr [esp + 0x68], edi

        $sequence_1 = { c3 4889d0 e8???????? 84c0 744e 488b4c2428 488b11 }
            // n = 7, score = 100
            //   c3                   | dec                 esp
            //   4889d0               | mov                 eax, dword ptr [esp + 0x610]
            //   e8????????           |                     
            //   84c0                 | dec                 esp
            //   744e                 | add                 esi, eax
            //   488b4c2428           | dec                 eax
            //   488b11               | mov                 esi, dword ptr [esp + 0x288]

        $sequence_2 = { 83c301 4883c604 4501f1 e8???????? 4139df 75d6 8b742460 }
            // n = 7, score = 100
            //   83c301               | dec                 eax
            //   4883c604             | mov                 eax, esi
            //   4501f1               | dec                 eax
            //   e8????????           |                     
            //   4139df               | mov                 ecx, ebx
            //   75d6                 | dec                 ecx
            //   8b742460             | cmp                 eax, 7

        $sequence_3 = { e9???????? 488d5f01 4839da 731d 4889f0 4889d1 bf01000000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d5f01             | xor                 eax, eax
            //   4839da               | dec                 eax
            //   731d                 | lea                 ebx, [esp + 0x7e]
            //   4889f0               | mov                 ecx, 0xf
            //   4889d1               | dec                 eax
            //   bf01000000           | mov                 ebp, dword ptr [esp + 0x2b0]

        $sequence_4 = { e8???????? 48c7401801000000 488d0d1c9c5e00 48894810 4889c3 488d0530636a00 488b6c2440 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48c7401801000000     | dec                 eax
            //   488d0d1c9c5e00       | mov                 dword ptr [esp + 0x20], ebx
            //   48894810             | nop                 
            //   4889c3               | dec                 eax
            //   488d0530636a00       | lea                 eax, [0x4abda9]
            //   488b6c2440           | je                  0x2b6

        $sequence_5 = { ffd2 4889442438 48895c2440 48894c2448 48897c2450 90 488b7c2430 }
            // n = 7, score = 100
            //   ffd2                 | mov                 dword ptr [esp + 0x98], edx
            //   4889442438           | lea                 edi, [eax + 1]
            //   48895c2440           | test                eax, eax
            //   48894c2448           | jne                 0x5e7
            //   48897c2450           | movzx               eax, word ptr [ebx + 0x28]
            //   90                   | inc                 esp
            //   488b7c2430           | mov                 ecx, dword ptr [ebx + 0x40]

        $sequence_6 = { c644242701 488b4210 488b5c2428 488b4c2430 488b7c2438 6690 e8???????? }
            // n = 7, score = 100
            //   c644242701           | dec                 ebp
            //   488b4210             | test                edx, edx
            //   488b5c2428           | je                  0x15c
            //   488b4c2430           | dec                 eax
            //   488b7c2438           | mov                 dword ptr [esp + 0x20], edx
            //   6690                 | dec                 eax
            //   e8????????           |                     

        $sequence_7 = { 8894249d000000 0fb654246c 4129d7 4488bc249e000000 0fb6542474 440fb6442425 4429c2 }
            // n = 7, score = 100
            //   8894249d000000       | je                  0x2411
            //   0fb654246c           | dec                 ecx
            //   4129d7               | mov                 eax, eax
            //   4488bc249e000000     | dec                 eax
            //   0fb6542474           | imul                eax, edx
            //   440fb6442425         | dec                 eax
            //   4429c2               | xor                 eax, ecx

        $sequence_8 = { e8???????? 4889d7 c60700 488d050e9a6b00 e8???????? 488b4c2438 488b542448 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4889d7               | xor                 eax, eax
            //   c60700               | jmp                 0x1131
            //   488d050e9a6b00       | inc                 esp
            //   e8????????           |                     
            //   488b4c2438           | movzx               ecx, byte ptr [esp + esi + 0x1d]
            //   488b542448           | inc                 ecx

        $sequence_9 = { c604085c 49f7d9 49c1f93f 4c8d5101 4d21ca 4e8d0c10 48f7df }
            // n = 7, score = 100
            //   c604085c             | cmp                 ebx, 0xd
            //   49f7d9               | jae                 0x888
            //   49c1f93f             | dec                 eax
            //   4c8d5101             | mov                 dword ptr [esp + 0x28], eax
            //   4d21ca               | dec                 esp
            //   4e8d0c10             | lea                 ecx, [0x77e20a]
            //   48f7df               | dec                 ebp

    condition:
        // Any 7 of the 10 sequences suffice, so up to three code regions may
        // differ between builds without losing the match. The filesize cap
        // (29914112 bytes, ~28.5 MiB) only has meaning when scanning files:
        // YARA leaves `filesize` undefined for process-memory scans, which
        // makes this conjunction false there -- apply the rule to dumped or
        // unpacked files, as the disclaimer above describes (confirm the
        // undefined-value behaviour against your YARA version).
        7 of them and filesize < 29914112
}