Actor(s): Dark Caracal
There is no description at this point.
rule win_bandook_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-05-16" version = "1" description = "Detects win.bandook." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook" malpedia_rule_date = "20220513" malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26" malpedia_version = "20220516" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8bf1 c706???????? c74604???????? c7461c38a01c13 e8???????? f6450801 740b } // n = 7, score = 100 // 8bf1 | mov esi, ecx // c706???????? | // c74604???????? | // c7461c38a01c13 | mov dword ptr [esi + 0x1c], 0x131ca038 // e8???????? | // f6450801 | test byte ptr [ebp + 8], 1 // 740b | je 0xd $sequence_1 = { 83c440 a3???????? ba???????? b9???????? 6a07 e8???????? 6a08 } // n = 7, score = 100 // 83c440 | add esp, 0x40 // a3???????? | // ba???????? | // b9???????? | // 6a07 | push 7 // e8???????? | // 6a08 | push 8 $sequence_2 = { e8???????? a3???????? ba???????? 6a09 b9???????? e8???????? 83c440 } // n = 7, score = 100 // e8???????? | // a3???????? | // ba???????? | // 6a09 | push 9 // b9???????? | // e8???????? | // 83c440 | add esp, 0x40 $sequence_3 = { 6a05 6a00 53 8d85f4f3ffff 50 68???????? 6a00 } // n = 7, score = 100 // 6a05 | push 5 // 6a00 | push 0 // 53 | push ebx // 8d85f4f3ffff | lea eax, [ebp - 0xc0c] // 50 | push eax // 68???????? | // 6a00 | push 0 $sequence_4 = { 75f7 8b8dc4f9ffff ba???????? 2bd1 0f1f440000 8a01 8d4901 } // n = 7, score = 100 // 75f7 | jne 0xfffffff9 // 8b8dc4f9ffff | mov ecx, dword ptr [ebp - 0x63c] // ba???????? | // 2bd1 | sub edx, ecx // 0f1f440000 | nop dword ptr [eax + eax] // 8a01 | mov al, byte ptr [ecx] // 8d4901 | lea ecx, [ecx + 1] $sequence_5 = { 83f81f 0f87a1000000 eb73 8b45b0 80784900 0f84a1000000 } // n = 6, score = 100 // 83f81f | cmp eax, 0x1f // 0f87a1000000 | ja 0xa7 // eb73 | jmp 0x75 // 8b45b0 | mov eax, dword ptr [ebp - 0x50] // 80784900 | cmp byte ptr [eax + 0x49], 0 // 0f84a1000000 | je 0xa7 $sequence_6 = { 0f84ed010000 6a10 8d8d80f7ffff 51 50 ff15???????? 83f8ff } // n = 7, score = 100 // 0f84ed010000 | je 0x1f3 // 6a10 | push 0x10 // 8d8d80f7ffff | lea ecx, [ebp - 0x880] // 51 | push ecx // 50 | push eax // ff15???????? | // 83f8ff | cmp eax, -1 $sequence_7 = { 83c40c 33c9 c745e801000000 83e801 746f 8b1d???????? 8bc3 } // n = 7, score = 100 // 83c40c | add esp, 0xc // 33c9 | xor ecx, ecx // c745e801000000 | mov dword ptr [ebp - 0x18], 1 // 83e801 | sub eax, 1 // 746f | je 0x71 // 8b1d???????? | // 8bc3 | mov eax, ebx $sequence_8 = { 6a0e ba???????? a3???????? b9???????? e8???????? 6a0d ba???????? } // n = 7, score = 100 // 6a0e | push 0xe // ba???????? | // a3???????? | // b9???????? | // e8???????? | // 6a0d | push 0xd // ba???????? | $sequence_9 = { 50 e8???????? 83c404 8bd0 8bcf e8???????? } // n = 6, score = 100 // 50 | push eax // e8???????? | // 83c404 | add esp, 4 // 8bd0 | mov edx, eax // 8bcf | mov ecx, edi // e8???????? | condition: 7 of them and filesize < 23088128 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY