Actor(s): Lazarus Group
There is no description at this point.
rule win_bankshot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-10-14" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.5.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot" malpedia_rule_date = "20201014" malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9" malpedia_version = "20201014" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 55 8bec 81ec48040000 a1???????? 33c5 8945f8 53 } // n = 7, score = 200 // 55 | xor ebx, ebx // 8bec | dec eax // 81ec48040000 | mov dword ptr [esp + 0x20], edx // a1???????? | // 33c5 | dec eax // 8945f8 | mov ecx, edi // 53 | dec ecx $sequence_1 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 } // n = 7, score = 200 // 8bf8 | mov esi, eax // 8d5101 | inc ecx // 8a01 | mov edi, edi // 41 | dec esp // 84c0 | mov esp, eax // 75f9 | dec eax // 57 | test esi, esi $sequence_2 = { 51 50 6a00 68e9fd0000 ffd3 } // n = 5, score = 200 // 51 | sub edi, edx // 50 | inc ebp // 6a00 | xor edi, edi // 68e9fd0000 | lea ecx, [edx + 2] // ffd3 | dec eax $sequence_3 = { e8???????? 83c40c e8???????? 99 b907000000 } // n = 5, score = 200 // e8???????? | // 83c40c | inc ecx // e8???????? | // 99 | test al, al // b907000000 | jne 0 $sequence_4 = { c1e91f 03d1 6bd21a 2bfa } // n = 4, score = 100 // c1e91f | mov ecx, edi // 03d1 | shr eax, cl // 6bd21a | dec eax // 2bfa | sub esp, 0x20 $sequence_5 = { 898560f2ffff 8d8570f2ffff 6a00 50 } // n = 4, score = 100 // 898560f2ffff | push ebx // 8d8570f2ffff | push ecx // 6a00 | push eax // 50 | push 0 $sequence_6 = { 8bf7 c744242400010000 8b4c2414 8b5c241c 8a06 81e1ff000000 } // n = 6, score = 100 // 8bf7 | lea esi, [edi + 0x10] // c744242400010000 | call dword ptr [ebp - 0xc28] // 8b4c2414 | push eax // 8b5c241c | call dword ptr [ebp - 0xc24] // 8a06 | add esp, 0xc // 81e1ff000000 | cdq $sequence_7 = { 8d44247c 50 e8???????? 03f8 83c408 } // n = 5, score = 100 // 8d44247c | add esp, 0xc // 50 | cdq // e8???????? | // 03f8 | mov ecx, 7 // 83c408 | idiv ecx $sequence_8 = { ff15???????? 03742428 83d700 3bfb 72ac 7704 } // n = 6, score = 100 // ff15???????? | // 03742428 | jmp 0x3d // 83d700 | lea eax, [ebp - 0xc20] // 3bfb | xorps xmm0, xmm0 // 72ac | push eax // 7704 | mov dword ptr [ebp - 0xda0], eax $sequence_9 = { 69cf60ea0000 51 ffd0 e9???????? ff442418 68???????? } // n = 6, score = 100 // 69cf60ea0000 | sub esp, 0x448 // 51 | xor eax, ebp // ffd0 | mov dword ptr [ebp - 8], eax // e9???????? | // ff442418 | push ebx // 68???????? | $sequence_10 = { 83e103 03dd f3a4 8b742410 } // n = 4, score = 100 // 83e103 | add esi, dword ptr [esp + 0x28] // 03dd | adc edi, 0 // f3a4 | cmp edi, ebx // 8b742410 | jb 0xffffffb0 $sequence_11 = { 3bd9 0f835ffbffff 03f3 03d3 83fb1f 0f8715040000 ff249d34e87000 } // n = 7, score = 100 // 3bd9 | idiv ecx // 0f835ffbffff | and ecx, 3 // 03f3 | rep movsb byte ptr es:[edi], byte ptr [esi] // 03d3 | lea eax, [ebp - 0x148] // 83fb1f | mov dword ptr [ebp - 0x870], eax // 0f8715040000 | mov ecx, dword ptr [ebp - 0x870] // ff249d34e87000 | mov dword ptr [ebp - 0x8bc], ecx $sequence_12 = { 803d????????55 488d3dbf870000 0f85b9faffff 660f1f840000000000 418bc6 418bcf d3e8 } // n = 7, score = 100 // 803d????????55 | // 488d3dbf870000 | mov ecx, ebx // 0f85b9faffff | dec eax // 660f1f840000000000 | lea edx, [0xe9e2] // 418bc6 | dec eax // 418bcf | lea ecx, [esp + 0x20] // d3e8 | dec eax $sequence_13 = { 8a02 888564f8ffff 838554f8ffff01 80bd64f8ffff00 75e2 8b8d54f8ffff 2b8df4f7ffff } // n = 7, score = 100 // 8a02 | mov edx, dword ptr [ebp - 0x870] // 888564f8ffff | cmp dword ptr [ebp - 4], 0 // 838554f8ffff01 | je 0x2e // 80bd64f8ffff00 | mov eax, dword ptr [ebp - 4] // 75e2 | push eax // 8b8d54f8ffff | je 0x24f // 2b8df4f7ffff | mov edx, dword ptr [ebp - 0xc34] $sequence_14 = { 837dfc00 742c 68???????? 8b45fc 50 } // n = 5, score = 100 // 837dfc00 | jb 0x61 // 742c | pop ebp // 68???????? | // 8b45fc | ret // 50 | mov esi, eax $sequence_15 = { 4889542420 488b15???????? 488bcf e8???????? e9???????? 4c8b05???????? 498d5106 } // n = 7, score = 100 // 4889542420 | lea ebx, [0x2233] // 488b15???????? | // 488bcf | dec eax // e8???????? | // e9???????? | // 4c8b05???????? | // 498d5106 | lea edi, [0x87bf] $sequence_16 = { 0f108405f4bfffff 660fefc1 0f118405f4bfffff 83c020 3bc6 7cd1 3bc2 } // n = 7, score = 100 // 0f108405f4bfffff | mov ebp, esp // 660fefc1 | sub esp, 0x448 // 0f118405f4bfffff | xor eax, ebp // 83c020 | mov dword ptr [ebp - 8], eax // 3bc6 | push ebx // 7cd1 | mov edi, eax // 3bc2 | lea edx, [ecx + 1] $sequence_17 = { 83e103 f3a4 8d85b8feffff 898590f7ffff 8b8d90f7ffff 898d44f7ffff 8b9590f7ffff } // n = 7, score = 100 // 83e103 | lea ecx, [ebp - 0xc74c] // f3a4 | cmp edx, -1 // 8d85b8feffff | je 0x85 // 898590f7ffff | xor eax, eax // 8b8d90f7ffff | test edx, edx // 898d44f7ffff | jle 0x7c // 8b9590f7ffff | cmp edx, 0x20 $sequence_18 = { e8???????? 85c0 7433 6a00 8b9568ddffff 52 8b0d???????? } // n = 7, score = 100 // e8???????? | // 85c0 | mov ecx, 7 // 7433 | idiv ecx // 6a00 | add esp, 0xc // 8b9568ddffff | cdq // 52 | mov ecx, 7 // 8b0d???????? | $sequence_19 = { 85c0 5f 753d ff15???????? 8b0d???????? 6a01 } // n = 6, score = 100 // 85c0 | lea eax, [ebp - 0xd90] // 5f | push 0 // 753d | push eax // ff15???????? | // 8b0d???????? | // 6a01 | je 0x97 $sequence_20 = { 81c2???????? e8???????? 83c404 85c0 0f8427040000 8b4608 8d8db438ffff } // n = 7, score = 100 // 81c2???????? | // e8???????? | // 83c404 | sub esp, 0x448 // 85c0 | xor eax, ebp // 0f8427040000 | mov dword ptr [ebp - 8], eax // 8b4608 | push ebx // 8d8db438ffff | push ebp $sequence_21 = { 81c4a40c0000 c3 8b0d???????? 8b15???????? 6a01 6890190000 } // n = 6, score = 100 // 81c4a40c0000 | mov ecx, 7 // c3 | add esp, 0xc // 8b0d???????? | // 8b15???????? | // 6a01 | cdq // 6890190000 | mov ecx, 7 $sequence_22 = { e8???????? 8bd0 83c408 83faff 747d 33c9 } // n = 6, score = 100 // e8???????? | // 8bd0 | mov al, byte ptr [ecx] // 83c408 | inc ecx // 83faff | test al, al // 747d | jne 0 // 33c9 | push edi $sequence_23 = { 83faff 0f847c000000 33c0 85d2 7e76 83fa20 7256 } // n = 7, score = 100 // 83faff | mov ebp, esp // 0f847c000000 | sub esp, 0x448 // 33c0 | xor eax, ebp // 85d2 | mov dword ptr [ebp - 8], eax // 7e76 | push ebx // 83fa20 | movups xmm0, xmmword ptr [ebp + eax - 0x400c] // 7256 | pxor xmm0, xmm1 $sequence_24 = { 8bc8 b8f1197605 f7e9 c1fa05 8bc2 } // n = 5, score = 100 // 8bc8 | jne 0xfffffac6 // b8f1197605 | nop word ptr [eax + eax] // f7e9 | inc ecx // c1fa05 | mov eax, esi // 8bc2 | inc ecx $sequence_25 = { 899590f8ffff 8b8590f8ffff 898540f8ffff 8b8d68f8ffff } // n = 4, score = 100 // 899590f8ffff | cdq // 8b8590f8ffff | mov ecx, 7 // 898540f8ffff | add esp, 0xc // 8b8d68f8ffff | cdq $sequence_26 = { 48895c2408 57 4883ec20 488d1d33220000 } // n = 4, score = 100 // 48895c2408 | jne 0xffffffe1 // 57 | dec eax // 4883ec20 | lea edx, [esp + 0x20] // 488d1d33220000 | dec eax $sequence_27 = { ff15???????? 33c0 8dbe14020000 6689845de8fbffff 3807 0f847f000000 } // n = 6, score = 100 // ff15???????? | // 33c0 | push ecx // 8dbe14020000 | push eax // 6689845de8fbffff | push 0 // 3807 | push 0xfde9 // 0f847f000000 | call ebx $sequence_28 = { eb4b e8???????? eb44 8d4b0c 51 } // n = 5, score = 100 // eb4b | add esp, 0xc // e8???????? | // eb44 | cdq // 8d4b0c | mov ecx, 7 // 51 | idiv ecx $sequence_29 = { 68???????? ff15???????? 85c0 0f8433f9ffff } // n = 4, score = 100 // 68???????? | // ff15???????? | // 85c0 | push ebp // 0f8433f9ffff | mov ebp, esp $sequence_30 = { 0f8449020000 8b95ccf3ffff 81c2e80e0000 52 68???????? 8d85d0fbffff 50 } // n = 7, score = 100 // 0f8449020000 | lea eax, [ebp - 0x22c] // 8b95ccf3ffff | sub esi, edi // 81c2e80e0000 | add esp, 0xc // 52 | cdq // 68???????? | // 8d85d0fbffff | mov ecx, 7 // 50 | add esp, 0xc $sequence_31 = { 488b05???????? 4833c4 4889842450030000 488d4c2440 488d153b940000 41b810030000 e8???????? } // n = 7, score = 100 // 488b05???????? | // 4833c4 | dec eax // 4889842450030000 | xor eax, esp // 488d4c2440 | dec eax // 488d153b940000 | mov dword ptr [esp + 0x350], eax // 41b810030000 | dec eax // e8???????? | $sequence_32 = { eb3b 8d85e0f3ffff 0f57c0 50 } // n = 4, score = 100 // eb3b | mov ebp, esp // 8d85e0f3ffff | sub esp, 0x448 // 0f57c0 | xor eax, ebp // 50 | mov dword ptr [ebp - 8], eax $sequence_33 = { 75df 488d542420 488bcb ff15???????? 488d15e2e90000 488d4c2420 } // n = 6, score = 100 // 75df | lea ecx, [esp + 0x40] // 488d542420 | dec eax // 488bcb | lea edx, [0x943b] // ff15???????? | // 488d15e2e90000 | inc ecx // 488d4c2420 | mov eax, 0x310 $sequence_34 = { 8bcf 50 e8???????? 85c0 0f848c000000 } // n = 5, score = 100 // 8bcf | sub esp, 0x448 // 50 | xor eax, ebp // e8???????? | // 85c0 | mov dword ptr [ebp - 8], eax // 0f848c000000 | push ebx $sequence_35 = { 4883ec20 c705????????01000000 488d3d35a40000 488d1d56a40000 b9e8030000 ff15???????? 4533db } // n = 7, score = 100 // 4883ec20 | mov dword ptr [esp + 8], ebx // c705????????01000000 | // 488d3d35a40000 | push edi // 488d1d56a40000 | dec eax // b9e8030000 | sub esp, 0x20 // ff15???????? | // 4533db | dec eax condition: 7 of them and filesize < 860160 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY