Actor(s): Lazarus Group
There is no description at this point.
rule win_bankshot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 } // n = 7, score = 300 // 8bf8 | dec eax // 8d5101 | lea ebx, [0xb1b] // 8a01 | push ecx // 41 | push eax // 84c0 | push 0 // 75f9 | push 0xfde9 // 57 | call ebx $sequence_1 = { 51 50 6a00 68e9fd0000 ffd3 } // n = 5, score = 300 // 51 | or edx, 0xffffffff // 50 | dec eax // 6a00 | mov ecx, edi // 68e9fd0000 | dec eax // ffd3 | mov ecx, edi $sequence_2 = { 8bec 81ec48040000 a1???????? 33c5 8945f8 53 } // n = 6, score = 300 // 8bec | dec eax // 81ec48040000 | lea ebx, [0x7d99] // a1???????? | // 33c5 | dec eax // 8945f8 | lea edx, [esp + 0x20] // 53 | dec eax $sequence_3 = { 6a06 8d90c4e10110 5f 668b02 8d5202 } // n = 5, score = 200 // 6a06 | mov ecx, edi // 8d90c4e10110 | mov eax, edi // 5f | mov dword ptr [ebp - 0x1c], ecx // 668b02 | cmp dword ptr [eax + 0x1001e1c0], ebx // 8d5202 | push eax $sequence_4 = { 8d430c 2bce 51 56 50 e8???????? 8bc3 } // n = 7, score = 200 // 8d430c | mov al, byte ptr [ecx] // 2bce | inc ecx // 51 | test al, al // 56 | jne 3 // 50 | push edi // e8???????? | // 8bc3 | add esp, 8 $sequence_5 = { e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 8945e4 } // n = 6, score = 200 // e8???????? | // 83c40c | mov word ptr [eax + 0x6c], cx // 6b45e430 | mov eax, dword ptr [ebp + 8] // 8945e0 | mov word ptr [eax + 0x172], cx // 8d80d0e10110 | mov eax, dword ptr [ebp + 8] // 8945e4 | mov dword ptr [esi + 0x21c], eax $sequence_6 = { 0fb6c0 eb17 81fa00010000 7313 8a87bce10110 } // n = 5, score = 200 // 0fb6c0 | pop edi // eb17 | lea ecx, [esi + 0xc] // 81fa00010000 | push 6 // 7313 | lea edx, [eax + 0x1001e1c4] // 8a87bce10110 | pop edi $sequence_7 = { 6800100000 ffd6 ebf7 55 8bec } // n = 5, score = 200 // 6800100000 | jle 0x79 // ffd6 | cmp edx, 0x20 // ebf7 | jb 0x61 // 55 | cmp edx, -1 // 8bec | je 0x72 $sequence_8 = { e8???????? 83c40c e8???????? 99 b907000000 } // n = 5, score = 200 // e8???????? | // 83c40c | push eax // e8???????? | // 99 | call ebx // b907000000 | push 0x800 $sequence_9 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 } // n = 7, score = 200 // e8???????? | // 83c404 | lea eax, [eax + 0x1001e1d0] // 89861c020000 | mov eax, edi // 8b45e0 | mov dword ptr [ebp - 0x1c], ecx // 8d4e0c | cmp dword ptr [eax + 0x1001e1c0], ebx // 6a06 | je 0xf9 // 8d90c4e10110 | pop ecx $sequence_10 = { 680c400000 8d84243c050000 6a00 50 e8???????? } // n = 5, score = 200 // 680c400000 | xor ecx, ecx // 8d84243c050000 | test edx, edx // 6a00 | jle 0x74 // 50 | cmp edx, 0x20 // e8???????? | $sequence_11 = { 83faff 7479 33c9 85d2 7e73 83fa20 7256 } // n = 7, score = 200 // 83faff | push ecx // 7479 | push eax // 33c9 | push 0 // 85d2 | push 0xfde9 // 7e73 | call ebx // 83fa20 | push ebp // 7256 | mov ebp, esp $sequence_12 = { 8b4508 c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 } // n = 7, score = 200 // 8b4508 | mov ax, word ptr [edx] // c700???????? | // 8b4508 | lea edx, [edx + 2] // 898850030000 | push edi // 8b4508 | xor edi, edi // 59 | mov ecx, edi // c74048b8e40110 | mov eax, edi $sequence_13 = { 83c408 83faff 0f84a5010000 33c9 } // n = 4, score = 200 // 83c408 | sub esp, 0x448 // 83faff | xor eax, ebp // 0f84a5010000 | mov dword ptr [ebp - 8], eax // 33c9 | push ebx $sequence_14 = { 8bcf 8bc7 894de4 3998c0e10110 0f84ea000000 } // n = 5, score = 200 // 8bcf | imul eax, dword ptr [ebp - 0x1c], 0x30 // 8bc7 | mov dword ptr [ebp - 0x20], eax // 894de4 | lea eax, [eax + 0x1001e1d0] // 3998c0e10110 | mov dword ptr [ebp - 0x1c], eax // 0f84ea000000 | cmp byte ptr [eax], 0 $sequence_15 = { 7515 8b45fc 817848b8e40110 7409 ff7048 e8???????? 59 } // n = 7, score = 200 // 7515 | je 0xe // 8b45fc | cmp dword ptr [ebp - 0x718], 0x123482 // 817848b8e40110 | je 0x3b // 7409 | mov eax, dword ptr [ebp - 0x720] // ff7048 | je 0x5d // e8???????? | // 59 | mov dword ptr [ebp - 0x470], eax $sequence_16 = { c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 8b4508 83a04c03000000 } // n = 7, score = 200 // c74048b8e40110 | dec ebx // 8b4508 | jne 0x18 // 6689486c | mov eax, dword ptr [ebp - 4] // 8b4508 | cmp dword ptr [eax + 0x48], 0x1001e4b8 // 66898872010000 | pop ecx // 8b4508 | mov dword ptr [eax + 0x48], 0x1001e4b8 // 83a04c03000000 | mov eax, dword ptr [ebp + 8] $sequence_17 = { ff15???????? 8d9424dc000000 56 8d8424e0080000 } // n = 4, score = 100 // ff15???????? | // 8d9424dc000000 | add esp, 0xc // 56 | cdq // 8d8424e0080000 | mov ecx, 7 $sequence_18 = { 837a1000 7455 8d85fcf7ffff 50 8b8df8f3ffff 83c114 51 } // n = 7, score = 100 // 837a1000 | idiv ecx // 7455 | add esp, 0xc // 8d85fcf7ffff | cdq // 50 | mov ecx, 7 // 8b8df8f3ffff | idiv ecx // 83c114 | mov edx, dword ptr [ecx + 0xc] // 51 | push edx $sequence_19 = { 52 89842491020000 e8???????? 8d842495020000 50 e8???????? 8d6c0025 } // n = 7, score = 100 // 52 | mov ecx, 7 // 89842491020000 | idiv ecx // e8???????? | // 8d842495020000 | add esp, 0xc // 50 | cdq // e8???????? | // 8d6c0025 | mov ecx, 7 $sequence_20 = { 898850030000 8b4508 59 c7404810740110 8b4508 6689486c } // n = 6, score = 100 // 898850030000 | push ebx // 8b4508 | mov edi, eax // 59 | lea edx, [ecx + 1] // c7404810740110 | mov al, byte ptr [ecx] // 8b4508 | inc ecx // 6689486c | test al, al $sequence_21 = { e8???????? 85c0 0f8497020000 51 6a04 8d45d8 } // n = 6, score = 100 // e8???????? | // 85c0 | mov dword ptr [ebp - 8], eax // 0f8497020000 | push ebx // 51 | sub esp, 0x448 // 6a04 | xor eax, ebp // 8d45d8 | mov dword ptr [ebp - 8], eax $sequence_22 = { e8???????? 8d47fd e9???????? 4533c9 } // n = 4, score = 100 // e8???????? | // 8d47fd | dec ecx // e9???????? | // 4533c9 | mov edi, esp $sequence_23 = { 03048dc8887100 50 ff15???????? 5d c3 } // n = 5, score = 100 // 03048dc8887100 | call edi // 50 | mov dword ptr [ebp - 0xc794], 0 // ff15???????? | // 5d | lea ecx, [ebp - 0xc794] // c3 | add esp, 0xc $sequence_24 = { 660fd645bc ffd7 68???????? 50 ffd3 6800080000 898564f2ffff } // n = 7, score = 100 // 660fd645bc | push ebx // ffd7 | push ebp // 68???????? | // 50 | mov ebp, esp // ffd3 | sub esp, 0x448 // 6800080000 | xor eax, ebp // 898564f2ffff | mov dword ptr [ebp - 8], eax $sequence_25 = { 745b a1???????? 898590fbffff 8b8d90fbffff 898db8fbffff 83bdb8fbffff00 } // n = 6, score = 100 // 745b | push 0 // a1???????? | // 898590fbffff | mov edx, dword ptr [ebp - 0x66c] // 8b8d90fbffff | push edx // 898db8fbffff | mov dword ptr [ebp - 0x694], eax // 83bdb8fbffff00 | cmp dword ptr [edx + 0x10], 0 $sequence_26 = { 6a00 8b9594f9ffff 52 ff15???????? 89856cf9ffff } // n = 5, score = 100 // 6a00 | mov ecx, 7 // 8b9594f9ffff | add esp, 0xc // 52 | cdq // ff15???????? | // 89856cf9ffff | mov ecx, 7 $sequence_27 = { 53 56 8d84247c020000 57 } // n = 4, score = 100 // 53 | mov dword ptr [ebp - 0xc28], ebx // 56 | call ebx // 8d84247c020000 | mov esi, eax // 57 | call ebx $sequence_28 = { 8b442404 81ec08020000 85c0 53 } // n = 4, score = 100 // 8b442404 | call dword ptr [ebp - 0x68] // 81ec08020000 | mov dword ptr [ebp - 0x34], eax // 85c0 | test eax, eax // 53 | mov edi, ecx $sequence_29 = { 89442440 e8???????? 85c0 0f84b9010000 bf04000000 488d542440 4d8bcd } // n = 7, score = 100 // 89442440 | repne scasb al, byte ptr es:[edi] // e8???????? | // 85c0 | dec eax // 0f84b9010000 | not ecx // bf04000000 | lea eax, [edi - 3] // 488d542440 | inc ebp // 4d8bcd | xor ecx, ecx $sequence_30 = { 6a03 6a00 6a01 6800000080 56 89442430 } // n = 6, score = 100 // 6a03 | add esp, 0xc // 6a00 | cdq // 6a01 | mov ecx, 7 // 6800000080 | idiv ecx // 56 | add esp, 0xc // 89442430 | cdq $sequence_31 = { 488d542420 488d4c2428 ff15???????? 488d542430 488d4c2420 } // n = 5, score = 100 // 488d542420 | dec eax // 488d4c2428 | mov dword ptr [esp + 0x140], eax // ff15???????? | // 488d542430 | dec eax // 488d4c2420 | mov ebx, dword ptr [ecx] $sequence_32 = { 50 e8???????? 83c42c 5f eb26 8d4508 8db61ca84100 } // n = 7, score = 100 // 50 | mov eax, dword ptr [esp + 4] // e8???????? | // 83c42c | sub esp, 0x208 // 5f | test eax, eax // eb26 | push ebx // 8d4508 | push ebx // 8db61ca84100 | push esi $sequence_33 = { 894c2444 488bcd ff15???????? 85c0 } // n = 4, score = 100 // 894c2444 | mov edi, 4 // 488bcd | dec eax // ff15???????? | // 85c0 | lea edx, [esp + 0x40] $sequence_34 = { 50 e8???????? c745e4271a16ab 83c424 } // n = 4, score = 100 // 50 | mov ebp, esp // e8???????? | // c745e4271a16ab | sub esp, 0x448 // 83c424 | xor eax, ebp $sequence_35 = { 488bce e8???????? 4883c9ff 33c0 498bfc f2ae 48f7d1 } // n = 7, score = 100 // 488bce | mov ebx, edi // e8???????? | // 4883c9ff | dec eax // 33c0 | mov ecx, esi // 498bfc | dec eax // f2ae | or ecx, 0xffffffff // 48f7d1 | xor eax, eax $sequence_36 = { 6a00 6a04 6a00 50 ff5598 8945cc 85c0 } // n = 7, score = 100 // 6a00 | jne 3 // 6a04 | push edi // 6a00 | push eax // 50 | mov dword ptr [ebp - 0x1c], 0xab161a27 // ff5598 | add esp, 0x24 // 8945cc | test eax, eax // 85c0 | je 0x29d $sequence_37 = { 85c0 740c 81bde8f8ffff82341200 742d 8b85e0f8ffff } // n = 5, score = 100 // 85c0 | ret // 740c | push 2 // 81bde8f8ffff82341200 | movzx eax, word ptr [ebp - 0x2b94] // 742d | add eax, 0x1a // 8b85e0f8ffff | push eax $sequence_38 = { 83caff 488bcf ff15???????? 488bcf ff15???????? 488d1d997d0000 } // n = 6, score = 100 // 83caff | dec ebp // 488bcf | mov ecx, ebp // ff15???????? | // 488bcf | dec eax // ff15???????? | // 488d1d997d0000 | xor eax, esp $sequence_39 = { 8b542420 8d4c2414 51 52 e8???????? 83c408 85c0 } // n = 7, score = 100 // 8b542420 | lea eax, [esp + 0x27c] // 8d4c2414 | push edi // 51 | lea edx, [esp + 0xdc] // 52 | push esi // e8???????? | // 83c408 | lea eax, [esp + 0x8e0] // 85c0 | push 3 $sequence_40 = { 6a02 0fb7856cd4ffff 83c01a 50 } // n = 4, score = 100 // 6a02 | cdq // 0fb7856cd4ffff | mov ecx, 7 // 83c01a | add esp, 0xc // 50 | cdq $sequence_41 = { 488b05???????? 4833c4 4889842440010000 488b19 } // n = 4, score = 100 // 488b05???????? | // 4833c4 | mov dword ptr [esp + 0x40], eax // 4889842440010000 | test eax, eax // 488b19 | je 0x1c1 $sequence_42 = { 8b510c 52 ff15???????? 8b45fc c7400c00000000 8b4dfc } // n = 6, score = 100 // 8b510c | push 0x400c // 52 | lea eax, [esp + 0x53c] // ff15???????? | // 8b45fc | push 0 // c7400c00000000 | push eax // 8b4dfc | push eax $sequence_43 = { ffc3 83fb02 0f82e5feffff 418bdf e9???????? } // n = 5, score = 100 // ffc3 | inc ebx // 83fb02 | cmp ebx, 2 // 0f82e5feffff | jb 0xfffffeeb // 418bdf | inc ecx // e9???????? | condition: 7 of them and filesize < 860160 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY