Actor(s): Lazarus Group
There is no description at this point.
rule win_bankshot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.bankshot." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 } // n = 7, score = 300 // 8bf8 | mov edi, eax // 8d5101 | lea edx, dword ptr [ecx + 1] // 8a01 | mov al, byte ptr [ecx] // 41 | inc ecx // 84c0 | test al, al // 75f9 | jne 0xfffffffb // 57 | push edi $sequence_1 = { 81ec48040000 a1???????? 33c5 8945f8 53 } // n = 5, score = 300 // 81ec48040000 | sub esp, 0x448 // a1???????? | // 33c5 | xor eax, ebp // 8945f8 | mov dword ptr [ebp - 8], eax // 53 | push ebx $sequence_2 = { 51 50 6a00 68e9fd0000 ffd3 } // n = 5, score = 300 // 51 | push ecx // 50 | push eax // 6a00 | push 0 // 68e9fd0000 | push 0xfde9 // ffd3 | call ebx $sequence_3 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 } // n = 7, score = 200 // e8???????? | // 83c404 | add esp, 4 // 89861c020000 | mov dword ptr [esi + 0x21c], eax // 8b45e0 | mov eax, dword ptr [ebp - 0x20] // 8d4e0c | lea ecx, dword ptr [esi + 0xc] // 6a06 | push 6 // 8d90c4e10110 | lea edx, dword ptr [eax + 0x1001e1c4] $sequence_4 = { c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 8b4508 83a04c03000000 } // n = 7, score = 200 // c74048b8e40110 | mov dword ptr [eax + 0x48], 0x1001e4b8 // 8b4508 | mov eax, dword ptr [ebp + 8] // 6689486c | mov word ptr [eax + 0x6c], cx // 8b4508 | mov eax, dword ptr [ebp + 8] // 66898872010000 | mov word ptr [eax + 0x172], cx // 8b4508 | mov eax, dword ptr [ebp + 8] // 83a04c03000000 | and dword ptr [eax + 0x34c], 0 $sequence_5 = { 50 e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 } // n = 6, score = 200 // 50 | push eax // e8???????? | // 83c40c | add esp, 0xc // 6b45e430 | imul eax, dword ptr [ebp - 0x1c], 0x30 // 8945e0 | mov dword ptr [ebp - 0x20], eax // 8d80d0e10110 | lea eax, dword ptr [eax + 0x1001e1d0] $sequence_6 = { 8b85c0baffff 85c0 740d 50 ffd7 } // n = 5, score = 200 // 8b85c0baffff | xor eax, ebp // 85c0 | mov dword ptr [ebp - 8], eax // 740d | push ebx // 50 | mov ebp, esp // ffd7 | sub esp, 0x448 $sequence_7 = { 8d80d0e10110 8945e4 803800 8bc8 } // n = 4, score = 200 // 8d80d0e10110 | lea eax, dword ptr [eax + 0x1001e1d0] // 8945e4 | mov dword ptr [ebp - 0x1c], eax // 803800 | cmp byte ptr [eax], 0 // 8bc8 | mov ecx, eax $sequence_8 = { 8d90c4e10110 5f 668b02 8d5202 } // n = 4, score = 200 // 8d90c4e10110 | lea edx, dword ptr [eax + 0x1001e1c4] // 5f | pop edi // 668b02 | mov ax, word ptr [edx] // 8d5202 | lea edx, dword ptr [edx + 2] $sequence_9 = { 50 6a14 e8???????? 83c40c } // n = 4, score = 200 // 50 | xor eax, ebp // 6a14 | mov dword ptr [ebp - 8], eax // e8???????? | // 83c40c | push ebx $sequence_10 = { 817848b8e40110 7409 ff7048 e8???????? 59 c70701000000 8bcf } // n = 7, score = 200 // 817848b8e40110 | cmp dword ptr [eax + 0x48], 0x1001e4b8 // 7409 | je 0xb // ff7048 | push dword ptr [eax + 0x48] // e8???????? | // 59 | pop ecx // c70701000000 | mov dword ptr [edi], 1 // 8bcf | mov ecx, edi $sequence_11 = { 83c40c e8???????? 99 b907000000 f7f9 } // n = 5, score = 200 // 83c40c | dec eax // e8???????? | // 99 | mov dword ptr [ebp + 0x3a0], eax // b907000000 | xor esi, esi // f7f9 | dec esp $sequence_12 = { e9???????? 57 33ff 8bcf 8bc7 894de4 3998c0e10110 } // n = 7, score = 200 // e9???????? | // 57 | push edi // 33ff | xor edi, edi // 8bcf | mov ecx, edi // 8bc7 | mov eax, edi // 894de4 | mov dword ptr [ebp - 0x1c], ecx // 3998c0e10110 | cmp dword ptr [eax + 0x1001e1c0], ebx $sequence_13 = { 6828050000 57 50 e8???????? 83c40c 39bdecbfffff } // n = 6, score = 200 // 6828050000 | mov dword ptr [ebp - 8], eax // 57 | push ebx // 50 | push ebp // e8???????? | // 83c40c | mov ebp, esp // 39bdecbfffff | sub esp, 0x448 $sequence_14 = { 83c404 85c0 0f8475030000 8b1d???????? 0f1f440000 } // n = 5, score = 200 // 83c404 | mov byte ptr [esp + 0x5f], 0x9f // 85c0 | mov byte ptr [esp + 0x61], 0x5b // 0f8475030000 | mov edi, eax // 8b1d???????? | // 0f1f440000 | lea edx, dword ptr [ecx + 1] $sequence_15 = { 8b4508 c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 } // n = 7, score = 200 // 8b4508 | mov eax, dword ptr [ebp + 8] // c700???????? | // 8b4508 | mov eax, dword ptr [ebp + 8] // 898850030000 | mov dword ptr [eax + 0x350], ecx // 8b4508 | mov eax, dword ptr [ebp + 8] // 59 | pop ecx // c74048b8e40110 | mov dword ptr [eax + 0x48], 0x1001e4b8 $sequence_16 = { 8bb5b8fbffff c1e902 f3a5 8bca 8d9314020000 83e103 f3a4 } // n = 7, score = 200 // 8bb5b8fbffff | mov al, byte ptr [ecx] // c1e902 | inc ecx // f3a5 | test al, al // 8bca | jne 0 // 8d9314020000 | push edi // 83e103 | sub esp, 0x448 // f3a4 | xor eax, ebp $sequence_17 = { 8b4508 dd00 ebc6 c745e078410110 e9???????? c745e080410110 } // n = 6, score = 100 // 8b4508 | mov eax, dword ptr [ebp + 8] // dd00 | fld qword ptr [eax] // ebc6 | jmp 0xffffffc8 // c745e078410110 | mov dword ptr [ebp - 0x20], 0x10014178 // e9???????? | // c745e080410110 | mov dword ptr [ebp - 0x20], 0x10014180 $sequence_18 = { 6a7f 6a00 8d8d7dffffff 51 e8???????? 83c40c } // n = 6, score = 100 // 6a7f | add esp, 0xc // 6a00 | cdq // 8d8d7dffffff | mov ecx, 7 // 51 | add esp, 0xc // e8???????? | // 83c40c | cdq $sequence_19 = { 894c2444 c644241851 c6442419f0 c644241af4 c644241b89 c644241c60 c644241d77 } // n = 7, score = 100 // 894c2444 | lea ecx, dword ptr [ebp - 0x30] // c644241851 | inc ecx // c6442419f0 | mov ecx, 0x44 // c644241af4 | shr ecx, 0x1f // c644241b89 | add edx, ecx // c644241c60 | imul edx, edx, 0x1a // c644241d77 | sub esi, edx $sequence_20 = { 0f84b6fbffff 6800040000 8d8424bc0c0000 6a00 50 e8???????? } // n = 6, score = 100 // 0f84b6fbffff | je 0xfffffbbc // 6800040000 | push 0x400 // 8d8424bc0c0000 | lea eax, dword ptr [esp + 0xcbc] // 6a00 | push 0 // 50 | push eax // e8???????? | $sequence_21 = { 7508 83ee01 8b45e4 79e3 8b45f4 } // n = 5, score = 100 // 7508 | jne 0xa // 83ee01 | sub esi, 1 // 8b45e4 | mov eax, dword ptr [ebp - 0x1c] // 79e3 | jns 0xffffffe5 // 8b45f4 | mov eax, dword ptr [ebp - 0xc] $sequence_22 = { 8b9554f8ffff 8a02 888564f8ffff 838554f8ffff01 80bd64f8ffff00 75e2 } // n = 6, score = 100 // 8b9554f8ffff | push edi // 8a02 | push eax // 888564f8ffff | add esp, 0xc // 838554f8ffff01 | cmp dword ptr [ebp - 0x4014], edi // 80bd64f8ffff00 | mov eax, dword ptr [ebp - 0x4540] // 75e2 | test eax, eax $sequence_23 = { f644241810 7437 8b0e 8b94246c020000 } // n = 4, score = 100 // f644241810 | add esp, 0xc // 7437 | cdq // 8b0e | mov ecx, 7 // 8b94246c020000 | add esp, 0xc $sequence_24 = { 488d0d0f7f0000 4533c9 48c744243000000000 4d63fd } // n = 4, score = 100 // 488d0d0f7f0000 | mov ecx, ebx // 4533c9 | dec eax // 48c744243000000000 | lea edx, dword ptr [0xe4de] // 4d63fd | dec eax $sequence_25 = { 8d8dc4f6ffff 51 6a00 6a00 6800000008 } // n = 5, score = 100 // 8d8dc4f6ffff | je 0x11 // 51 | push eax // 6a00 | call edi // 6a00 | push eax // 6800000008 | push 0x14 $sequence_26 = { 488985a0030000 33f6 4c8bf9 4d8be8 4c89442448 } // n = 5, score = 100 // 488985a0030000 | lea ecx, dword ptr [esp + 0x20] // 33f6 | cmp byte ptr [esp + 0x20], 0 // 4c8bf9 | jne 0xffffffe1 // 4d8be8 | dec eax // 4c89442448 | lea edx, dword ptr [esp + 0x20] $sequence_27 = { ff15???????? 41b94a000000 488d1575510000 458d41e4 488d4dc0 } // n = 5, score = 100 // ff15???????? | // 41b94a000000 | mov eax, 0x14f8b589 // 488d1575510000 | inc ecx // 458d41e4 | imul esp // 488d4dc0 | inc ecx $sequence_28 = { 4183c541 ff15???????? 448be0 b889b5f814 41f7ec } // n = 5, score = 100 // 4183c541 | inc ecx // ff15???????? | // 448be0 | add ebp, 0x41 // b889b5f814 | inc esp // 41f7ec | mov esp, eax $sequence_29 = { 83c404 8d4c0042 51 6a40 ff15???????? } // n = 5, score = 100 // 83c404 | add esp, 0xc // 8d4c0042 | cdq // 51 | mov ecx, 7 // 6a40 | idiv ecx // ff15???????? | $sequence_30 = { 8be5 5d c20c00 8d8380000000 } // n = 4, score = 100 // 8be5 | mov esp, ebp // 5d | pop ebp // c20c00 | ret 0xc // 8d8380000000 | lea eax, dword ptr [ebx + 0x80] $sequence_31 = { 83fbff 750e ff15???????? 5b 81c434020000 c3 } // n = 6, score = 100 // 83fbff | imul eax, eax, 0x3c // 750e | cmp eax, ecx // ff15???????? | // 5b | jg 0x92 // 81c434020000 | dec eax // c3 | mov ecx, ebp $sequence_32 = { b8e4160000 e8???????? 55 33ed } // n = 4, score = 100 // b8e4160000 | test eax, eax // e8???????? | // 55 | inc ebp // 33ed | cmove ebp, edi $sequence_33 = { 8b8dd8feffff 83c101 898dd8feffff 8b95e4feffff } // n = 4, score = 100 // 8b8dd8feffff | add esp, 0xc // 83c101 | add esp, 0x18 // 898dd8feffff | mov dword ptr [ebp - 0x424], 0x103 // 8b95e4feffff | lea eax, dword ptr [ebp - 0x424] $sequence_34 = { 99 f7b9e81b0000 8b45f4 0390ec1b0000 } // n = 4, score = 100 // 99 | mov ecx, 7 // f7b9e81b0000 | idiv ecx // 8b45f4 | add esp, 0xc // 0390ec1b0000 | cdq $sequence_35 = { 81ec5c060000 8b0d???????? a1???????? 8b15???????? 894c2404 33c9 89442400 } // n = 7, score = 100 // 81ec5c060000 | cdq // 8b0d???????? | // a1???????? | // 8b15???????? | // 894c2404 | mov ecx, 7 // 33c9 | add esp, 0xc // 89442400 | cdq $sequence_36 = { 488bcb ff15???????? 488d15dee40000 488d4c2420 488905???????? ff15???????? 807c242000 } // n = 7, score = 100 // 488bcb | dec eax // ff15???????? | // 488d15dee40000 | lea ecx, dword ptr [ebp - 0x40] // 488d4c2420 | cmp eax, ecx // 488905???????? | // ff15???????? | // 807c242000 | jg 0x92 $sequence_37 = { 81bd78f8ffff04010000 7302 eb05 e8???????? } // n = 4, score = 100 // 81bd78f8ffff04010000 | mov ecx, 7 // 7302 | add esp, 0xc // eb05 | cdq // e8???????? | $sequence_38 = { eb1e 837df861 7c08 837df87a 7f02 } // n = 5, score = 100 // eb1e | mov ecx, 7 // 837df861 | idiv ecx // 7c08 | mov edx, dword ptr [ebp - 0x7ac] // 837df87a | mov al, byte ptr [edx] // 7f02 | mov byte ptr [ebp - 0x79c], al $sequence_39 = { c1e91f 03d1 6bd21a 2bf2 } // n = 4, score = 100 // c1e91f | dec eax // 03d1 | lea ecx, dword ptr [esp + 0x20] // 6bd21a | dec eax // 2bf2 | lea ecx, dword ptr [0x7f0f] $sequence_40 = { 488d15b5540000 458d41ca 488d4dd0 ff15???????? 41b944000000 } // n = 5, score = 100 // 488d15b5540000 | dec eax // 458d41ca | mov ecx, ebx // 488d4dd0 | dec eax // ff15???????? | // 41b944000000 | lea edx, dword ptr [0xf1de] $sequence_41 = { 0f848e000000 6a00 6a00 6a00 68???????? 85c0 6a00 } // n = 7, score = 100 // 0f848e000000 | mov ecx, 7 // 6a00 | idiv ecx // 6a00 | mov dword ptr [esp + 0x44], ecx // 6a00 | mov byte ptr [esp + 0x18], 0x51 // 68???????? | // 85c0 | mov byte ptr [esp + 0x19], 0xf0 // 6a00 | mov byte ptr [esp + 0x1a], 0xf4 $sequence_42 = { 68???????? 56 89853cf7ffff ff15???????? 68???????? 56 } // n = 6, score = 100 // 68???????? | // 56 | push esi // 89853cf7ffff | mov dword ptr [ebp - 0x8c4], eax // ff15???????? | // 68???????? | // 56 | push esi $sequence_43 = { 0305???????? 3bc1 0f8f8a000000 f605????????04 745d 33d2 488d44246c } // n = 7, score = 100 // 0305???????? | // 3bc1 | mov ecx, 0x4a // 0f8f8a000000 | dec eax // f605????????04 | // 745d | lea edx, dword ptr [0x5175] // 33d2 | inc ebp // 488d44246c | lea eax, dword ptr [ecx - 0x1c] condition: 7 of them and filesize < 860160 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
