Actor(s): Lazarus Group
There is no description at this point.
rule win_bankshot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-01-25" version = "1" description = "Detects win.bankshot." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot" malpedia_rule_date = "20230124" malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686" malpedia_version = "20230125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 81ec48040000 a1???????? 33c5 8945f8 53 } // n = 5, score = 300 // 81ec48040000 | dec eax // a1???????? | // 33c5 | add esi, 4 // 8945f8 | dec ecx // 53 | dec ebp $sequence_1 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 } // n = 7, score = 300 // 8bf8 | xor eax, esp // 8d5101 | dec eax // 8a01 | mov dword ptr [esp + 0x40], eax // 41 | dec eax // 84c0 | mov ebx, ecx // 75f9 | dec eax // 57 | mov dword ptr [esp + 0x28], edx $sequence_2 = { e9???????? 57 33ff 8bcf 8bc7 894de4 3998c0e10110 } // n = 7, score = 200 // e9???????? | // 57 | lea edx, [eax + 0x1001e1c4] // 33ff | pop edi // 8bcf | lea edx, [eax + 0x1001e1c4] // 8bc7 | pop edi // 894de4 | mov ax, word ptr [edx] // 3998c0e10110 | lea edx, [edx + 2] $sequence_3 = { 85d2 7e6a 83fa20 724a 251f000080 } // n = 5, score = 200 // 85d2 | mov ebp, esp // 7e6a | sub esp, 0x448 // 83fa20 | xor eax, ebp // 724a | mov dword ptr [ebp - 8], eax // 251f000080 | push ebx $sequence_4 = { 4b 7515 8b45fc 817848b8e40110 7409 ff7048 e8???????? } // n = 7, score = 200 // 4b | pop ecx // 7515 | mov dword ptr [eax + 0x48], 0x1001e4b8 // 8b45fc | mov eax, dword ptr [ebp + 8] // 817848b8e40110 | mov word ptr [eax + 0x6c], cx // 7409 | mov eax, dword ptr [ebp + 8] // ff7048 | jmp 0x19 // e8???????? | $sequence_5 = { e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 } // n = 5, score = 200 // e8???????? | // 83c40c | or byte ptr [esi + edx + 0x19], al // 6b45e430 | inc edx // 8945e0 | movzx eax, byte ptr [ecx + 1] // 8d80d0e10110 | cmp edx, eax $sequence_6 = { 8d85ecfdffff 50 ff15???????? 8b35???????? b92e000000 } // n = 5, score = 200 // 8d85ecfdffff | xor eax, ebp // 50 | mov dword ptr [ebp - 8], eax // ff15???????? | // 8b35???????? | // b92e000000 | push ebx $sequence_7 = { e8???????? 83c40c e8???????? 99 b907000000 } // n = 5, score = 200 // e8???????? | // 83c40c | mov dword ptr [ebp - 0x20], esi // e8???????? | // 99 | mov dword ptr [ebp - 0x10], esi // b907000000 | mov dword ptr [ebp - 0xc], 0x10017dfc $sequence_8 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 } // n = 7, score = 200 // e8???????? | // 83c404 | mov word ptr [ecx], ax // 89861c020000 | mov dword ptr [eax + 0x48], 0x1001e4b8 // 8b45e0 | mov eax, dword ptr [ebp + 8] // 8d4e0c | mov word ptr [eax + 0x6c], cx // 6a06 | mov eax, dword ptr [ebp + 8] // 8d90c4e10110 | mov eax, dword ptr [ebp + 8] $sequence_9 = { 0f840e010000 680c400000 8d85e4bfffff 57 } // n = 4, score = 200 // 0f840e010000 | push eax // 680c400000 | mov dword ptr [ebp - 0xc7c0], eax // 8d85e4bfffff | mov eax, dword ptr [ebx + 8] // 57 | movups xmm0, xmmword ptr [ebp - 0xc7c8] $sequence_10 = { 50 6a00 68e9fd0000 ffd7 33c0 6800000020 } // n = 6, score = 200 // 50 | jne 3 // 6a00 | push edi // 68e9fd0000 | sub esp, 0x448 // ffd7 | xor eax, ebp // 33c0 | mov dword ptr [ebp - 8], eax // 6800000020 | push ebx $sequence_11 = { c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 8b4508 83a04c03000000 } // n = 7, score = 200 // c74048b8e40110 | mov dword ptr [ebp - 0x1c], ecx // 8b4508 | cmp dword ptr [eax + 0x1001e1c0], ebx // 6689486c | push 6 // 8b4508 | lea edx, [eax + 0x1001e1c4] // 66898872010000 | pop edi // 8b4508 | mov ax, word ptr [edx] // 83a04c03000000 | lea edx, [edx + 2] $sequence_12 = { 33c9 85d2 7e78 83fa20 7259 } // n = 5, score = 200 // 33c9 | mov edi, eax // 85d2 | lea edx, [ecx + 1] // 7e78 | mov al, byte ptr [ecx] // 83fa20 | inc ecx // 7259 | test al, al $sequence_13 = { 50 ff15???????? 89854038ffff 8b4308 0f10853838ffff c7854c38ffff01000000 56 } // n = 7, score = 200 // 50 | lea ecx, [ebp - 0x540] // ff15???????? | // 89854038ffff | mov dword ptr [ebp - 0x7d4], ecx // 8b4308 | lea edx, [ebp - 0x12c] // 0f10853838ffff | push ebp // c7854c38ffff01000000 | mov ebp, esp // 56 | sub esp, 0x448 $sequence_14 = { 8b4508 c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 } // n = 7, score = 200 // 8b4508 | mov word ptr [eax + 0x6c], cx // c700???????? | // 8b4508 | mov eax, dword ptr [ebp + 8] // 898850030000 | mov eax, dword ptr [eax + 0x48] // 8b4508 | lock xadd dword ptr [eax], ebx // 59 | dec ebx // c74048b8e40110 | jne 0x1c $sequence_15 = { 8bec 81ec280c0000 a1???????? 33c5 8945fc 898df8f3ffff } // n = 6, score = 100 // 8bec | mov eax, dword ptr [ebp - 4] // 81ec280c0000 | mov ecx, dword ptr [eax*4 + 0x7188c8] // a1???????? | // 33c5 | mov al, byte ptr [esi] // 8945fc | inc esi // 898df8f3ffff | mov byte ptr [ecx + edi + 0x2c], al $sequence_16 = { 8b842440020000 53 6a00 6a02 } // n = 4, score = 100 // 8b842440020000 | xor eax, eax // 53 | jmp 0x28 // 6a00 | push 4 // 6a02 | pop eax $sequence_17 = { 8b0c8dc87f0110 80643128fd 5f 5e } // n = 4, score = 100 // 8b0c8dc87f0110 | push ebx // 80643128fd | push ebp // 5f | mov ebp, esp // 5e | sub esp, 0x448 $sequence_18 = { 6a00 52 6802000080 ff15???????? 85c0 7541 } // n = 6, score = 100 // 6a00 | cdq // 52 | mov ecx, 7 // 6802000080 | idiv ecx // ff15???????? | // 85c0 | add esp, 0xc // 7541 | cdq $sequence_19 = { 50 6af6 ff15???????? 8b04bd80f10110 834c0318ff 33c0 eb16 } // n = 7, score = 100 // 50 | je 0x17 // 6af6 | mov ebx, dword ptr [ebp + 0x10] // ff15???????? | // 8b04bd80f10110 | mov eax, dword ptr [eax*4 + 0x1001f180] // 834c0318ff | push esi // 33c0 | mov esi, dword ptr [ebp + 8] // eb16 | push edi $sequence_20 = { 0fb74582 440fb75d80 418bd3 6bd23c 03d0 8b05???????? 6bc03c } // n = 7, score = 100 // 0fb74582 | xor eax, eax // 440fb75d80 | dec eax // 418bd3 | mov dword ptr [esp + 0x438], esi // 6bd23c | mov edx, 0x4008 // 03d0 | mov ecx, 0x40 // 8b05???????? | // 6bc03c | dec eax $sequence_21 = { 8b410c 56 85c0 894c2404 } // n = 4, score = 100 // 8b410c | imul eax, eax, 0 // 56 | mov ecx, dword ptr [ebp + 8] // 85c0 | mov dword ptr [eax + 0x1001ec0c], ecx // 894c2404 | add esp, 0xc $sequence_22 = { 41b800020000 e8???????? 488d542430 41b93f000f00 } // n = 4, score = 100 // 41b800020000 | shr ecx, 0x1f // e8???????? | // 488d542430 | add edx, ecx // 41b93f000f00 | inc ecx $sequence_23 = { 8d4c247c 8d94242c010000 51 6a01 6a00 } // n = 5, score = 100 // 8d4c247c | mov ecx, 7 // 8d94242c010000 | idiv ecx // 51 | add esp, 0xc // 6a01 | cdq // 6a00 | mov ecx, 7 $sequence_24 = { 8945e8 837e0c00 0f84af000000 8b5df0 85db 7516 5f } // n = 7, score = 100 // 8945e8 | xor eax, eax // 837e0c00 | mov dword ptr [esp + 0x10], eax // 0f84af000000 | xor esi, esi // 8b5df0 | mov dword ptr [esp + 0x30], 1 // 85db | xor eax, eax // 7516 | mov dword ptr [esp + 0x10], eax // 5f | mov ecx, dword ptr [ecx*4 + 0x10017fc8] $sequence_25 = { 4833c4 4889442440 488bd9 4889542428 488d542420 } // n = 5, score = 100 // 4833c4 | imul eax, eax, 0x3c // 4889442440 | nop dword ptr [eax] // 488bd9 | inc ecx // 4889542428 | movzx ecx, byte ptr [ebx] // 488d542420 | cmp cl, 0x62 $sequence_26 = { ffd3 6800080000 898560f2ffff 8d8570f2ffff 6a00 } // n = 5, score = 100 // ffd3 | mov ebp, esp // 6800080000 | sub esp, 0x448 // 898560f2ffff | xor eax, ebp // 8d8570f2ffff | mov dword ptr [ebp - 8], eax // 6a00 | push ebx $sequence_27 = { 85c0 750c ff15???????? 8985e4fcffff eb0c ff15???????? } // n = 6, score = 100 // 85c0 | and eax, 2 // 750c | add esp, 0xc // ff15???????? | // 8985e4fcffff | cdq // eb0c | mov ecx, 7 // ff15???????? | $sequence_28 = { 4533c9 4533c0 4889b42438040000 ff15???????? ba08400000 b940000000 ff15???????? } // n = 7, score = 100 // 4533c9 | mov eax, 0x200 // 4533c0 | dec eax // 4889b42438040000 | lea edx, [esp + 0x30] // ff15???????? | // ba08400000 | inc ecx // b940000000 | mov ecx, 0xf003f // ff15???????? | $sequence_29 = { 33c0 89442410 e9???????? 33f6 c744243001000000 33c0 89442410 } // n = 7, score = 100 // 33c0 | mov ecx, ebx // 89442410 | dec eax // e9???????? | // 33f6 | lea edx, [0xf30a] // c744243001000000 | sub esp, 0x448 // 33c0 | xor eax, ebp // 89442410 | mov dword ptr [ebp - 8], eax $sequence_30 = { 0f1f4000 410fb60b 80f962 7c0f } // n = 4, score = 100 // 0f1f4000 | lea edx, [0xf862] // 410fb60b | dec eax // 80f962 | lea ecx, [esp + 0x20] // 7c0f | cmp byte ptr [esp + 0x20], 0 $sequence_31 = { 83e03f 6bc830 8b0495c87f0110 8b440818 } // n = 4, score = 100 // 83e03f | xor eax, ebp // 6bc830 | mov dword ptr [ebp - 8], eax // 8b0495c87f0110 | push ebx // 8b440818 | mov edi, eax $sequence_32 = { a1???????? c705????????01000000 85c0 a1???????? 0f848e000000 6a00 } // n = 6, score = 100 // a1???????? | // c705????????01000000 | // 85c0 | cdq // a1???????? | // 0f848e000000 | mov ecx, 7 // 6a00 | add esp, 0xc $sequence_33 = { 8bf0 b84fecc44e f7ee c1fa03 8bca c1e91f 03d1 } // n = 7, score = 100 // 8bf0 | dec eax // b84fecc44e | lea ecx, [esp + 0x20] // f7ee | mov esi, eax // c1fa03 | mov eax, 0x4ec4ec4f // 8bca | imul esi // c1e91f | sar edx, 3 // 03d1 | mov ecx, edx $sequence_34 = { 0f8595fcffff 8b8d9cf8ffff 85c9 0f8413050000 8b3c8d54187100 85ff 755d } // n = 7, score = 100 // 0f8595fcffff | add esp, 0xc // 8b8d9cf8ffff | cdq // 85c9 | mov ecx, 7 // 0f8413050000 | idiv ecx // 8b3c8d54187100 | add esp, 0xc // 85ff | cdq // 755d | mov ecx, 7 $sequence_35 = { ff15???????? 488d1536f70000 488d4c2420 488905???????? } // n = 4, score = 100 // ff15???????? | // 488d1536f70000 | dec eax // 488d4c2420 | lea edx, [0xf736] // 488905???????? | $sequence_36 = { 8b45fc 8b0c85c8887100 8a06 46 8844392c 2bf2 } // n = 6, score = 100 // 8b45fc | mov eax, 1 // 8b0c85c8887100 | push ecx // 8a06 | add esp, 0x14 // 46 | neg eax // 8844392c | sbb eax, eax // 2bf2 | pop edi $sequence_37 = { c644241c60 c644241d77 c644241e3e c644241f76 } // n = 4, score = 100 // c644241c60 | push eax // c644241d77 | push -0xa // c644241e3e | mov eax, dword ptr [edi*4 + 0x1001f180] // c644241f76 | or dword ptr [ebx + eax + 0x18], 0xffffffff $sequence_38 = { 8d45d0 c745d020000000 50 8d45dc 50 6a05 } // n = 6, score = 100 // 8d45d0 | lea edx, [ecx + 1] // c745d020000000 | mov al, byte ptr [ecx] // 50 | inc ecx // 8d45dc | test al, al // 50 | jne 3 // 6a05 | push edi $sequence_39 = { c78564ddffff00000000 8b8564ddffff 8b4dfc 33cd } // n = 4, score = 100 // c78564ddffff00000000 | add esp, 0xc // 8b8564ddffff | cdq // 8b4dfc | mov ecx, 7 // 33cd | idiv ecx $sequence_40 = { 8bce 52 68???????? e8???????? b801000000 } // n = 5, score = 100 // 8bce | mov byte ptr [esp + 0x1c], 0x60 // 52 | mov byte ptr [esp + 0x1d], 0x77 // 68???????? | // e8???????? | // b801000000 | mov byte ptr [esp + 0x1e], 0x3e $sequence_41 = { dd00 ebc6 c745e0e8ba0110 e9???????? c745e0f0ba0110 e9???????? c745e0f8ba0110 } // n = 7, score = 100 // dd00 | movzx eax, byte ptr [ecx + 1] // ebc6 | lea edx, [eax + 0x1001e1c4] // c745e0e8ba0110 | pop edi // e9???????? | // c745e0f0ba0110 | mov ax, word ptr [edx] // e9???????? | // c745e0f8ba0110 | lea edx, [edx + 2] $sequence_42 = { 51 e8???????? 83c40c c785a0f9ffff24020000 8d95a0f9ffff } // n = 5, score = 100 // 51 | push 0 // e8???????? | // 83c40c | push 0 // c785a0f9ffff24020000 | push 0 // 8d95a0f9ffff | mov eax, dword ptr [ebp - 0x798] $sequence_43 = { ff15???????? 6a00 6a00 6a00 8b8568f8ffff } // n = 5, score = 100 // ff15???????? | // 6a00 | push 1 // 6a00 | push 0 // 6a00 | mov ecx, esi // 8b8568f8ffff | push edx $sequence_44 = { 41018274af0100 4883c604 49ffcd 0f8577ffffff 85d2 0f84f4000000 488d0dc0a60000 } // n = 7, score = 100 // 41018274af0100 | movzx eax, word ptr [ebp - 0x7e] // 4883c604 | inc esp // 49ffcd | movzx ebx, word ptr [ebp - 0x80] // 0f8577ffffff | inc ecx // 85d2 | mov edx, ebx // 0f84f4000000 | imul edx, edx, 0x3c // 488d0dc0a60000 | add edx, eax condition: 7 of them and filesize < 860160 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY