Actor(s): Lazarus Group
There is no description at this point.
rule win_bankshot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-05-30" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.4.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot" malpedia_rule_date = "20200529" malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8" malpedia_version = "20200529" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8b0d???????? 51 8b0d???????? e8???????? } // n = 4, score = 200 // 8b0d???????? | // 51 | dec ebx // 8b0d???????? | // e8???????? | $sequence_1 = { e9???????? 57 33ff 8bcf 8bc7 894de4 3998c0e10110 } // n = 7, score = 200 // e9???????? | // 57 | lea ecx, [ecx + 2] // 33ff | lock xadd dword ptr [eax], ebx // 8bcf | dec ebx // 8bc7 | jne 0x1f // 894de4 | mov eax, dword ptr [ebp - 4] // 3998c0e10110 | cmp dword ptr [eax + 0x48], 0x1001e4b8 $sequence_2 = { e8???????? 83c404 e8???????? 99 f7fe } // n = 5, score = 200 // e8???????? | // 83c404 | push 0x100001 // e8???????? | // 99 | push 0x12c // f7fe | mov eax, dword ptr [esi + 0xc] $sequence_3 = { 6801001000 ff15???????? 85c0 7441 6a00 50 ff15???????? } // n = 7, score = 200 // 6801001000 | sbb ecx, ecx // ff15???????? | // 85c0 | and ecx, 0x803000 // 7441 | push ecx // 6a00 | lea ecx, [ebp - 0x2c] // 50 | push eax // ff15???????? | $sequence_4 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 } // n = 7, score = 200 // e8???????? | // 83c404 | and dword ptr [eax + 0x34c], 0 // 89861c020000 | mov eax, dword ptr [ebp - 4] // 8b45e0 | mov eax, dword ptr [eax + 0x48] // 8d4e0c | lock xadd dword ptr [eax], ebx // 6a06 | dec ebx // 8d90c4e10110 | jne 0x1c $sequence_5 = { 53 6aff 56 6a00 ff15???????? } // n = 5, score = 200 // 53 | je 0x4d // 6aff | mov eax, dword ptr [esi + 0xc] // 56 | test eax, eax // 6a00 | je 0x11 // ff15???????? | $sequence_6 = { 50 8913 ff15???????? 56 ff15???????? 8bc7 } // n = 6, score = 200 // 50 | push eax // 8913 | mov ebx, eax // ff15???????? | // 56 | push ebx // ff15???????? | // 8bc7 | push 1 $sequence_7 = { e8???????? 83c40c e8???????? 99 b907000000 f7f9 } // n = 6, score = 200 // e8???????? | // 83c40c | pop ecx // e8???????? | // 99 | mov dword ptr [eax + 0x48], 0x1001e4b8 // b907000000 | lea edx, [eax + 0x1001e1c4] // f7f9 | pop edi $sequence_8 = { 50 e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 8945e4 } // n = 7, score = 200 // 50 | jne 0x1c // e8???????? | // 83c40c | mov eax, dword ptr [ebp - 4] // 6b45e430 | cmp dword ptr [eax + 0x48], 0x1001e4b8 // 8945e0 | add esp, 0xc // 8d80d0e10110 | imul eax, dword ptr [ebp - 0x1c], 0x30 // 8945e4 | mov dword ptr [ebp - 0x20], eax $sequence_9 = { 817848b8e40110 7409 ff7048 e8???????? 59 } // n = 5, score = 200 // 817848b8e40110 | or byte ptr [esi + edx + 0x19], al // 7409 | imul eax, dword ptr [ebp - 0x1c], 0x30 // ff7048 | mov dword ptr [ebp - 0x20], eax // e8???????? | // 59 | lea eax, [eax + 0x1001e1d0] $sequence_10 = { c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 } // n = 6, score = 200 // c700???????? | // 8b4508 | mov al, byte ptr [edi + 0x1001e1bc] // 898850030000 | test ebx, ebx // 8b4508 | jne 9 // 59 | mov dword ptr [esi + 0x34], 0x10017b0c // c74048b8e40110 | push edi $sequence_11 = { 5b c3 ff15???????? 5f 5e b801000000 } // n = 6, score = 200 // 5b | push eax // c3 | push ebx // ff15???????? | // 5f | push 1 // 5e | push 0x100001 // b801000000 | test eax, eax $sequence_12 = { c74048b8e40110 8b4508 6689486c 8b4508 66898872010000 8b4508 83a04c03000000 } // n = 7, score = 200 // c74048b8e40110 | mov dword ptr [ebp - 0x1c], eax // 8b4508 | lea eax, [eax + 0x1001e1d0] // 6689486c | mov dword ptr [ebp - 0x1c], eax // 8b4508 | cmp byte ptr [eax], 0 // 66898872010000 | mov ecx, eax // 8b4508 | je 0x48 // 83a04c03000000 | mov al, byte ptr [ecx + 1] $sequence_13 = { 7418 6a08 68???????? 56 e8???????? 83c40c 85c0 } // n = 7, score = 200 // 7418 | lea eax, [esp + 0x381c] // 6a08 | push eax // 68???????? | // 56 | push esi // e8???????? | // 83c40c | mov ecx, dword ptr [ebp - 8] // 85c0 | mov edi, eax $sequence_14 = { 8a87bce10110 08441619 42 0fb64101 3bd0 76e5 83c102 } // n = 7, score = 200 // 8a87bce10110 | lea edx, [eax + 0x1001e1c4] // 08441619 | pop edi // 42 | mov ax, word ptr [edx] // 0fb64101 | lea edx, [edx + 2] // 3bd0 | mov word ptr [ecx], ax // 76e5 | push edi // 83c102 | xor edi, edi $sequence_15 = { 6a06 8d90c4e10110 5f 668b02 8d5202 } // n = 5, score = 200 // 6a06 | mov eax, dword ptr [ebp + 8] // 8d90c4e10110 | pop ecx // 5f | mov dword ptr [eax + 0x48], 0x1001e4b8 // 668b02 | cmp dword ptr [eax + 0x48], 0x1001e4b8 // 8d5202 | je 0x12 $sequence_16 = { ff15???????? 8b460c 8b3d???????? 85c0 740a 50 ffd7 } // n = 7, score = 200 // ff15???????? | // 8b460c | test eax, eax // 8b3d???????? | // 85c0 | je 0x28 // 740a | push 8 // 50 | push 0x100001 // ffd7 | test eax, eax $sequence_17 = { e8???????? 83c404 8bd8 53 6a01 } // n = 5, score = 200 // e8???????? | // 83c404 | push 8 // 8bd8 | lea eax, [esp + 0x10cc] // 53 | mov dword ptr [esp + 0x20], 0 // 6a01 | je 0x1a $sequence_18 = { 3d00040000 0f8712010000 c684056cf7ffff00 81bd64f7ffff09303b00 0f85fa000000 } // n = 5, score = 100 // 3d00040000 | dec eax // 0f8712010000 | mov ecx, dword ptr [esp + 0x140] // c684056cf7ffff00 | dec eax // 81bd64f7ffff09303b00 | xor ecx, esp // 0f85fa000000 | dec eax $sequence_19 = { 8b8544f8ffff 8985dcf7ffff 8b8d2cf8ffff 8a11 88956ef8ffff } // n = 5, score = 100 // 8b8544f8ffff | add esp, 0xc // 8985dcf7ffff | cdq // 8b8d2cf8ffff | mov ecx, 7 // 8a11 | add esp, 0xc // 88956ef8ffff | cdq $sequence_20 = { 33d2 41b803010000 4088b580010000 e8???????? 8d563a 488bcb ff15???????? } // n = 7, score = 100 // 33d2 | cmp dword ptr [ebx + 4], eax // 41b803010000 | jg 0xffffff74 // 4088b580010000 | mov eax, 1 // e8???????? | // 8d563a | xor edx, edx // 488bcb | inc ecx // ff15???????? | $sequence_21 = { ff74240c 8d84241c380000 50 56 } // n = 4, score = 100 // ff74240c | mov dword ptr [ebp - 0xd98], eax // 8d84241c380000 | lea edx, [ecx + 1] // 50 | mov dword ptr [ebx], 0 // 56 | lea eax, [esi + 0x2050] $sequence_22 = { 7410 33d2 ff15???????? 83f8ff 7510 488bcd } // n = 6, score = 100 // 7410 | mov eax, 0x103 // 33d2 | inc eax // ff15???????? | // 83f8ff | mov byte ptr [ebp + 0x180], dh // 7510 | lea edx, [esi + 0x3a] // 488bcd | dec eax $sequence_23 = { 89742420 eb08 c744242000000000 68???????? ff15???????? 85c0 } // n = 6, score = 100 // 89742420 | add esp, 0x150 // eb08 | push eax // c744242000000000 | call ebx // 68???????? | // ff15???????? | // 85c0 | lea ecx, [ebp - 0x54] $sequence_24 = { 750e 0fb744243a 394304 0f8f6bffffff b801000000 } // n = 5, score = 100 // 750e | mov ecx, ebp // 0fb744243a | dec eax // 394304 | mov ecx, eax // 0f8f6bffffff | jne 0x10 // b801000000 | movzx eax, word ptr [esp + 0x3a] $sequence_25 = { 8b4df8 8bf8 85ff 75d3 } // n = 4, score = 100 // 8b4df8 | push eax // 8bf8 | call dword ptr [ebp - 0x34] // 85ff | push 0xf24 // 75d3 | test eax, eax $sequence_26 = { 68???????? 53 89459c ffd7 } // n = 4, score = 100 // 68???????? | // 53 | je 0x54 // 89459c | cmp eax, 0x400 // ffd7 | ja 0x142 $sequence_27 = { 894c2420 ff15???????? 488bc8 ff15???????? eb07 } // n = 5, score = 100 // 894c2420 | dec eax // ff15???????? | // 488bc8 | mov ecx, ebp // ff15???????? | // eb07 | dec eax $sequence_28 = { 4d8bc6 ba5c341200 498bcd e8???????? e9???????? 488bc8 ff15???????? } // n = 7, score = 100 // 4d8bc6 | dec ebp // ba5c341200 | mov eax, esi // 498bcd | mov edx, 0x12345c // e8???????? | // e9???????? | // 488bc8 | dec ecx // ff15???????? | $sequence_29 = { 6bc03c 0305???????? 3bc2 7f13 8b05???????? 6bc03c 0305???????? } // n = 7, score = 100 // 6bc03c | test eax, eax // 0305???????? | // 3bc2 | jne 0x2d9 // 7f13 | inc esp // 8b05???????? | // 6bc03c | lea ecx, [eax + 0x68] // 0305???????? | $sequence_30 = { 51 8d95f4fdffff 52 8b4d0c e8???????? } // n = 5, score = 100 // 51 | mov byte ptr [ebp - 0x792], dl // 8d95f4fdffff | jle 0x14 // 52 | xor eax, eax // 8b4d0c | jmp 0x3f // e8???????? | $sequence_31 = { 68???????? 50 ffd3 8d4dac 898568f2ffff 8d5101 } // n = 6, score = 100 // 68???????? | // 50 | inc ecx // ffd3 | mov eax, 0x100 // 8d4dac | dec eax // 898568f2ffff | mov ecx, esi // 8d5101 | imul eax, eax, 0x3c $sequence_32 = { 1bc9 81e100308000 51 8d4dd4 } // n = 4, score = 100 // 1bc9 | mov byte ptr [ebp + eax - 0x894], 0 // 81e100308000 | cmp dword ptr [ebp - 0x89c], 0x3b3009 // 51 | jne 0x142 // 8d4dd4 | mov dword ptr [esp + 0x20], esi $sequence_33 = { 8d95e8f8ffff 52 8b4d10 e8???????? 85c0 } // n = 5, score = 100 // 8d95e8f8ffff | mov eax, dword ptr [ebp - 0x7bc] // 52 | mov dword ptr [ebp - 0x824], eax // 8b4d10 | mov ecx, dword ptr [ebp - 0x7d4] // e8???????? | // 85c0 | mov dl, byte ptr [ecx] $sequence_34 = { 488d55e0 488bcb ff15???????? 4885c0 0f85c9020000 448d4868 } // n = 6, score = 100 // 488d55e0 | mov ecx, ebx // 488bcb | je 0x12 // ff15???????? | // 4885c0 | xor edx, edx // 0f85c9020000 | cmp eax, -1 // 448d4868 | jne 0x19 $sequence_35 = { 7e04 33c0 eb2b 8b5508 0fbf4204 85c0 7e1b } // n = 7, score = 100 // 7e04 | mov ecx, 7 // 33c0 | add esp, 0xc // eb2b | cdq // 8b5508 | mov ecx, 7 // 0fbf4204 | idiv ecx // 85c0 | push ecx // 7e1b | mov edx, esi $sequence_36 = { 8bd6 c1fa06 6bc830 8b0495c8887100 8a440828 a848 7404 } // n = 7, score = 100 // 8bd6 | jne 0x18 // c1fa06 | mov eax, dword ptr [ebp - 4] // 6bc830 | cmp dword ptr [eax + 0x48], 0x1001e4b8 // 8b0495c8887100 | add esp, 0xc // 8a440828 | cdq // a848 | mov ecx, 7 // 7404 | idiv ecx $sequence_37 = { 50 e8???????? 83c404 83bd88f8ffff00 740d 8b8d88f8ffff 51 } // n = 7, score = 100 // 50 | sar edx, 6 // e8???????? | // 83c404 | imul ecx, eax, 0x30 // 83bd88f8ffff00 | mov eax, dword ptr [edx*4 + 0x7188c8] // 740d | mov al, byte ptr [eax + ecx + 0x28] // 8b8d88f8ffff | test al, 0x48 // 51 | je 0x19 $sequence_38 = { 0f857c010000 33d2 41b800010000 488bce e8???????? } // n = 5, score = 100 // 0f857c010000 | lea edx, [ebp - 0x20] // 33d2 | dec eax // 41b800010000 | mov ecx, ebx // 488bce | dec eax // e8???????? | $sequence_39 = { c70300000000 8d8650200000 50 ff55cc 68240f0000 85c0 742f } // n = 7, score = 100 // c70300000000 | cmp eax, edx // 8d8650200000 | jg 0x1a // 50 | imul eax, eax, 0x3c // ff55cc | dec eax // 68240f0000 | lea eax, [0xa478] // 85c0 | mov dword ptr [eax + ebx*4], 0 // 742f | xor eax, eax condition: 7 of them and filesize < 860160 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY