Actor(s): Lazarus Group
There is no description at this point.
rule win_bankshot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-11-21" version = "1" description = "Detects win.bankshot." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot" malpedia_rule_date = "20221118" malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af" malpedia_version = "20221125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8bf8 8d5101 8a01 41 84c0 75f9 57 } // n = 7, score = 300 // 8bf8 | mov edi, eax // 8d5101 | lea edx, [ecx + 1] // 8a01 | mov al, byte ptr [ecx] // 41 | inc ecx // 84c0 | test al, al // 75f9 | jne 0xfffffffb // 57 | push edi $sequence_1 = { 8bec 81ec48040000 a1???????? 33c5 8945f8 53 } // n = 6, score = 300 // 8bec | mov ebp, esp // 81ec48040000 | sub esp, 0x448 // a1???????? | // 33c5 | xor eax, ebp // 8945f8 | mov dword ptr [ebp - 8], eax // 53 | push ebx $sequence_2 = { 0f85a5010000 c7856038ffff01000000 e9???????? ff15???????? } // n = 4, score = 200 // 0f85a5010000 | mov dword ptr [ebp - 0x208], edx // c7856038ffff01000000 | jmp 0xffffffa3 // e9???????? | // ff15???????? | $sequence_3 = { 6a00 68e9fd0000 ff15???????? 33c0 66890477 8d85ec7dffff 68???????? } // n = 7, score = 200 // 6a00 | sub esp, 0x448 // 68e9fd0000 | xor eax, ebp // ff15???????? | // 33c0 | mov dword ptr [ebp - 8], eax // 66890477 | push ebx // 8d85ec7dffff | mov ebp, esp // 68???????? | $sequence_4 = { 8a87bce10110 08441619 42 0fb64101 3bd0 } // n = 5, score = 200 // 8a87bce10110 | mov eax, dword ptr [ebp + 8] // 08441619 | mov word ptr [eax + 0x172], cx // 42 | mov eax, dword ptr [ebp + 8] // 0fb64101 | and dword ptr [eax + 0x34c], 0 // 3bd0 | jae 0x15 $sequence_5 = { 33cc e8???????? 8be5 5d c3 8b8c2494010000 b801000000 } // n = 7, score = 200 // 33cc | push ebx // e8???????? | // 8be5 | push ebp // 5d | mov ebp, esp // c3 | sub esp, 0x448 // 8b8c2494010000 | xor eax, ebp // b801000000 | mov dword ptr [ebp - 8], eax $sequence_6 = { e8???????? 83c404 89861c020000 8b45e0 8d4e0c 6a06 8d90c4e10110 } // n = 7, score = 200 // e8???????? | // 83c404 | mov dword ptr [ebp - 0x1c], ecx // 89861c020000 | cmp dword ptr [eax + 0x1001e1c0], ebx // 8b45e0 | je 0xf9 // 8d4e0c | inc ecx // 6a06 | add eax, 0x30 // 8d90c4e10110 | mov eax, edi $sequence_7 = { 0fb611 0fb6c0 eb17 81fa00010000 7313 8a87bce10110 } // n = 6, score = 200 // 0fb611 | movzx eax, al // 0fb6c0 | jmp 0x19 // eb17 | cmp edx, 0x100 // 81fa00010000 | jae 0x1b // 7313 | mov al, byte ptr [edi + 0x1001e1bc] // 8a87bce10110 | or byte ptr [esi + edx + 0x19], al $sequence_8 = { 0f11840de43fffff 0f10840df43fffff 660fefc1 0f11840df43fffff 83c120 } // n = 5, score = 200 // 0f11840de43fffff | mov al, byte ptr [ecx] // 0f10840df43fffff | inc ecx // 660fefc1 | test al, al // 0f11840df43fffff | jne 3 // 83c120 | push edi $sequence_9 = { 83c40c e8???????? 99 b907000000 } // n = 4, score = 200 // 83c40c | mov al, byte ptr [edi + 0x1001e1bc] // e8???????? | // 99 | or byte ptr [esi + edx + 0x19], al // b907000000 | inc edx $sequence_10 = { 8b4508 c700???????? 8b4508 898850030000 8b4508 59 c74048b8e40110 } // n = 7, score = 200 // 8b4508 | movzx eax, byte ptr [ecx + 1] // c700???????? | // 8b4508 | push edi // 898850030000 | xor edi, edi // 8b4508 | mov ecx, edi // 59 | mov eax, edi // c74048b8e40110 | mov dword ptr [ebp - 0x1c], ecx $sequence_11 = { e9???????? 57 33ff 8bcf 8bc7 894de4 3998c0e10110 } // n = 7, score = 200 // e9???????? | // 57 | jae 0x1b // 33ff | mov al, byte ptr [edi + 0x1001e1bc] // 8bcf | mov eax, dword ptr [ebp + 8] // 8bc7 | pop ecx // 894de4 | mov dword ptr [eax + 0x48], 0x1001e4b8 // 3998c0e10110 | mov eax, dword ptr [ebp + 8] $sequence_12 = { a0???????? 88856638ffff ff15???????? 8a8d6438ffff } // n = 4, score = 200 // a0???????? | // 88856638ffff | mov edi, eax // ff15???????? | // 8a8d6438ffff | lea edx, [ecx + 1] $sequence_13 = { 8b45fc 817848b8e40110 7409 ff7048 e8???????? 59 } // n = 6, score = 200 // 8b45fc | mov dword ptr [ebp - 0x1c], eax // 817848b8e40110 | cmp byte ptr [eax], 0 // 7409 | mov ecx, eax // ff7048 | je 0x3f // e8???????? | // 59 | mov al, byte ptr [ecx + 1] $sequence_14 = { 6915????????04010000 81c2???????? e8???????? 83c404 85c0 0f8427040000 } // n = 6, score = 200 // 6915????????04010000 | // 81c2???????? | // e8???????? | // 83c404 | sub esp, 0x448 // 85c0 | xor eax, ebp // 0f8427040000 | mov dword ptr [ebp - 8], eax $sequence_15 = { 50 e8???????? 83c40c 6b45e430 8945e0 8d80d0e10110 } // n = 6, score = 200 // 50 | cmp cl, 0x79 // e8???????? | // 83c40c | jg 0x14 // 6b45e430 | test eax, eax // 8945e0 | jne 0xffffff15 // 8d80d0e10110 | lea eax, [ebx + 5] $sequence_16 = { c74048b8e40110 8b4508 6689486c 8b4508 } // n = 4, score = 200 // c74048b8e40110 | pop ecx // 8b4508 | mov dword ptr [eax + 0x48], 0x1001e4b8 // 6689486c | mov eax, dword ptr [ebp + 8] // 8b4508 | mov word ptr [eax + 0x6c], cx $sequence_17 = { 6a00 8b95acf7ffff 52 ff15???????? 89859cf7ffff } // n = 5, score = 100 // 6a00 | add esp, 0xc // 8b95acf7ffff | cdq // 52 | mov ecx, 7 // ff15???????? | // 89859cf7ffff | add esp, 0xc $sequence_18 = { 488b05???????? 4833c4 488985a0030000 33f6 4c8bf9 4d8be8 } // n = 6, score = 100 // 488b05???????? | // 4833c4 | dec eax // 488985a0030000 | mov ecx, ebx // 33f6 | mov edx, dword ptr [ebx + 0x1afb0] // 4c8bf9 | dec eax // 4d8be8 | lea ecx, [0x7b38] $sequence_19 = { 488b442428 488b7c2438 4883c004 ffc6 4889442428 3bf3 0f8244ffffff } // n = 7, score = 100 // 488b442428 | test eax, eax // 488b7c2438 | je 0x8b // 4883c004 | dec eax // ffc6 | mov eax, dword ptr [esp + 0x28] // 4889442428 | dec eax // 3bf3 | mov edi, dword ptr [esp + 0x38] // 0f8244ffffff | dec eax $sequence_20 = { 488d542444 4d8bcd 448bc7 498bcf c744242001000000 } // n = 5, score = 100 // 488d542444 | dec eax // 4d8bcd | mov ecx, eax // 448bc7 | dec eax // 498bcf | xor eax, esp // c744242001000000 | dec eax $sequence_21 = { 8917 894704 8b442448 33c9 40 33d2 } // n = 6, score = 100 // 8917 | mov ecx, 7 // 894704 | idiv ecx // 8b442448 | add esp, 0xc // 33c9 | cdq // 40 | mov ecx, 7 // 33d2 | add esp, 0xc $sequence_22 = { 68???????? 52 50 e8???????? 83c41c f7d8 } // n = 6, score = 100 // 68???????? | // 52 | idiv ecx // 50 | test eax, eax // e8???????? | // 83c41c | mov dword ptr [esp + 0x18], edi // f7d8 | jle 0xc3 $sequence_23 = { 83c201 899598f8ffff 80bdbbf8ffff00 75bd 8d85fcfdffff } // n = 5, score = 100 // 83c201 | idiv ecx // 899598f8ffff | xor eax, eax // 80bdbbf8ffff00 | mov edx, dword ptr [ebp - 0xc08] // 75bd | cmp dword ptr [edx + 4], 0 // 8d85fcfdffff | test eax, eax $sequence_24 = { 89954cf3ffff 8b854cf3ffff 8a4801 888dadf3ffff } // n = 4, score = 100 // 89954cf3ffff | mov dword ptr [ebp - 0x20], eax // 8b854cf3ffff | lea eax, [eax + 0x1001e1d0] // 8a4801 | mov dword ptr [ebp - 0x1c], eax // 888dadf3ffff | cmp byte ptr [eax], 0 $sequence_25 = { 410fb60b 80f962 7c0f 80f979 7f0a } // n = 5, score = 100 // 410fb60b | mov dword ptr [ebp + 0x3a0], eax // 80f962 | xor esi, esi // 7c0f | dec esp // 80f979 | mov edi, ecx // 7f0a | dec ebp $sequence_26 = { 68???????? ff15???????? 85c0 7e11 68???????? } // n = 5, score = 100 // 68???????? | // ff15???????? | // 85c0 | pop ecx // 7e11 | imul eax, dword ptr [ebp - 0x1c], 0x30 // 68???????? | $sequence_27 = { 33d2 41b800040000 e8???????? 488d4c2450 33d2 41b804010000 } // n = 6, score = 100 // 33d2 | dec eax // 41b800040000 | lea edx, [ebx + 0x914] // e8???????? | // 488d4c2450 | mov edx, 0x12345c // 33d2 | dec ecx // 41b804010000 | mov ecx, ebp $sequence_28 = { 6a00 51 68e0ff0300 52 56 ff15???????? } // n = 6, score = 100 // 6a00 | cdq // 51 | mov ecx, 7 // 68e0ff0300 | add esp, 0xc // 52 | cdq // 56 | mov ecx, 7 // ff15???????? | $sequence_29 = { 50 57 ffd6 85c0 755f 8bf7 0f1f840000000000 } // n = 7, score = 100 // 50 | push eax // 57 | push edi // ffd6 | call esi // 85c0 | test eax, eax // 755f | jne 0x61 // 8bf7 | mov esi, edi // 0f1f840000000000 | nop dword ptr [eax + eax] $sequence_30 = { 56 57 68???????? 8bf9 899dd8f3ffff ffd3 68???????? } // n = 7, score = 100 // 56 | push esi // 57 | push edi // 68???????? | // 8bf9 | mov edi, ecx // 899dd8f3ffff | mov dword ptr [ebp - 0xc28], ebx // ffd3 | call ebx // 68???????? | $sequence_31 = { 68???????? 50 ff95dcf3ffff 8d8df8f3ffff 8bd8 } // n = 5, score = 100 // 68???????? | // 50 | push eax // ff95dcf3ffff | call dword ptr [ebp - 0xc24] // 8d8df8f3ffff | lea ecx, [ebp - 0xc08] // 8bd8 | mov ebx, eax $sequence_32 = { ff750c 33c0 394510 0f95c0 50 e8???????? 99 } // n = 7, score = 100 // ff750c | push dword ptr [ebp + 0xc] // 33c0 | xor eax, eax // 394510 | cmp dword ptr [ebp + 0x10], eax // 0f95c0 | setne al // 50 | push eax // e8???????? | // 99 | cdq $sequence_33 = { 33c0 e9???????? 8b95f8f3ffff 837a0400 } // n = 4, score = 100 // 33c0 | cmp dword ptr [eax + 0x48], 0x1001e4b8 // e9???????? | // 8b95f8f3ffff | je 0x15 // 837a0400 | push dword ptr [eax + 0x48] $sequence_34 = { 85c0 897c2418 0f8ebd000000 33db 3bf3 0f84b3000000 33c0 } // n = 7, score = 100 // 85c0 | mov word ptr [eax + 0x6c], cx // 897c2418 | mov eax, dword ptr [ebp + 8] // 0f8ebd000000 | mov word ptr [eax + 0x172], cx // 33db | mov eax, dword ptr [ebp + 8] // 3bf3 | imul eax, dword ptr [ebp - 0x1c], 0x30 // 0f84b3000000 | mov dword ptr [ebp - 0x20], eax // 33c0 | lea eax, [eax + 0x1001e1d0] $sequence_35 = { c744242400000000 8b4704 8b1f 89442434 ff15???????? 8be8 } // n = 6, score = 100 // c744242400000000 | mov dword ptr [ebp - 0x1c], eax // 8b4704 | cmp byte ptr [eax], 0 // 8b1f | mov ecx, eax // 89442434 | add esp, 0xc // ff15???????? | // 8be8 | cdq $sequence_36 = { 396c2414 7423 b98b000000 33c0 } // n = 4, score = 100 // 396c2414 | xor ebx, ebx // 7423 | cmp esi, ebx // b98b000000 | je 0xc3 // 33c0 | xor eax, eax $sequence_37 = { ba5c341200 498bcd e8???????? e9???????? 488bc8 } // n = 5, score = 100 // ba5c341200 | jb 0xffffff51 // 498bcd | dec eax // e8???????? | // e9???????? | // 488bc8 | lea edx, [ebx + 0x20] $sequence_38 = { 51 ff15???????? 2385c0f3ffff 8985c0f3ffff 8b95ccf3ffff } // n = 5, score = 100 // 51 | cdq // ff15???????? | // 2385c0f3ffff | mov ecx, 7 // 8985c0f3ffff | idiv ecx // 8b95ccf3ffff | add esp, 0xc $sequence_39 = { eb05 4a8d543202 ff15???????? 4885c0 0f8482000000 } // n = 5, score = 100 // eb05 | jmp 7 // 4a8d543202 | dec edx // ff15???????? | // 4885c0 | lea edx, [edx + esi + 2] // 0f8482000000 | dec eax $sequence_40 = { e8???????? 68f0000000 8d83300e0000 6a00 } // n = 4, score = 100 // e8???????? | // 68f0000000 | push 0xf0 // 8d83300e0000 | lea eax, [ebx + 0xe30] // 6a00 | push 0 $sequence_41 = { 8bb5dcf2ffff 8b95d8f2ffff 8bca c1e902 f3a5 8bca } // n = 6, score = 100 // 8bb5dcf2ffff | jle 0x13 // 8b95d8f2ffff | mov dword ptr [ebp - 0xcb4], edx // 8bca | mov eax, dword ptr [ebp - 0xcb4] // c1e902 | mov cl, byte ptr [eax + 1] // f3a5 | mov byte ptr [ebp - 0xc53], cl // 8bca | lea eax, [ebp - 0x2290] $sequence_42 = { 66894c247a 0f57c0 66894c2468 8d8c2480000000 51 8d4c243c 660f13442440 } // n = 7, score = 100 // 66894c247a | mov word ptr [esp + 0x7a], cx // 0f57c0 | xorps xmm0, xmm0 // 66894c2468 | mov word ptr [esp + 0x68], cx // 8d8c2480000000 | lea ecx, [esp + 0x80] // 51 | push ecx // 8d4c243c | lea ecx, [esp + 0x3c] // 660f13442440 | movlpd qword ptr [esp + 0x40], xmm0 $sequence_43 = { 488d5320 488bcb e8???????? 8b93b0af0100 488d0d387b0000 e8???????? 488d9314090000 } // n = 7, score = 100 // 488d5320 | add eax, 4 // 488bcb | inc esi // e8???????? | // 8b93b0af0100 | dec eax // 488d0d387b0000 | mov dword ptr [esp + 0x28], eax // e8???????? | // 488d9314090000 | cmp esi, ebx $sequence_44 = { 88542458 c644245978 c644245ae1 c644245bdd c744240484140000 0f848d000000 } // n = 6, score = 100 // 88542458 | mov dword ptr [esp + 0x24], 0 // c644245978 | mov eax, dword ptr [edi + 4] // c644245ae1 | mov ebx, dword ptr [edi] // c644245bdd | mov dword ptr [esp + 0x34], eax // c744240484140000 | mov ebp, eax // 0f848d000000 | mov dword ptr [edi], edx condition: 7 of them and filesize < 860160 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY