There is no description at this point.
/*
 * Code-sequence rule for win.betabot, produced by yara-signator.
 *
 * The byte patterns below were picked automatically from the disassembly
 * of memory dumps and unpacked samples (see the generator's own notice:
 * https://github.com/fxb-cocacoding/yara-signator).  Two caveats for
 * anyone deploying it:
 *   - Malpedia documents only a single sample for many families, so the
 *     generalisation of these patterns is unknown; assign confidence
 *     levels with the generation method in mind.
 *   - Every `??` below stands in for a relocation-dependent or
 *     jump-target byte, and the patterns come from unpacked code, so the
 *     rule is likely to fire on memory dumps / unpacked images rather
 *     than on packed samples at rest.
 */
rule win_betabot_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Each sequence is 7 instructions long (n = 7) and carried a
        // generator score of 400.  The trailing comments give the decoded
        // x86 instruction for each token; opcodes whose operand is masked
        // by `??` are shown by mnemonic only.

        // call rel32 ; mov edi, eax ; cmp edi, esi ; je rel8 ;
        // lea eax, [ebp - 8] ; push eax ; push esi
        $sequence_0 = { e8???????? 8bf8 3bfe 74?? 8d45f8 50 56 }

        // test eax, eax ; je rel8 ; push esi ; movsx esi, byte ptr [eax] ;
        // mov edx, dword ptr [ebp + 8] ; inc eax ; movsx ecx, byte ptr [edx]
        $sequence_1 = { 85c0 74?? 56 0fbe30 8b5508 40 0fbe0a }

        // Function prologue with a 0x228-byte frame:
        // mov ebp, esp ; mov eax, dword ptr [ebp + 8] ; sub esp, 0x228 ;
        // push ebx ; xor ebx, ebx ; push esi ; push edi
        $sequence_2 = { 8bec 8b4508 81ec28020000 53 33db 56 57 }

        // lea eax, [edx + ebx] ; lea esi, [ecx + 8] ; test edi, 0xfffffffe ;
        // jbe rel8 ; movzx edx, word ptr [esi] ; cmp edx, 1 ; jb rel8
        $sequence_3 = { 8d041a 8d7108 f7c7feffffff 76?? 0fb716 83fa01 72?? }

        // call rel32 ; xor eax, eax ; jmp rel32 ; push 0x157c0 ; call rel32 ;
        // mov dword ptr [ebp - 0x354], eax ; cmp dword ptr [ebp - 0x354], 0
        $sequence_4 = { e8???????? 33c0 e9???????? 68c0570100 e8???????? 8985acfcffff 83bdacfcffff00 }

        // lea eax, [ebp - 0x230] ; push eax ; mov eax, dword ptr [ebp - 0x35c] ;
        // mov ecx, dword ptr [ebp - 0x34c] ; push dword ptr [ecx + eax*4] ;
        // mov eax, dword ptr [ebp - 0x114] ; call rel32
        $sequence_5 = { 8d85d0fdffff 50 8b85a4fcffff 8b8db4fcffff ff3481 8b85ecfeffff e8???????? }

        // mov byte ptr [ebp - 1], 1 ; jmp rel8 ; xor esi, esi ; inc esi ;
        // push edi ; call dword ptr [imm32] ; jmp rel8
        $sequence_6 = { c645ff01 eb?? 33f6 46 57 ff15???????? eb?? }

        // lea eax, [ebp - 0x178] ; push eax ; call rel32 ;
        // cmp dword ptr [ebp + 8], esi ; je rel8 ; mov ecx, dword ptr [ebp + 8] ;
        // call rel32
        $sequence_7 = { 8d8588feffff 50 e8???????? 397508 74?? 8b4d08 e8???????? }

        // push dword ptr [ebp + 0x10] ; push esi ; push esi ;
        // call dword ptr [imm32] ; pop edi ; jmp rel8 ; or eax, 0xffffffff
        $sequence_8 = { ff7510 56 56 ff15???????? 5f eb?? 83c8ff }

        // cmp eax, 6 ; jae rel8 ; xor al, al ; ret ; mov eax, [imm32] ;
        // test eax, eax ; je rel8
        $sequence_9 = { 83f806 73?? 32c0 c3 a1???????? 85c0 74?? }

    condition:
        // All strings are $sequence_N, so this is the same as "7 of them":
        // at least seven of the ten code sequences must be present.
        7 of ($sequence_*)
}
/*
 * String-based rule for win.betabot (Neurevt), generated with
 * YaraGenerator from five samples (the 32-hex-character hash0..hash4
 * values, presumably MD5s).  The gaps in the $stringN numbering are an
 * artefact of the generator pruning candidates.
 *
 * Triage note: several of the strings are ordinary Windows or browser
 * artefacts ("cmd.exe", "services.exe", "firefox.exe",
 * "-k NetworkService", "Data Path") and can appear in benign binaries.
 * The 10-of-13 threshold means a hit still needs most of the specific
 * strings (the Spanish decoy message, "uWinMgr.exe", "eUSERPROFILE",
 * the two legacy Firefox user-agent strings), but a match on the
 * generic ones alone is not possible, so corroborate hits accordingly.
 */
rule win_betabot_w0 {
    meta:
        author = "Venom23"
        date = "2013-06-21"
        description = "Neurevt Malware Sig"
        hash0 = "db9a816d58899f1ba92bc338e89f856a"
        hash1 = "d7b427ce3175fa7704da6b19a464938e"
        hash2 = "13027beb8aa5e891e8e641c05ccffde3"
        hash3 = "d1004b63d6d3cb90e6012c68e19ab453"
        hash4 = "a1286fd94984fd2de857f7b846062b5e"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Neurevt.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Security-product and process names (UTF-16LE in the binary).
        $string0  = "BullGuard" wide
        $string1  = "cmd.exe" wide
        $string4  = "eUSERPROFILE" wide
        // Format string for a shortcut path: <drive>:\<name>.lnk
        $string5  = "%c:\\%s.lnk" wide
        $string6  = "services.exe" wide
        // Spanish-language message embedded in the sample.
        $string9  = "Multiples archivos corruptos han sido encontrados en la carpeta \"Mis Documentos\". Para evitar perder" wide
        $string10 = "F-PROT Antivirus Tray application" wide
        $string12 = "-k NetworkService" wide
        // Note: ASCII, not wide, unlike the other process names.
        $string13 = "firefox.exe"
        $string14 = "uWinMgr.exe" wide
        // Hard-coded legacy Firefox user-agent strings (ASCII).
        $string15 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060410 Firefox/1.0.8"
        $string16 = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
        $string18 = "Data Path" wide

    condition:
        // Every string is named $stringN, so this equals "10 of them":
        // ten of the thirteen strings must be present.
        10 of ($string*)
}