win.bleachgap (Back to overview)

BleachGap


There is no description at this point.

References
2022-08-25 — K7 Security — Gaurav Yaday: BleachGap Revamped
BleachGap
Yara Rules
[TLP:WHITE] win_bleachgap_auto (20230808 | Detects win.bleachgap.)
rule win_bleachgap_auto {

    /* Reader notes (defender context)
     * - Every $sequence_N below is a run of seven consecutive x86 instruction
     *   encodings lifted from a disassembly. The "??" bytes wildcard the 4-byte
     *   relative displacement of call/jmp (e8 / e9) so the pattern still matches
     *   when the target of the branch is relocated; this is what the
     *   "callsandjumps" entry in signator_config refers to.
     * - The condition needs 7 of the 10 sequences, so a hit requires most of the
     *   fingerprint rather than any single generic fragment ($sequence_0 opens
     *   with the ubiquitous "mov ebp, esp" prologue and $sequence_8 is a plain
     *   push/call/test/je shape; on their own these would be weak indicators).
     * - The meta dates differ (date 2023-12-06, malpedia_rule_date 20231130,
     *   malpedia_version 20230808). Presumably they track rule generation vs the
     *   Malpedia sample snapshot used — confirm with yara-signator before using
     *   them as a version key.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.bleachgap."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bleachgap"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Function entry: frame setup, push of the second stack argument, call
        // (target wildcarded), then a -1 check on the result. Generic shape.
        $sequence_0 = { 8bec ff750c e8???????? 8bc8 83f9ff 7506 32c0 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   83f9ff               | cmp                 ecx, -1
            //   7506                 | jne                 8
            //   32c0                 | xor                 al, al

        // Unsigned bound check (jb) against 0x10 on a local, with a frame-local
        // state byte written first ([ebp - 4] = 4).
        $sequence_1 = { c645fc04 8b8d70fbffff 83f910 722f 8b955cfbffff 41 8bc2 }
            // n = 7, score = 100
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   8b8d70fbffff         | mov                 ecx, dword ptr [ebp - 0x490]
            //   83f910               | cmp                 ecx, 0x10
            //   722f                 | jb                  0x31
            //   8b955cfbffff         | mov                 edx, dword ptr [ebp - 0x4a4]
            //   41                   | inc                 ecx
            //   8bc2                 | mov                 eax, edx

        // Call with a 0x100-sized stack buffer as argument (push 0x100 / push eax
        // where eax = [esp + 0x14]); both branch targets are wildcarded.
        $sequence_2 = { e9???????? ff7104 8d442414 6800010000 50 e8???????? 8d442410 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   ff7104               | push                dword ptr [ecx + 4]
            //   8d442414             | lea                 eax, [esp + 0x14]
            //   6800010000           | push                0x100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d442410             | lea                 eax, [esp + 0x10]

        // Byte-by-byte stores of constants into consecutive stack slots
        // ([ebp - 0xc7] .. [ebp - 0xc1]); the immediates spell "z_UAW<A".
        // This stack-buffer construction is the most sample-specific sequence here.
        $sequence_3 = { c68539ffffff7a c6853affffff5f c6853bffffff55 c6853cffffff41 c6853dffffff57 c6853effffff3c c6853fffffff41 }
            // n = 7, score = 100
            //   c68539ffffff7a       | mov                 byte ptr [ebp - 0xc7], 0x7a
            //   c6853affffff5f       | mov                 byte ptr [ebp - 0xc6], 0x5f
            //   c6853bffffff55       | mov                 byte ptr [ebp - 0xc5], 0x55
            //   c6853cffffff41       | mov                 byte ptr [ebp - 0xc4], 0x41
            //   c6853dffffff57       | mov                 byte ptr [ebp - 0xc3], 0x57
            //   c6853effffff3c       | mov                 byte ptr [ebp - 0xc2], 0x3c
            //   c6853fffffff41       | mov                 byte ptr [ebp - 0xc1], 0x41

        // Local initialisation followed by a cmove on cl (compiler-generated
        // branchless select).
        $sequence_4 = { eb0d 8b450c 8945b8 c745b400000000 84c9 8d4dd4 0f44f2 }
            // n = 7, score = 100
            //   eb0d                 | jmp                 0xf
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8945b8               | mov                 dword ptr [ebp - 0x48], eax
            //   c745b400000000       | mov                 dword ptr [ebp - 0x4c], 0
            //   84c9                 | test                cl, cl
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   0f44f2               | cmove               esi, edx

        // Object field writes plus an 8-byte zero store via xorps/movq
        // (typical compiler idiom for zeroing two adjacent dwords).
        $sequence_5 = { c6431000 894924 c645fc02 8d45e0 c645e801 0f57c0 660fd607 }
            // n = 7, score = 100
            //   c6431000             | mov                 byte ptr [ebx + 0x10], 0
            //   894924               | mov                 dword ptr [ecx + 0x24], ecx
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   c645e801             | mov                 byte ptr [ebp - 0x18], 1
            //   0f57c0               | xorps               xmm0, xmm0
            //   660fd607             | movq                qword ptr [edi], xmm0

        // Per-byte add/xor transform of a value reloaded from [esp + 0x10],
        // written out to successive stack bytes ([esp + 0x26], [esp + 0x27]).
        // Looks like an unrolled byte encode/decode step — verify in the sample.
        $sequence_6 = { 88442426 8b442410 0413 3457 88442427 8b442410 0414 }
            // n = 7, score = 100
            //   88442426             | mov                 byte ptr [esp + 0x26], al
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   0413                 | add                 al, 0x13
            //   3457                 | xor                 al, 0x57
            //   88442427             | mov                 byte ptr [esp + 0x27], al
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   0414                 | add                 al, 0x14

        // Bit test: (1 << cl) against a dword at [edx], then a backward je.
        $sequence_7 = { b801000000 d3e0 8502 0f8459ffffff 8b4614 8b5714 8b0e }
            // n = 7, score = 100
            //   b801000000           | mov                 eax, 1
            //   d3e0                 | shl                 eax, cl
            //   8502                 | test                dword ptr [edx], eax
            //   0f8459ffffff         | je                  0xffffff5f
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   8b5714               | mov                 edx, dword ptr [edi + 0x14]
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        // cdecl call with four dword args (add esp, 0x10 afterwards) and a
        // zero check on the return value. Generic shape on its own.
        $sequence_8 = { ff750c 50 e8???????? 83c410 85c0 0f84d9010000 53 }
            // n = 7, score = 100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   85c0                 | test                eax, eax
            //   0f84d9010000         | je                  0x1df
            //   53                   | push                ebx

        // Byte compare loop body: load [ebx], advance ebx and a counter in ecx,
        // compare against [eax].
        $sequence_9 = { 8a13 8bc1 8b4df0 43 41 894df4 3810 }
            // n = 7, score = 100
            //   8a13                 | mov                 dl, byte ptr [ebx]
            //   8bc1                 | mov                 eax, ecx
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   43                   | inc                 ebx
            //   41                   | inc                 ecx
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   3810                 | cmp                 byte ptr [eax], dl

    condition:
        // 7 of 10 sequences must be present. The size bound is in bytes
        // (4538368 = 0x454000) and is only meaningful when scanning files on
        // disk; for process-memory scans check how your YARA version evaluates
        // filesize before depending on this rule for detection.
        7 of them and filesize < 4538368
}