There is no description at this point.
rule win_brbbot_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.brbbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brbbot"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The byte sequences below were selected automatically by YARA-Signator
     * from the disassembly of memory dumps and unpacked files; code and
     * documentation: https://github.com/fxb-cocacoding/yara-signator
     * Malpedia is the data source, and for a number of families only a
     * single sample is documented, which limits how well these sequences
     * generalise. Weigh that generation method when assigning confidence
     * to hits from this rule in your own environment.
     */

    strings:
        // Each $sequence_N is one run of consecutive instructions from the
        // sample. "??" wildcards mask the rel32/disp32 of calls and RIP-relative
        // data loads, which change between builds. The bytes carry REX prefixes
        // (40-4F), so they are decoded here as x86-64. "n" is the instruction
        // count, "score" the generator's selection score.

        // 75 09                      jne  short +0x09
        // 48 8D 0D AA D1 00 00       lea  rcx, [rip + 0xd1aa]
        // EB 02                      jmp  short +0x02
        // 33 C9                      xor  ecx, ecx
        // E8 ?? ?? ?? ??             call rel32
        // 48 83 C4 38                add  rsp, 0x38
        $sequence_0 = { 75 09 48 8D 0D AA D1 00 00 EB 02 33 C9 E8 ?? ?? ?? ?? 48 83 C4 38 }   // n = 6, score = 100

        // F2 AE                      repne scasb
        // 48 F7 D1                   not  rcx
        // 48 FF C9                   dec  rcx
        // 4C 8B C1                   mov  r8, rcx
        // 49 8D 8E 10 04 00 00       lea  rcx, [r14 + 0x410]
        // 48 8B D5                   mov  rdx, rbp
        // E8 ?? ?? ?? ??             call rel32
        $sequence_1 = { F2 AE 48 F7 D1 48 FF C9 4C 8B C1 49 8D 8E 10 04 00 00 48 8B D5 E8 ?? ?? ?? ?? }   // n = 7, score = 100

        // 48 F7 D1                   not  rcx
        // 4C 8D 41 FF                lea  r8, [rcx - 1]
        // 48 8D 8B 04 01 00 00       lea  rcx, [rbx + 0x104]
        // E8 ?? ?? ?? ??             call rel32
        $sequence_2 = { 48 F7 D1 4C 8D 41 FF 48 8D 8B 04 01 00 00 E8 ?? ?? ?? ?? }   // n = 4, score = 100

        // 88 5C 24 70                mov  byte ptr [rsp + 0x70], bl
        // 44 8B EE                   mov  r13d, esi
        // 44 8B FE                   mov  r15d, esi
        // E8 ?? ?? ?? ??             call rel32
        // 48 8B 05 ?? ?? ?? ??       mov  rax, qword ptr [rip + disp32]
        // 48 89 44 24 58             mov  qword ptr [rsp + 0x58], rax
        $sequence_3 = { 88 5C 24 70 44 8B EE 44 8B FE E8 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 89 44 24 58 }   // n = 6, score = 100

        // 48 89 58 08                mov  qword ptr [rax + 8], rbx
        // 48 89 70 E8                mov  qword ptr [rax - 0x18], rsi
        // 33 FF                      xor  edi, edi
        // 48 89 78 B8                mov  qword ptr [rax - 0x48], rdi
        // 4C 89 60 E0                mov  qword ptr [rax - 0x20], r12
        $sequence_4 = { 48 89 58 08 48 89 70 E8 33 FF 48 89 78 B8 4C 89 60 E0 }   // n = 5, score = 100

        // 48 F7 D1                   not  rcx
        // 48 FF C9                   dec  rcx
        // 48 81 F9 04 01 00 00       cmp  rcx, 0x104
        // 0F 87 24 01 00 00          ja   rel32 (+0x124)
        // 48 83 C9 FF                or   rcx, -1
        $sequence_5 = { 48 F7 D1 48 FF C9 48 81 F9 04 01 00 00 0F 87 24 01 00 00 48 83 C9 FF }   // n = 5, score = 100

        // 81 FA 01 01 00 00          cmp  edx, 0x101
        // 7D 13                      jge  short +0x13
        // 48 63 CA                   movsxd rcx, edx
        // 8A 44 19 1C                mov  al, byte ptr [rcx + rbx + 0x1c]
        // 42 88 84 01 C0 23 01 00    mov  byte ptr [rcx + r8 + 0x123c0], al
        $sequence_6 = { 81 FA 01 01 00 00 7D 13 48 63 CA 8A 44 19 1C 42 88 84 01 C0 23 01 00 }   // n = 5, score = 100

        // 48 8B FA                   mov  rdi, rdx
        // FF 15 ?? ?? ?? ??          call qword ptr [rip + disp32]
        // 4C 8D 47 04                lea  r8, [rdi + 4]
        // 48 8B C8                   mov  rcx, rax
        // BA 08 00 00 00             mov  edx, 8
        // FF 15 ?? ?? ?? ??          call qword ptr [rip + disp32]
        $sequence_7 = { 48 8B FA FF 15 ?? ?? ?? ?? 4C 8D 47 04 48 8B C8 BA 08 00 00 00 FF 15 ?? ?? ?? ?? }   // n = 6, score = 100

        // 4C 8B 75 40                mov  r14, qword ptr [rbp + 0x40]
        // 8B D8                      mov  ebx, eax
        // 85 C0                      test eax, eax
        // 0F 88 D6 02 00 00          js   rel32 (+0x2d6)
        // 4C 8D 4D A8                lea  r9, [rbp - 0x58]
        $sequence_8 = { 4C 8B 75 40 8B D8 85 C0 0F 88 D6 02 00 00 4C 8D 4D A8 }   // n = 5, score = 100

        // 33 D2                      xor  edx, edx
        // 48 8B CE                   mov  rcx, rsi
        // E8 ?? ?? ?? ??             call rel32
        // FF 15 ?? ?? ?? ??          call qword ptr [rip + disp32]
        // 4C 8B C6                   mov  r8, rsi
        // 48 8B C8                   mov  rcx, rax
        // 33 D2                      xor  edx, edx
        $sequence_9 = { 33 D2 48 8B CE E8 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 4C 8B C6 48 8B C8 33 D2 }   // n = 7, score = 100

    condition:
        // Require 7 of the 10 sequences rather than any single one, so a lone
        // generic code idiom does not fire the rule. The size cap is the one
        // the generator emitted: 194 KiB = 198656 bytes.
        7 of ($sequence_*) and filesize < 194KB
}