/*
 * win.brbbot -- autogenerated code-sequence signature (yara-signator).
 *
 * Matching model: ten opcode sequences lifted from disassembly; the rule fires
 * when at least seven of them occur in a file smaller than 194 KiB (198656
 * bytes, written as 194KB below).  Every sequence carries REX prefixes
 * (41/44/48/49/4C/4D), so the patterns describe x86-64 code.  The `??`
 * wildcards stand for RIP-relative displacements and call targets that change
 * from build to build; all other bytes are fixed.
 *
 * Triage notes for anyone deploying or tuning this rule:
 *   - The sequences were selected from memory dumps / unpacked code (see the
 *     generator disclaimer below), so a packed or encrypted on-disk sample
 *     may only match after unpacking or in a memory scan.
 *   - The filesize bound is part of the condition: a padded or embedded copy
 *     above 194 KiB is not reported even if all ten sequences are present.
 *   - Only a single sample per family feeds the generator; treat a hit as a
 *     strong lead, not as proof, and assign confidence accordingly.
 *   - The mnemonic beside each opcode line was decoded from the bytes on that
 *     line.  The generator's original annotations did not correspond to the
 *     bytes they were printed next to (e.g. 48 8B C8 is not `mov esi, edi`)
 *     and were therefore replaced.
 */
rule win_brbbot_auto {
    meta:
        author             = "Felix Bilstein - yara-signator at cocacoding dot com"
        date               = "2023-03-28"
        version            = "1"
        description        = "Detects win.brbbot."
        info               = "autogenerated rule brought to you by yara-signator"
        tool               = "yara-signator v0.6.0"
        signator_config    = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brbbot"
        malpedia_rule_date = "20230328"
        malpedia_hash      = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version   = "20230407"
        malpedia_license   = "CC BY-SA 4.0"
        malpedia_sharing   = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = {
            48 89 05 ?? ?? ?? ??    // mov [rip+disp32], rax
            FF 15 ?? ?? ?? ??       // call [rip+disp32]
            48 8B C8                // mov rcx, rax
            FF 15 ?? ?? ?? ??       // call [rip+disp32]
            48 8D 15 74 45 00 00    // lea rdx, [rip+0x4574]
            48 8B CE                // mov rcx, rsi
        } // n = 6, score = 100

        $sequence_1 = {
            74 06                   // je  +0x06
            FF 15 ?? ?? ?? ??       // call [rip+disp32]
            85 FF                   // test edi, edi
            79 0D                   // jns +0x0d
            85 ED                   // test ebp, ebp
        } // n = 5, score = 100

        $sequence_2 = {
            48 8B 55 40             // mov rdx, [rbp+0x40]
            48 8B 5D 28             // mov rbx, [rbp+0x28]
            48 83 C9 FF             // or  rcx, -1
            48 8B FA                // mov rdi, rdx
            33 C0                   // xor eax, eax
            F2 AE                   // repne scasb  (or/xor/scasb/not: classic inline strlen)
            48 F7 D1                // not rcx
        } // n = 7, score = 100

        $sequence_3 = {
            74 04                   // je  +0x04
            F0 44 01 08             // lock add [rax], r9d
            48 8D 41 58             // lea rax, [rcx+0x58]
            41 B8 06 00 00 00       // mov r8d, 6
            48 8D 15 FA B6 00 00    // lea rdx, [rip+0xb6fa]
        } // n = 5, score = 100

        $sequence_4 = {
            48 8D 0D 7D DE 00 00    // lea rcx, [rip+0xde7d]
            E8 ?? ?? ?? ??          // call rel32
            85 C0                   // test eax, eax
            74 0E                   // je  +0x0e
            BA 01 00 00 00          // mov edx, 1
            48 8B CD                // mov rcx, rbp
        } // n = 6, score = 100

        $sequence_5 = {
            33 D2                   // xor edx, edx
            FF 15 ?? ?? ?? ??       // call [rip+disp32]
            4C 8B 7C 24 58          // mov r15, [rsp+0x58]
            4D 85 ED                // test r13, r13
            74 30                   // je  +0x30
            48 83 C9 FF             // or  rcx, -1
        } // n = 6, score = 100

        $sequence_6 = {
            8B D9                   // mov ebx, ecx
            FF 15 ?? ?? ?? ??       // call [rip+disp32]
            4C 8D 43 04             // lea r8, [rbx+4]
            BA 08 00 00 00          // mov edx, 8
            48 8B C8                // mov rcx, rax
            FF 15 ?? ?? ?? ??       // call [rip+disp32]
            44 8B 44 24 20          // mov r8d, [rsp+0x20]
        } // n = 7, score = 100

        $sequence_7 = {
            48 83 C9 FF             // or  rcx, -1
            85 C0                   // test eax, eax
            75 7A                   // jne +0x7a
            33 C0                   // xor eax, eax
            41 C7 07 01 00 00 00    // mov dword ptr [r15], 1
            49 8D BE 04 01 00 00    // lea rdi, [r14+0x104]
        } // n = 6, score = 100

        $sequence_8 = {
            81 FF FC 00 00 00       // cmp edi, 0xfc
            0F 84 B8 01 00 00       // je  +0x1b8
            48 8D 2D BD BE 00 00    // lea rbp, [rip+0xbebd]
            41 BC 14 03 00 00       // mov r12d, 0x314
            4C 8D 05 60 78 00 00    // lea r8, [rip+0x7860]
            48 8B CD                // mov rcx, rbp
            41 8B D4                // mov edx, r12d
        } // n = 7, score = 100

        $sequence_9 = {
            33 D2                   // xor edx, edx
            48 8B CE                // mov rcx, rsi
            E8 ?? ?? ?? ??          // call rel32
            FF 15 ?? ?? ?? ??       // call [rip+disp32]
            4C 8B C6                // mov r8, rsi
            48 8B C8                // mov rcx, rax
            33 D2                   // xor edx, edx
        } // n = 7, score = 100

    condition:
        // Cheap size gate first (194KB == 198656 bytes), then the
        // 7-of-10 sequence threshold over every $sequence_* string.
        filesize < 194KB and 7 of them
}