Actor(s): Tonto Team
There is no description at this point.
rule win_calmthorn_auto {
    // Auto-generated (yara-signator) code-sequence rule for win.calmthorn.
    // Ten 7-instruction byte sequences are listed below; the condition requires
    // any 7 of them plus a file-size ceiling. Each sequence carries its source
    // disassembly as trailing comments for review. Sequences 0/2/8 and 3/7/9
    // share the same instruction shape and differ only in stack offsets, so they
    // look like compiler idioms (64-bit counter increment, qword zeroing) rather
    // than family-specific logic — NOTE(review): confirm the precision of this
    // rule against benign code compiled with the same toolchain before assigning
    // a high confidence level.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.calmthorn."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        // 64-bit counter increment (add/adc pair) on two adjacent stack slots.
        $sequence_0 = { eb1e 8b852c1affff 83c001 8b8d301affff 83d100 89852c1affff 898d301affff }
            // n = 7, score = 100
            //   eb1e                 | jmp                 0x20
            //   8b852c1affff         | mov                 eax, dword ptr [ebp - 0xe5d4]
            //   83c001               | add                 eax, 1
            //   8b8d301affff         | mov                 ecx, dword ptr [ebp - 0xe5d0]
            //   83d100               | adc                 ecx, 0
            //   89852c1affff         | mov                 dword ptr [ebp - 0xe5d4], eax
            //   898d301affff         | mov                 dword ptr [ebp - 0xe5d0], ecx

        // Indirect jump through a table at an absolute address (0x4fe46e). Those
        // address bytes are part of the pattern, so a rebased or relocated image
        // would presumably not match this sequence — verify if matching in memory.
        // The e8 opcode's four ?? bytes wildcard the call's relative target.
        $sequence_1 = { ff24856ee44f00 8bce e8???????? eb45 834e28ff 895e24 885e30 }
            // n = 7, score = 100
            //   ff24856ee44f00       | jmp                 dword ptr [eax*4 + 0x4fe46e]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |
            //   eb45                 | jmp                 0x47
            //   834e28ff             | or                  dword ptr [esi + 0x28], 0xffffffff
            //   895e24               | mov                 dword ptr [esi + 0x24], ebx
            //   885e30               | mov                 byte ptr [esi + 0x30], bl

        // Same add/adc increment idiom as $sequence_0, different registers/offsets.
        $sequence_2 = { eb1e 8b8d641cffff 83c101 8b95681cffff 83d200 898d641cffff 8995681cffff }
            // n = 7, score = 100
            //   eb1e                 | jmp                 0x20
            //   8b8d641cffff         | mov                 ecx, dword ptr [ebp - 0xe39c]
            //   83c101               | add                 ecx, 1
            //   8b95681cffff         | mov                 edx, dword ptr [ebp - 0xe398]
            //   83d200               | adc                 edx, 0
            //   898d641cffff         | mov                 dword ptr [ebp - 0xe39c], ecx
            //   8995681cffff         | mov                 dword ptr [ebp - 0xe398], edx

        // Byte-flag test followed by zeroing a stack qword via xorps/movlpd.
        $sequence_3 = { ebba 0fb69591fdffff 83fa01 7556 0f57c0 660f13853c8effff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb69591fdffff       | movzx               edx, byte ptr [ebp - 0x26f]
            //   83fa01               | cmp                 edx, 1
            //   7556                 | jne                 0x58
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f13853c8effff     | movlpd              qword ptr [ebp - 0x71c4], xmm0
            //   eb1e                 | jmp                 0x20

        // Byte-flag test followed by zeroing a stack dword.
        $sequence_4 = { ebba 0fb6952cfdffff 83fa01 7552 c78500c2ffff00000000 eb0f 8b8500c2ffff }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb6952cfdffff       | movzx               edx, byte ptr [ebp - 0x2d4]
            //   83fa01               | cmp                 edx, 1
            //   7552                 | jne                 0x54
            //   c78500c2ffff00000000 | mov                 dword ptr [ebp - 0x3e00], 0
            //   eb0f                 | jmp                 0x11
            //   8b8500c2ffff         | mov                 eax, dword ptr [ebp - 0x3e00]

        // Same shape as $sequence_4 with different stack offsets.
        $sequence_5 = { ebba 0fb69546fdffff 83fa01 7552 c785c8d1ffff00000000 eb0f 8b85c8d1ffff }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb69546fdffff       | movzx               edx, byte ptr [ebp - 0x2ba]
            //   83fa01               | cmp                 edx, 1
            //   7552                 | jne                 0x54
            //   c785c8d1ffff00000000 | mov                 dword ptr [ebp - 0x2e38], 0
            //   eb0f                 | jmp                 0x11
            //   8b85c8d1ffff         | mov                 eax, dword ptr [ebp - 0x2e38]

        // Call (target wildcarded), stack cleanup, then a bounded counter increment.
        $sequence_6 = { e8???????? 83c404 398514f6ffff 7d20 8b85f89dffff 83c001 8985f89dffff }
            // n = 7, score = 100
            //   e8????????           |
            //   83c404               | add                 esp, 4
            //   398514f6ffff         | cmp                 dword ptr [ebp - 0x9ec], eax
            //   7d20                 | jge                 0x22
            //   8b85f89dffff         | mov                 eax, dword ptr [ebp - 0x6208]
            //   83c001               | add                 eax, 1
            //   8985f89dffff         | mov                 dword ptr [ebp - 0x6208], eax

        // Same shape as $sequence_3 (ecx instead of edx, different offsets).
        $sequence_7 = { ebba 0fb68d7afdffff 83f901 7556 0f57c0 660f13852487ffff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb68d7afdffff       | movzx               ecx, byte ptr [ebp - 0x286]
            //   83f901               | cmp                 ecx, 1
            //   7556                 | jne                 0x58
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f13852487ffff     | movlpd              qword ptr [ebp - 0x78dc], xmm0
            //   eb1e                 | jmp                 0x20

        // Same add/adc increment idiom as $sequence_0 and $sequence_2.
        $sequence_8 = { eb1e 8b95d47effff 83c201 8b85d87effff 83d000 8995d47effff 8985d87effff }
            // n = 7, score = 100
            //   eb1e                 | jmp                 0x20
            //   8b95d47effff         | mov                 edx, dword ptr [ebp - 0x812c]
            //   83c201               | add                 edx, 1
            //   8b85d87effff         | mov                 eax, dword ptr [ebp - 0x8128]
            //   83d000               | adc                 eax, 0
            //   8995d47effff         | mov                 dword ptr [ebp - 0x812c], edx
            //   8985d87effff         | mov                 dword ptr [ebp - 0x8128], eax

        // Same shape as $sequence_3 and $sequence_7.
        $sequence_9 = { ebba 0fb68d9efdffff 83f901 7556 0f57c0 660f13858c94ffff eb1e }
            // n = 7, score = 100
            //   ebba                 | jmp                 0xffffffbc
            //   0fb68d9efdffff       | movzx               ecx, byte ptr [ebp - 0x262]
            //   83f901               | cmp                 ecx, 1
            //   7556                 | jne                 0x58
            //   0f57c0               | xorps               xmm0, xmm0
            //   660f13858c94ffff     | movlpd              qword ptr [ebp - 0x6b74], xmm0
            //   eb1e                 | jmp                 0x20
    condition:
        // 7 of the 10 sequences must be present; the filesize ceiling (~2.2 MiB)
        // derives from the documented sample, so larger repacked builds or
        // memory dumps with extra data would not match — keep in mind when
        // scanning process memory rather than files.
        7 of them and filesize < 2322432
}