There is no description at this point.
rule win_chainshot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-03-28" version = "1" description = "Detects win.chainshot." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot" malpedia_rule_date = "20230328" malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d" malpedia_version = "20230407" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7408 ffd0 8905???????? b83e000080 eb14 e8???????? 85c0 } // n = 7, score = 300 // 7408 | inc ecx // ffd0 | lea edx, [ecx + 6] // 8905???????? | // b83e000080 | dec esp // eb14 | lea eax, [ebp - 0x18] // e8???????? | // 85c0 | lea edx, [ebx + 3] $sequence_1 = { 85c0 0f8886000000 8b06 85c0 7503 8b4610 8bd8 } // n = 7, score = 300 // 85c0 | mov al, bl // 0f8886000000 | dec eax // 8b06 | add esp, 0x38 // 85c0 | je 0x38 // 7503 | dec eax // 8b4610 | lea ecx, [ebp + 0x60] // 8bd8 | inc eax $sequence_2 = { 85c0 7833 837e1000 740c } // n = 4, score = 300 // 85c0 | cmp edi, 0x400 // 7833 | jge 0x1205 // 837e1000 | dec eax // 740c | cmp dword ptr [ebx], 0 $sequence_3 = { 85c0 750a b90b080080 e9???????? } // n = 4, score = 300 // 85c0 | inc esp // 750a | mov ebx, dword ptr [esp + 0x20] // b90b080080 | jle 0x9c5 // e9???????? | $sequence_4 = { e9???????? bd01000000 c70703000000 ebe9 bd01000000 } // n = 5, score = 300 // e9???????? | // bd01000000 | push edi // c70703000000 | push ebx // ebe9 | mov edx, 4 // bd01000000 | push esi $sequence_5 = { b908000080 894c2420 eb5b 803d????????00 } // n = 4, score = 300 // b908000080 | dec eax // 894c2420 | lea ecx, [0x1efc4] // eb5b | inc eax // 803d????????00 | $sequence_6 = { ffc9 7433 ffc9 7438 ffc9 742b ffc9 } // n = 7, score = 300 // ffc9 | pop edi // 7433 | mov eax, esi // ffc9 | pop esi // 7438 | pop ebx // ffc9 | mov esp, ebp // 742b | pop ebp // ffc9 | mov esi, 0x80000015 $sequence_7 = { e9???????? bd01000000 c7071a000000 e9???????? bd01000000 } // n = 5, score = 300 // e9???????? | // bd01000000 | dec eax // c7071a000000 | lea ecx, [ebp - 0x20] // e9???????? | // bd01000000 | mov edx, 0x104 $sequence_8 = { b84d5a0000 663b01 740a bbdc000080 e9???????? } // n = 5, score = 300 // b84d5a0000 | lea ecx, [ebp - 0x10] // 663b01 | dec eax // 740a | lea edx, [0xdfc] // bbdc000080 | mov ecx, dword ptr [ebp + 0x50] // e9???????? | $sequence_9 = { c1e204 0bd1 8915???????? 8bc3 } // n = 4, score = 300 // c1e204 | mov eax, 0x1fe // 0bd1 | xor edx, edx // 8915???????? | // 8bc3 | lea ecx, [esp + 0x30] condition: 7 of them and filesize < 802816 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY