There is no description at this point.
rule win_cova_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-03-28" version = "1" description = "Detects win.cova." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cova" malpedia_rule_date = "20230328" malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d" malpedia_version = "20230407" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 4803c7 420fb71440 8b461c 488d0c07 8b0491 } // n = 5, score = 100 // 4803c7 | je 0x8e6 // 420fb71440 | dec eax // 8b461c | mov ebx, dword ptr [esp + 0x68] // 488d0c07 | mov word ptr [ebx + 0x206], si // 8b0491 | test al, al $sequence_1 = { ff5710 4c8d442438 448bd8 4503db 33d2 } // n = 5, score = 100 // ff5710 | dec eax // 4c8d442438 | mov ecx, dword ptr [eax + ecx*8] // 448bd8 | dec eax // 4503db | mov dword ptr [esp + 8], ebx // 33d2 | dec eax $sequence_2 = { 488d3d90580000 eb0e 488b03 4885c0 } // n = 4, score = 100 // 488d3d90580000 | push edi // eb0e | dec eax // 488b03 | sub esp, 0x20 // 4885c0 | dec eax $sequence_3 = { ff55c0 89442440 85c0 7407 3d80000000 751d 4c8be6 } // n = 7, score = 100 // ff55c0 | dec ecx // 89442440 | mov ecx, ebp // 85c0 | test eax, eax // 7407 | je 0x21d // 3d80000000 | inc ebp // 751d | xor ecx, ecx // 4c8be6 | dec esp $sequence_4 = { 4533c9 33c9 488978c8 ff9608010000 85c0 757d } // n = 6, score = 100 // 4533c9 | dec eax // 33c9 | lea edx, [ebp + 0x12f0] // 488978c8 | dec eax // ff9608010000 | lea ecx, [ebp + 0x360] // 85c0 | dec ecx // 757d | mov ebx, ecx $sequence_5 = { 49894bf0 33db 498bf1 448d4b01 498be8 ba22100000 } // n = 6, score = 100 // 49894bf0 | lock dec dword ptr [eax] // 33db | jne 0x300 // 498bf1 | inc ebx // 448d4b01 | xor cl, byte ptr [ecx + eax] // 498be8 | inc ecx // ba22100000 | xor cl, al $sequence_6 = { f7e7 c1ea05 6bd264 2bfa ff9598000000 488d8b08020000 } // n = 6, score = 100 // f7e7 | dec eax // c1ea05 | mov eax, dword ptr [ebx - 0x10] // 6bd264 | dec eax // 2bfa | lea edi, [ebx + 0x58] // ff9598000000 | mov esi, 6 // 488d8b08020000 | dec eax $sequence_7 = { 4885ff 740e ff5500 4c8bc7 } // n = 4, score = 100 // 4885ff | inc ebp // 740e | test ecx, ecx // ff5500 | jne 0x7b // 4c8bc7 | xor eax, 0x51e99d8 $sequence_8 = { 0f8590000000 448af6 4d85ed 7409 } // n = 4, score = 100 // 0f8590000000 | lea ecx, [esp + 0x58] // 448af6 | dec esp // 4d85ed | lea eax, [esp + 0x78] // 7409 | je 0x30c $sequence_9 = { 4c8d4340 8d5708 488bc8 ff5650 48894500 4885c0 743b } // n = 7, score = 100 // 4c8d4340 | mov dword ptr [ebp + 0xc], ebx // 8d5708 | dec esp // 488bc8 | mov dword ptr [ebp + 4], ebx // ff5650 | rep stosd dword ptr es:[edi], eax // 48894500 | dec eax // 4885c0 | lea edi, [0x69f2] // 743b | dec eax condition: 7 of them and filesize < 123904 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY