There is no description at this point.
rule win_dispcashbr_auto {
    // Auto-generated code-pattern rule for the DispCashBR ATM malware family.
    // All ten strings are short runs of 32-bit x86 instruction bytes taken from a
    // cdecl argument set-up (sub esp / mov [esp+N], imm / call); "??" wildcards mask
    // rel32 call targets, absolute data addresses and immediates that vary per build.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.dispcashbr."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the sequences only differ in the small negative immediate moved to
    // [esp+8] (0xffffffce = -50, 0xffffffea = -22, ...). This is a generic compiler
    // idiom, so the rule relies on the combination of constants, not on any one hit.
    // Two pairs overlap on the same code site: $sequence_4 ends with the bytes that
    // start $sequence_0, and $sequence_8/$sequence_9 share "83ec08 c7442408ccffffff
    // c7442404????????". A single site can therefore satisfy both members of a pair,
    // so "7 of them" may be met by as few as five distinct code locations.
    strings:
        $sequence_0 = { e8???????? 83ec08 c7442408ceffffff c7442404???????? }
            // n = 4, score = 200
            //   e8????????         | call <rel32>              (target masked)
            //   83ec08             | sub esp, 8
            //   c7442408ceffffff   | mov dword ptr [esp + 8], 0xffffffce
            //   c7442404????????   | mov dword ptr [esp + 4], <imm32> (masked)
        $sequence_1 = { e8???????? 83ec08 c7442408eaffffff c7442404???????? }
            // n = 4, score = 200
            //   e8????????         | call <rel32>              (target masked)
            //   83ec08             | sub esp, 8
            //   c7442408eaffffff   | mov dword ptr [esp + 8], 0xffffffea
            //   c7442404????????   | mov dword ptr [esp + 4], <imm32> (masked)
        $sequence_2 = { 83ec04 c744240404000000 890424 e8???????? 83ec08 c7442408d9ffffff c7442404???????? }
            // n = 7, score = 200
            //   83ec04             | sub esp, 4
            //   c744240404000000   | mov dword ptr [esp + 4], 4
            //   890424             | mov dword ptr [esp], eax
            //   e8????????         | call <rel32>              (target masked)
            //   83ec08             | sub esp, 8
            //   c7442408d9ffffff   | mov dword ptr [esp + 8], 0xffffffd9
            //   c7442404????????   | mov dword ptr [esp + 4], <imm32> (masked)
        $sequence_3 = { c744240404000000 890424 e8???????? 83ec08 c7442408f3ffffff c7442404???????? }
            // n = 6, score = 200
            //   c744240404000000   | mov dword ptr [esp + 4], 4
            //   890424             | mov dword ptr [esp], eax
            //   e8????????         | call <rel32>              (target masked)
            //   83ec08             | sub esp, 8
            //   c7442408f3ffffff   | mov dword ptr [esp + 8], 0xfffffff3
            //   c7442404????????   | mov dword ptr [esp + 4], <imm32> (masked)
        $sequence_4 = { e8???????? 83ec04 c744240404000000 890424 e8???????? 83ec08 c7442408ceffffff }
            // n = 7, score = 200  (tail overlaps the head of $sequence_0)
            //   e8????????         | call <rel32>              (target masked)
            //   83ec04             | sub esp, 4
            //   c744240404000000   | mov dword ptr [esp + 4], 4
            //   890424             | mov dword ptr [esp], eax
            //   e8????????         | call <rel32>              (target masked)
            //   83ec08             | sub esp, 8
            //   c7442408ceffffff   | mov dword ptr [esp + 8], 0xffffffce
        $sequence_5 = { 83ec08 c7442408caffffff c7442404???????? a1???????? 83c020 890424 e8???????? }
            // n = 7, score = 200
            //   83ec08             | sub esp, 8
            //   c7442408caffffff   | mov dword ptr [esp + 8], 0xffffffca
            //   c7442404????????   | mov dword ptr [esp + 4], <imm32> (masked)
            //   a1????????         | mov eax, dword ptr [<abs32>] (address masked)
            //   83c020             | add eax, 0x20
            //   890424             | mov dword ptr [esp], eax
            //   e8????????         | call <rel32>              (target masked)
        $sequence_6 = { c7442408c8ffffff c7442404???????? a1???????? 83c020 890424 e8???????? }
            // n = 6, score = 200
            //   c7442408c8ffffff   | mov dword ptr [esp + 8], 0xffffffc8
            //   c7442404????????   | mov dword ptr [esp + 4], <imm32> (masked)
            //   a1????????         | mov eax, dword ptr [<abs32>] (address masked)
            //   83c020             | add eax, 0x20
            //   890424             | mov dword ptr [esp], eax
            //   e8????????         | call <rel32>              (target masked)
        $sequence_7 = { 890424 e8???????? eb45 c70424f5ffffff }
            // n = 4, score = 200
            //   890424             | mov dword ptr [esp], eax
            //   e8????????         | call <rel32>              (target masked)
            //   eb45               | jmp 0x47                  (short forward jump)
            //   c70424f5ffffff     | mov dword ptr [esp], 0xfffffff5
        $sequence_8 = { 83ec08 c7442408ccffffff c7442404???????? a1???????? }
            // n = 4, score = 200  (overlaps $sequence_9 on the same site)
            //   83ec08             | sub esp, 8
            //   c7442408ccffffff   | mov dword ptr [esp + 8], 0xffffffcc
            //   c7442404????????   | mov dword ptr [esp + 4], <imm32> (masked)
            //   a1????????         | mov eax, dword ptr [<abs32>] (address masked)
        $sequence_9 = { e8???????? 83ec08 c7442408ccffffff c7442404???????? }
            // n = 4, score = 200  (overlaps $sequence_8 on the same site)
            //   e8????????         | call <rel32>              (target masked)
            //   83ec08             | sub esp, 8
            //   c7442408ccffffff   | mov dword ptr [esp + 8], 0xffffffcc
            //   c7442404????????   | mov dword ptr [esp + 4], <imm32> (masked)

    // No PE-header check, consistent with the disclaimer: inputs include memory dumps,
    // so the rule is meant to fire on unpacked/dumped code as well as files. Pair this
    // with the string-based win_dispcashbr_w0 rule when assigning confidence.
    condition:
        7 of them and filesize < 123904
}
rule win_dispcashbr_w0 {
    // Analyst-written rule for the DispCashBR ATM malware: Portuguese operator strings,
    // two debug/function-name strings, and three 32-bit argument set-up sequences.
    meta:
        description = "Detects of ATM Malware DispCashBR"
        author = "Frank Boldewin (@r3c0nst)"
        reference = "https://twitter.com/r3c0nst/status/1232944566208286720"
        date = "2020-02-27"
        // 64 hex characters -> SHA-256 of the reference sample.
        hash = "7cea6510434f2c8f28c9dbada7973449bb1f844cfe589cdc103c9946c2673036"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr"
        malpedia_version = "20200227"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""   // left empty by the source; no license asserted here

    strings:
        // Operator-facing messages (Portuguese: "dispensing", "command executed
        // successfully", "withdrawn: ... R$"). nocase also covers re-cased variants.
        $String1 = "(*) Dispensando: %lu" ascii nocase
        $String2 = "COMANDO EXECUTADO COM SUCESSO" ascii nocase
        $String3 = "[+] FOI SACADO: %lu R$ [+]" ascii nocase
        // Debug/symbol strings; both are matched case-insensitively, so the differing
        // casing of the two literals is not significant.
        $DbgStr1 = "_Get_Information_cdm_cuinfo" ascii nocase
        $DbgStr2 = "_GET_INFORMATION_SHUTTER" ascii nocase
        // Three call set-ups of the form mov [esp+8], X / mov [esp+4], <const> /
        // mov [esp], eax / call (E8). The 16-bit constants are 0x12F (303),
        // 0x517 (1303) and 0x12E (302).
        // NOTE(review): these look like CEN/XFS CDM/CIM category codes passed to a
        // WFS call with a service handle in eax — confirm against the XFS headers
        // before relying on the per-string labels below.
        $Code1 = {C7 44 24 08 00 00 00 00 C7 44 24 04 2F 01 00 00 89 04 24 E8} // CDM Info1
        $Code2 = {C7 44 24 08 00 00 00 00 C7 44 24 04 17 05 00 00 89 04 24 E8} // CDM Info2
        $Code3 = {89 4C 24 08 C7 44 24 04 2E 01 00 00 89 04 24 E8} // Dispense Cash

    // uint16(0) == 0x5A4D requires an "MZ" header, so this rule is file-only and will
    // not fire on headerless memory dumps; the auto-generated sibling rule covers those.
    // The size cap (100KB) is tighter than the sibling's 123904 bytes; all three code
    // sequences are mandatory, which keeps false positives low but means a rebuilt
    // sample with different call set-up will be missed.
    condition:
        uint16(0) == 0x5A4D and filesize < 100KB and 2 of ($String*) and 1 of ($DbgStr*) and all of ($Code*)
}