win.disttrack

DistTrack

aka: Shamoon

Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY


There is no description at this point.

References
2022-09-26 - CrowdStrike - Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
Families: CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-08-12 - CrowdStrike - Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Families: Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-04-28 - Fortinet - Gergely Revay
An Overview of the Increasing Wiper Malware Threat
Families: AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare

2022-03-08 - Cylera - Cylera
The link between Kwampirs (Orangeworm) and Shamoon APTs
Families: DistTrack Kwampirs

2021-08-05 - Symantec - Threat Hunter Team
Attacks Against Critical Infrastructure: A Global Concern
Families: BlackEnergy DarkSide DistTrack Stuxnet

2020-02-13 - Qianxin - Qi Anxin Threat Intelligence Center
APT Report 2019
Families: Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020-02-10 - ZDNet - Catalin Cimpanu
FBI warns about ongoing attacks against software supply chain companies
Families: DistTrack Kwampirs

2019-12-21 - MalwareInDepth - Myrtus 0x0
Shamoon 2012 Complete Analysis
Families: DistTrack

2018-12-14 - Symantec - Critical Attack Discovery and Intelligence Team
Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail
Families: DistTrack Filerase StoneDrill OilRig

2018-12-13 - Palo Alto Networks Unit 42 - Robert Falcone
Shamoon 3 Targets Oil and Gas Organization
Families: DistTrack

2017-03-26 - Palo Alto Networks Unit 42 - Bryan Lee, Robert Falcone
Shamoon 2: Delivering Disttrack
Families: DistTrack

2017-03-14 - FireEye - FireEye
M-Trend 2017: A View From the Front Lines
Families: DistTrack Powersniff FIN8

2017-02-27 - Symantec - A L Johnson
Shamoon: Multi-staged destructive attacks limited to specific targets
Families: DistTrack MimiKatz Rocket Kitten

2017-02-05 - VinRansomware - Gregory Paul, Shaunak
Detailed threat analysis of Shamoon 2.0 Malware
Families: DistTrack

2017-01-23 - Symantec - Symantec Security Response
Greenbug cyberespionage group targeting Middle East, possible links to Shamoon
Families: DistTrack ISMDoor Greenbug
2017-01-09 - Palo Alto Networks Unit 42 - Robert Falcone
Second Wave of Shamoon 2 Attacks Identified
Families: DistTrack

2016-12-03 - Coding and Security - Coding, Security
"Sophisticated" and "Genius" Shamoon 2.0 Malware Analysis
Families: DistTrack

2016-11-30 - Palo Alto Networks Unit 42 - Robert Falcone
Shamoon 2: Return of the Disttrack Wiper
Families: DistTrack

2016-11-30 - Symantec - A L Johnson
Shamoon: Back from the dead and destructive as ever
Families: DistTrack OilRig

2012-08-17 - Contagiodump Blog - Mila Parkour
Shamoon or DistTrack.A samples
Families: DistTrack

2012-08-16 - Kaspersky Labs - GReAT
Shamoon the Wiper – Copycats at Work
Families: DistTrack

2012-08-16 - Symantec - Symantec Security Response
The Shamoon Attacks
Families: DistTrack OilRig
Yara Rules
[TLP:WHITE] win_disttrack_auto (20230808 | Detects win.disttrack.)
rule win_disttrack_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.disttrack."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 52 6a00 6a00 6848000700 }
            // n = 4, score = 200
            //   52                   | xor                 ecx, ecx
            //   6a00                 | mov                 dword ptr [esp + 0x28], 0x8000000
            //   6a00                 | mov                 dword ptr [esp + 0x20], ebx
            //   6848000700           | test                eax, eax

        $sequence_1 = { ff15???????? 5d 5b 8bc7 5f 5e }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   5d                   | dec                 eax
            //   5b                   | arpl                word ptr [eax + 4], cx
            //   8bc7                 | dec                 eax
            //   5f                   | lea                 eax, [0x127b0]
            //   5e                   | dec                 eax

        $sequence_2 = { 68???????? ff15???????? 8d45dc 50 ff15???????? 8b4ddc }
            // n = 6, score = 200
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d45dc               | jle                 0x68
            //   50                   | dec                 eax
            //   ff15????????         |                     
            //   8b4ddc               | mov                 eax, dword ptr [esi]

        $sequence_3 = { e8???????? 6a07 e8???????? 59 c3 6a10 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   6a07                 | push                7
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   6a10                 | push                0x10

        $sequence_4 = { e8???????? 83c404 50 e8???????? 83c404 68???????? ff15???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c404               | xor                 eax, eax
            //   50                   | dec                 ecx
            //   e8????????           |                     
            //   83c404               | mov                 edx, esp
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_5 = { 488bc8 e8???????? ebd1 498b94dca0940100 }
            // n = 4, score = 100
            //   488bc8               | and                 dword ptr [ebx + 8], 0
            //   e8????????           |                     
            //   ebd1                 | dec                 eax
            //   498b94dca0940100     | lea                 eax, [0x145cf]

        $sequence_6 = { 41bd08000000 4180fdfe 760d 488d0d392e0100 e8???????? }
            // n = 5, score = 100
            //   41bd08000000         | test                eax, eax
            //   4180fdfe             | jne                 0x27
            //   760d                 | mov                 esi, 1
            //   488d0d392e0100       | dec                 eax
            //   e8????????           |                     

        $sequence_7 = { 7442 488d157a840000 488bcf e8???????? 85c0 7525 }
            // n = 6, score = 100
            //   7442                 | dec                 eax
            //   488d157a840000       | lea                 ecx, [0x14ac7]
            //   488bcf               | jne                 0x19
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7525                 | lea                 ecx, [0x14ab1]

        $sequence_8 = { 895c2440 895c2444 899c24d8000000 899c24b0000000 899c24b8000000 }
            // n = 5, score = 100
            //   895c2440             | mov                 dword ptr [esp + 0x40], ebx
            //   895c2444             | mov                 dword ptr [esp + 0x44], ebx
            //   899c24d8000000       | mov                 dword ptr [esp + 0xd8], ebx
            //   899c24b0000000       | mov                 dword ptr [esp + 0xb0], ebx
            //   899c24b8000000       | mov                 dword ptr [esp + 0xb8], ebx

        $sequence_9 = { 884c30ff 3bf3 72e6 8b75ec 6a00 }
            // n = 5, score = 100
            //   884c30ff             | pop                 edi
            //   3bf3                 | pop                 esi
            //   72e6                 | lea                 eax, [ebp - 0x24]
            //   8b75ec               | push                eax
            //   6a00                 | mov                 ecx, dword ptr [ebp - 0x24]

        $sequence_10 = { c3 8b04cd44ec4200 5d c3 0544ffffff }
            // n = 5, score = 100
            //   c3                   | mov                 eax, edi
            //   8b04cd44ec4200       | pop                 edi
            //   5d                   | pop                 esi
            //   c3                   | add                 esp, 4
            //   0544ffffff           | push                eax

        $sequence_11 = { 57 4883ec20 488d0dc74a0100 e8???????? 48833d????????00 7510 488d0db14a0100 }
            // n = 7, score = 100
            //   57                   | inc                 edx
            //   4883ec20             | jmp                 0xffffffe3
            //   488d0dc74a0100       | push                edi
            //   e8????????           |                     
            //   48833d????????00     |                     
            //   7510                 | dec                 eax
            //   488d0db14a0100       | sub                 esp, 0x20

        $sequence_12 = { 0fb7da 6683fa30 0f862b010000 8b44241c 33c9 66894c4422 66895c4420 }
            // n = 7, score = 100
            //   0fb7da               | mov                 eax, edi
            //   6683fa30             | pop                 edi
            //   0f862b010000         | pop                 esi
            //   8b44241c             | push                ebx
            //   33c9                 | pop                 ebp
            //   66894c4422           | pop                 ebx
            //   66895c4420           | mov                 eax, edi

        $sequence_13 = { 885df3 8b4104 80781900 8bf9 7514 38580c }
            // n = 6, score = 100
            //   885df3               | add                 esp, 4
            //   8b4104               | push                eax
            //   80781900             | add                 esp, 4
            //   8bf9                 | add                 esp, 4
            //   7514                 | push                eax
            //   38580c               | add                 esp, 4

        $sequence_14 = { c7450800000000 e8???????? 68???????? 8d4df4 51 c745f46c924100 }
            // n = 6, score = 100
            //   c7450800000000       | mov                 dword ptr [ebp + 8], 0
            //   e8????????           |                     
            //   68????????           |                     
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   c745f46c924100       | mov                 dword ptr [ebp - 0xc], 0x41926c

        $sequence_15 = { e8???????? 03f0 56 e8???????? 83c404 c745fc00000000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   03f0                 | add                 esp, 4
            //   56                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   c745fc00000000       | lea                 eax, [ebp - 0x24]

        $sequence_16 = { 51 ff15???????? 8b55d4 8955e4 8b45d8 }
            // n = 5, score = 100
            //   51                   | add                 esp, 4
            //   ff15????????         |                     
            //   8b55d4               | add                 esp, 4
            //   8955e4               | push                eax
            //   8b45d8               | add                 esp, 4

        $sequence_17 = { 8bc1 eb0c 0fb6c9 0fbe8968004200 }
            // n = 4, score = 100
            //   8bc1                 | mov                 eax, ecx
            //   eb0c                 | jmp                 0xe
            //   0fb6c9               | movzx               ecx, cl
            //   0fbe8968004200       | movsx               ecx, byte ptr [ecx + 0x420068]

        $sequence_18 = { 8b4004 80781900 74ee 80791900 7505 8bc8 }
            // n = 6, score = 100
            //   8b4004               | push                edx
            //   80781900             | push                0
            //   74ee                 | push                0
            //   80791900             | push                0x70048
            //   7505                 | pop                 ebp
            //   8bc8                 | pop                 ebx

        $sequence_19 = { 4533c0 498bd4 33c9 c744242800000008 895c2420 ff15???????? 85c0 }
            // n = 7, score = 100
            //   4533c0               | dec                 eax
            //   498bd4               | mov                 dword ptr [ebx], eax
            //   33c9                 | dec                 eax
            //   c744242800000008     | lea                 ecx, [esp + 0x28]
            //   895c2420             | inc                 ecx
            //   ff15????????         |                     
            //   85c0                 | mov                 ebp, 8

        $sequence_20 = { 75f9 2bc2 56 57 8d7801 }
            // n = 5, score = 100
            //   75f9                 | jne                 0xfffffffb
            //   2bc2                 | sub                 eax, edx
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d7801               | lea                 edi, [eax + 1]

        $sequence_21 = { be01000000 4883630800 488d05cf450100 488903 488d4c2428 }
            // n = 5, score = 100
            //   be01000000           | je                  0x44
            //   4883630800           | dec                 eax
            //   488d05cf450100       | lea                 edx, [0x847a]
            //   488903               | dec                 eax
            //   488d4c2428           | mov                 ecx, edi

        $sequence_22 = { 48634804 488d05b0270100 48894419e8 4883c430 }
            // n = 4, score = 100
            //   48634804             | inc                 ecx
            //   488d05b0270100       | cmp                 ch, 0xfe
            //   48894419e8           | jbe                 0x19
            //   4883c430             | dec                 eax

        $sequence_23 = { 52 50 68???????? ff15???????? 8d34f5b0044200 89442420 33ff }
            // n = 7, score = 100
            //   52                   | push                edx
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   8d34f5b0044200       | lea                 esi, [esi*8 + 0x4204b0]
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   33ff                 | xor                 edi, edi

        $sequence_24 = { 7d13 4863ca 8a44191c 42888401602a0200 ffc2 ebe1 }
            // n = 6, score = 100
            //   7d13                 | jge                 0x15
            //   4863ca               | dec                 eax
            //   8a44191c             | arpl                dx, cx
            //   42888401602a0200     | mov                 al, byte ptr [ecx + ebx + 0x1c]
            //   ffc2                 | inc                 edx
            //   ebe1                 | mov                 byte ptr [ecx + eax + 0x22a60], al

        $sequence_25 = { 8d842498030000 64a300000000 8b4508 33db 89442430 }
            // n = 5, score = 100
            //   8d842498030000       | lea                 eax, [esp + 0x398]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   33db                 | xor                 ebx, ebx
            //   89442430             | mov                 dword ptr [esp + 0x30], eax

        $sequence_26 = { 3bc3 0f8476010000 68???????? 68???????? }
            // n = 4, score = 100
            //   3bc3                 | cmp                 eax, ebx
            //   0f8476010000         | je                  0x17c
            //   68????????           |                     
            //   68????????           |                     

    condition:
        7 of them and filesize < 1112064
}