Actor(s): Shamoon, Magic Hound, Timberworm, COBALT GIPSY
There is no description at this point.
rule win_disttrack_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.disttrack." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ff15???????? 8d45dc 50 ff15???????? 8b4ddc } // n = 5, score = 200 // ff15???????? | // 8d45dc | lea eax, dword ptr [ebp - 0x24] // 50 | push eax // ff15???????? | // 8b4ddc | mov ecx, dword ptr [ebp - 0x24] $sequence_1 = { e8???????? 6a07 e8???????? 59 c3 6a10 68???????? } // n = 7, score = 200 // e8???????? | // 6a07 | push 7 // e8???????? | // 59 | pop ecx // c3 | ret // 6a10 | push 0x10 // 68???????? | $sequence_2 = { ff15???????? 5d 5b 8bc7 5f 5e } // n = 6, score = 200 // ff15???????? | // 5d | pop ebp // 5b | pop ebx // 8bc7 | mov eax, edi // 5f | pop edi // 5e | pop esi $sequence_3 = { 83c404 50 e8???????? 83c404 68???????? ff15???????? } // n = 6, score = 200 // 83c404 | add esp, 4 // 50 | push eax // e8???????? | // 83c404 | add esp, 4 // 68???????? | // ff15???????? | $sequence_4 = { 52 6a00 6a00 6848000700 } // n = 4, score = 200 // 52 | push edx // 6a00 | push 0 // 6a00 | push 0 // 6848000700 | push 0x70048 $sequence_5 = { 58 5e 5d c3 6a0c } // n = 5, score = 200 // 58 | pop eax // 5e | pop esi // 5d | pop ebp // c3 | ret // 6a0c | push 0xc $sequence_6 = { e9???????? 8b4d48 33d2 448d4201 e8???????? 4c8d0df8b7feff } // n = 6, score = 100 // e9???????? | // 8b4d48 | mov ecx, dword ptr [esp + 0x70] // 33d2 | inc ecx // 448d4201 | mov eax, 0x12 // e8???????? | // 4c8d0df8b7feff | dec eax $sequence_7 = { 488b4c2470 488d15a3700100 ff15???????? 488b4c2470 ff15???????? } // n = 5, score = 100 // 488b4c2470 | dec eax // 488d15a3700100 | test eax, eax // ff15???????? | // 488b4c2470 | jne 0x37 // ff15???????? | $sequence_8 = { 8d3c8500864300 8b07 c1e606 f644300401 } // n = 4, score = 100 // 8d3c8500864300 | add esp, 4 // 8b07 | lea eax, dword ptr [ebp - 0x24] // c1e606 | push eax // f644300401 | mov ecx, dword ptr [ebp - 0x24] $sequence_9 = { c744242003000000 ff15???????? 4883f8ff 740d 488bc8 ff15???????? } // n = 6, score = 100 // c744242003000000 | mov dword ptr [esp + 0x20], 3 // ff15???????? | // 4883f8ff | dec eax // 740d | cmp eax, -1 // 488bc8 | je 0xf // ff15???????? | $sequence_10 = { 6685c9 75f1 8d442420 8d5002 } // n = 4, score = 100 // 6685c9 | test cx, cx // 75f1 | jne 0xfffffff3 // 8d442420 | lea eax, dword ptr [esp + 0x20] // 8d5002 | lea edx, dword ptr [eax + 2] $sequence_11 = { 8d45f3 885dec e8???????? 8a00 0430 8845ed } // n = 6, score = 100 // 8d45f3 | lea eax, dword ptr [ebp - 0xd] // 885dec | mov byte ptr [ebp - 0x14], bl // e8???????? | // 8a00 | mov al, byte ptr [eax] // 0430 | add al, 0x30 // 8845ed | mov byte ptr [ebp - 0x13], al $sequence_12 = { 6bc93c 2b4818 03480c 6bc93c 8b4010 8d54015a 69d2e8030000 } // n = 7, score = 100 // 6bc93c | dec eax // 2b4818 | mov ecx, eax // 03480c | imul ecx, ecx, 0x3c // 6bc93c | sub ecx, dword ptr [eax + 0x18] // 8b4010 | add ecx, dword ptr [eax + 0xc] // 8d54015a | imul ecx, ecx, 0x3c // 69d2e8030000 | mov eax, dword ptr [eax + 0x10] $sequence_13 = { 488d1538720000 488bce 488905???????? ff15???????? 488bc8 ff15???????? } // n = 6, score = 100 // 488d1538720000 | lea edx, dword ptr [esp + 0x58] // 488bce | dec eax // 488905???????? | // ff15???????? | // 488bc8 | mov ecx, dword ptr [esp + 0x70] // ff15???????? | $sequence_14 = { c1e106 030cb5a08d4200 eb02 8bca } // n = 4, score = 100 // c1e106 | shl ecx, 6 // 030cb5a08d4200 | add ecx, dword ptr [esi*4 + 0x428da0] // eb02 | jmp 4 // 8bca | mov ecx, edx $sequence_15 = { e8???????? 83c410 8d8424fc000000 50 } // n = 4, score = 100 // e8???????? | // 83c410 | add esp, 0x10 // 8d8424fc000000 | lea eax, dword ptr [esp + 0xfc] // 50 | push eax $sequence_16 = { 88043b 833d????????10 8b35???????? 7305 be???????? } // n = 5, score = 100 // 88043b | mov byte ptr [ebx + edi], al // 833d????????10 | // 8b35???????? | // 7305 | jae 7 // be???????? | $sequence_17 = { 488bd8 4889442458 4885c0 7532 4821442458 488d542458 } // n = 6, score = 100 // 488bd8 | lea edx, dword ptr [ecx + eax + 0x5a] // 4889442458 | imul edx, edx, 0x3e8 // 4885c0 | dec eax // 7532 | mov ebx, eax // 4821442458 | dec eax // 488d542458 | mov dword ptr [esp + 0x58], eax $sequence_18 = { e8???????? 32c0 eb43 bb01000000 391d???????? } // n = 5, score = 100 // e8???????? | // 32c0 | dec eax // eb43 | lea edx, dword ptr [0x170a3] // bb01000000 | dec eax // 391d???????? | $sequence_19 = { 8d8dd0feffff e9???????? 8b4da8 83e958 e9???????? 8b542408 8d420c } // n = 7, score = 100 // 8d8dd0feffff | lea ecx, dword ptr [ebp - 0x130] // e9???????? | // 8b4da8 | mov ecx, dword ptr [ebp - 0x58] // 83e958 | sub ecx, 0x58 // e9???????? | // 8b542408 | mov edx, dword ptr [esp + 8] // 8d420c | lea eax, dword ptr [edx + 0xc] $sequence_20 = { 83c148 51 8b4dfc e8???????? 8be5 } // n = 5, score = 100 // 83c148 | push eax // 51 | add esp, 4 // 8b4dfc | add esp, 4 // e8???????? | // 8be5 | push eax $sequence_21 = { e8???????? 41b812000000 488bd3 488d0d55b80100 } // n = 4, score = 100 // e8???????? | // 41b812000000 | dec eax // 488bd3 | and dword ptr [esp + 0x58], eax // 488d0d55b80100 | dec eax $sequence_22 = { 33c0 5d c3 8b04c57caa4100 } // n = 4, score = 100 // 33c0 | xor eax, eax // 5d | pop ebp // c3 | ret // 8b04c57caa4100 | mov eax, dword ptr [eax*8 + 0x41aa7c] $sequence_23 = { c78424a003000006000000 8b4c2434 8b5104 8d44244c 50 c7441438fcc24100 } // n = 6, score = 100 // c78424a003000006000000 | mov dword ptr [esp + 0x3a0], 6 // 8b4c2434 | mov ecx, dword ptr [esp + 0x34] // 8b5104 | mov edx, dword ptr [ecx + 4] // 8d44244c | lea eax, dword ptr [esp + 0x4c] // 50 | push eax // c7441438fcc24100 | mov dword ptr [esp + edx + 0x38], 0x41c2fc $sequence_24 = { e8???????? 50 68???????? 6a00 6a00 ff15???????? 6888130000 } // n = 7, score = 100 // e8???????? | // 50 | push eax // 68???????? | // 6a00 | push 0 // 6a00 | push 0 // ff15???????? | // 6888130000 | push 0x1388 $sequence_25 = { 8b0c8d40174200 c1e006 0fbe440104 83e040 5d } // n = 5, score = 100 // 8b0c8d40174200 | mov ecx, dword ptr [ecx*4 + 0x421740] // c1e006 | shl eax, 6 // 0fbe440104 | movsx eax, byte ptr [ecx + eax + 4] // 83e040 | and eax, 0x40 // 5d | pop ebp condition: 7 of them and filesize < 1112064 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY