Actor(s): Sofacy
There is no description at this point.
rule win_downdelph_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.downdelph." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 8b95e0fbffff 8bc3 e8???????? } // n = 4, score = 100 // e8???????? | // 8b95e0fbffff | mov edx, dword ptr [ebp - 0x420] // 8bc3 | mov eax, ebx // e8???????? | $sequence_1 = { 33c9 ba08000000 e8???????? b834000000 e8???????? } // n = 5, score = 100 // 33c9 | xor ecx, ecx // ba08000000 | mov edx, 8 // e8???????? | // b834000000 | mov eax, 0x34 // e8???????? | $sequence_2 = { e8???????? 83c404 8b4500 e8???????? 8b5500 } // n = 5, score = 100 // e8???????? | // 83c404 | add esp, 4 // 8b4500 | mov eax, dword ptr [ebp] // e8???????? | // 8b5500 | mov edx, dword ptr [ebp] $sequence_3 = { 8d55d8 e8???????? 8b5708 88041a } // n = 4, score = 100 // 8d55d8 | lea edx, dword ptr [ebp - 0x28] // e8???????? | // 8b5708 | mov edx, dword ptr [edi + 8] // 88041a | mov byte ptr [edx + ebx], al $sequence_4 = { 33c0 8906 8d45f8 ba???????? e8???????? 6a00 6a00 } // n = 7, score = 100 // 33c0 | xor eax, eax // 8906 | mov dword ptr [esi], eax // 8d45f8 | lea eax, dword ptr [ebp - 8] // ba???????? | // e8???????? | // 6a00 | push 0 // 6a00 | push 0 $sequence_5 = { 8b55f4 e8???????? bb01000000 eb1a 8b06 } // n = 5, score = 100 // 8b55f4 | mov edx, dword ptr [ebp - 0xc] // e8???????? | // bb01000000 | mov ebx, 1 // eb1a | jmp 0x1c // 8b06 | mov eax, dword ptr [esi] $sequence_6 = { 50 8bcf 83e908 a1???????? 8b04b0 ba08000000 e8???????? } // n = 7, score = 100 // 50 | push eax // 8bcf | mov ecx, edi // 83e908 | sub ecx, 8 // a1???????? | // 8b04b0 | mov eax, dword ptr [eax + esi*4] // ba08000000 | mov edx, 8 // e8???????? | $sequence_7 = { a1???????? 8b04b0 ba08000000 e8???????? 8b45f0 50 68???????? } // n = 7, score = 100 // a1???????? | // 8b04b0 | mov eax, dword ptr [eax + esi*4] // ba08000000 | mov edx, 8 // e8???????? | // 8b45f0 | mov eax, dword ptr [ebp - 0x10] // 50 | push eax // 68???????? | $sequence_8 = { 7c1a 40 8945f8 8b03 8d04b8 8b13 } // n = 6, score = 100 // 7c1a | jl 0x1c // 40 | inc eax // 8945f8 | mov dword ptr [ebp - 8], eax // 8b03 | mov eax, dword ptr [ebx] // 8d04b8 | lea eax, dword ptr [eax + edi*4] // 8b13 | mov edx, dword ptr [ebx] $sequence_9 = { e8???????? eb01 47 8b45f4 e8???????? 3bf8 7ed8 } // n = 7, score = 100 // e8???????? | // eb01 | jmp 3 // 47 | inc edi // 8b45f4 | mov eax, dword ptr [ebp - 0xc] // e8???????? | // 3bf8 | cmp edi, eax // 7ed8 | jle 0xffffffda condition: 7 of them and filesize < 172032 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY