No description is available for this family at this point.
// Auto-generated code-sequence signature for the win.explosive_rat family
// (Malpedia / yara-signator). Matching is driven entirely by the ten hex
// sequences below plus the condition at the bottom; the meta block carries
// provenance only.
rule win_explosive_rat_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.explosive_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was allowed to use when picking sequences.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.explosive_rat"
        malpedia_rule_date = "20230328"
        // Malpedia library revision the rule was generated against, not a sample hash.
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Each sequence is a run of 7 consecutive x86 (32-bit) instructions taken
    // from the disassembly. "n" is the instruction count and "score" is the
    // generator's ranking value for the sequence (presumably; verify against
    // the yara-signator docs). "????????" wildcards mask the 4-byte operand of
    // a call (e8) / jmp (e9) / mov eax, imm32 (b8) so that relocations and
    // address-dependent immediates do not break the match.
    // NOTE(review): because the sequences come from memory dumps and unpacked
    // files, this rule is expected to fire on unpacked code or memory images;
    // a packed on-disk sample will most likely not match.
    strings:
        $sequence_0 = { 8d4c2440 89742458 895c2454 885c2444 e8???????? 396c2430 720d } // n = 7, score = 100
            // 8d4c2440             | lea ecx, [esp + 0x40]
            // 89742458             | mov dword ptr [esp + 0x58], esi
            // 895c2454             | mov dword ptr [esp + 0x54], ebx
            // 885c2444             | mov byte ptr [esp + 0x44], bl
            // e8????????           | (call, target wildcarded)
            // 396c2430             | cmp dword ptr [esp + 0x30], ebp
            // 720d                 | jb 0xf

        $sequence_1 = { 3bf1 7221 81b82caf0100ff7f0000 7415 81b830af010000800000 7409 5f } // n = 7, score = 100
            // 3bf1                 | cmp esi, ecx
            // 7221                 | jb 0x23
            // 81b82caf0100ff7f0000 | cmp dword ptr [eax + 0x1af2c], 0x7fff
            // 7415                 | je 0x17
            // 81b830af010000800000 | cmp dword ptr [eax + 0x1af30], 0x8000
            // 7409                 | je 0xb
            // 5f                   | pop edi

        $sequence_2 = { 33c0 8a03 8d4db0 50 e8???????? 8b4db0 8b45b4 } // n = 7, score = 100
            // 33c0                 | xor eax, eax
            // 8a03                 | mov al, byte ptr [ebx]
            // 8d4db0               | lea ecx, [ebp - 0x50]
            // 50                   | push eax
            // e8????????           | (call, target wildcarded)
            // 8b4db0               | mov ecx, dword ptr [ebp - 0x50]
            // 8b45b4               | mov eax, dword ptr [ebp - 0x4c]

        $sequence_3 = { 8d8d20ffffff e8???????? f68560ffffff01 c745fc03000000 7415 83a560fffffffe 57 } // n = 7, score = 100
            // 8d8d20ffffff         | lea ecx, [ebp - 0xe0]
            // e8????????           | (call, target wildcarded)
            // f68560ffffff01       | test byte ptr [ebp - 0xa0], 1
            // c745fc03000000       | mov dword ptr [ebp - 4], 3
            // 7415                 | je 0x17
            // 83a560fffffffe       | and dword ptr [ebp - 0xa0], 0xfffffffe
            // 57                   | push edi

        $sequence_4 = { 7303 8d45bc 8b4dcc 8d0448 3bf8 740e 6aff } // n = 7, score = 100
            // 7303                 | jae 5
            // 8d45bc               | lea eax, [ebp - 0x44]
            // 8b4dcc               | mov ecx, dword ptr [ebp - 0x34]
            // 8d0448               | lea eax, [eax + ecx*2]
            // 3bf8                 | cmp edi, eax
            // 740e                 | je 0x10
            // 6aff                 | push -1

        // NOTE(review): contains an absolute data reference (ebx + 0x45cf3c);
        // such offsets are image-layout dependent and may be the first to
        // drop out across builds.
        $sequence_5 = { e8???????? 85c0 59 59 750b 8b833ccf4500 e9???????? } // n = 7, score = 100
            // e8????????           | (call, target wildcarded)
            // 85c0                 | test eax, eax
            // 59                   | pop ecx
            // 59                   | pop ecx
            // 750b                 | jne 0xd
            // 8b833ccf4500         | mov eax, dword ptr [ebx + 0x45cf3c]
            // e9????????           | (jmp, target wildcarded)

        $sequence_6 = { eb31 81bd4cffffff00010000 752b 8b7520 85f6 895594 897d98 } // n = 7, score = 100
            // eb31                 | jmp 0x33
            // 81bd4cffffff00010000 | cmp dword ptr [ebp - 0xb4], 0x100
            // 752b                 | jne 0x2d
            // 8b7520               | mov esi, dword ptr [ebp + 0x20]
            // 85f6                 | test esi, esi
            // 895594               | mov dword ptr [ebp - 0x6c], edx
            // 897d98               | mov dword ptr [ebp - 0x68], edi

        $sequence_7 = { 83662000 5f 5e c3 b8???????? e8???????? 51 } // n = 7, score = 100
            // 83662000             | and dword ptr [esi + 0x20], 0
            // 5f                   | pop edi
            // 5e                   | pop esi
            // c3                   | ret
            // b8????????           | (mov eax, imm32; immediate wildcarded)
            // e8????????           | (call, target wildcarded)
            // 51                   | push ecx

        $sequence_8 = { f644241002 742c 8b4c2410 8b44244c 83e1fd 3bc6 894c2410 } // n = 7, score = 100
            // f644241002           | test byte ptr [esp + 0x10], 2
            // 742c                 | je 0x2e
            // 8b4c2410             | mov ecx, dword ptr [esp + 0x10]
            // 8b44244c             | mov eax, dword ptr [esp + 0x4c]
            // 83e1fd               | and ecx, 0xfffffffd
            // 3bc6                 | cmp eax, esi
            // 894c2410             | mov dword ptr [esp + 0x10], ecx

        $sequence_9 = { 8b4e10 c70100000000 8b5620 c70200000000 8b4e30 c70100000000 8b5638 } // n = 7, score = 100
            // 8b4e10               | mov ecx, dword ptr [esi + 0x10]
            // c70100000000         | mov dword ptr [ecx], 0
            // 8b5620               | mov edx, dword ptr [esi + 0x20]
            // c70200000000         | mov dword ptr [edx], 0
            // 8b4e30               | mov ecx, dword ptr [esi + 0x30]
            // c70100000000         | mov dword ptr [ecx], 0
            // 8b5638               | mov edx, dword ptr [esi + 0x38]

    // Fire when at least 7 of the 10 sequences are present. The filesize cap
    // (~835 KiB) limits scan cost and false positives on large binaries, but
    // it also means larger carriers or memory regions above that size are
    // skipped; relax it deliberately if scanning process memory dumps.
    condition:
        7 of them and filesize < 855040
}