There is no description at this point.
rule win_fireball_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.fireball."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Each $sequence_N is an x86 (32-bit) byte pattern taken from the unpacked
    // sample's disassembly. "????????" wildcards mask rel32 / imm32 operands
    // (call targets, push immediates) so the pattern survives relocation.
    // The disassembly listing after each pattern is informational only.
    strings:
        $sequence_0 = { 52 8bce e8???????? b101 e8???????? }
            // n = 5, score = 100
            //   52                   | push                edx
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |
            //   b101                 | mov                 cl, 1
            //   e8????????           |

        // NOTE(review): the operands below (e.g. [eax - 0x4fcf53d0]) look like
        // data bytes disassembled as instructions rather than a genuine code
        // sequence; the pattern may be less specific than the others — confirm
        // against the sample before weighting this rule.
        $sequence_1 = { 30a830ac30b0 30b830cc30e8 30f0 30f4 3010 3118 311c31 }
            // n = 7, score = 100
            //   30a830ac30b0         | xor                 byte ptr [eax - 0x4fcf53d0], ch
            //   30b830cc30e8         | xor                 byte ptr [eax - 0x17cf33d0], bh
            //   30f0                 | xor                 al, dh
            //   30f4                 | xor                 ah, dh
            //   3010                 | xor                 byte ptr [eax], dl
            //   3118                 | xor                 dword ptr [eax], ebx
            //   311c31               | xor                 dword ptr [ecx + esi], ebx

        // NOTE(review): this pattern embeds the absolute address 0x250a00
        // unmasked; it may not match an image loaded at a different base
        // (relocated / memory dump) — verify or consider wildcarding it.
        $sequence_2 = { 8b0f 8bc1 c1f805 83e11f 8b0485000a2500 c1e106 80640804fe }
            // n = 7, score = 100
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8bc1                 | mov                 eax, ecx
            //   c1f805               | sar                 eax, 5
            //   83e11f               | and                 ecx, 0x1f
            //   8b0485000a2500       | mov                 eax, dword ptr [eax*4 + 0x250a00]
            //   c1e106               | shl                 ecx, 6
            //   80640804fe           | and                 byte ptr [eax + ecx + 4], 0xfe

        $sequence_3 = { 68???????? 8d8c24a4000000 c78424b800000007000000 c78424b400000000000000 }
            // n = 4, score = 100
            //   68????????           |
            //   8d8c24a4000000       | lea                 ecx, [esp + 0xa4]
            //   c78424b800000007000000 | mov               dword ptr [esp + 0xb8], 7
            //   c78424b400000000000000 | mov               dword ptr [esp + 0xb4], 0

        $sequence_4 = { c78424a400000000000000 6689842494000000 837c247808 720c ff742464 e8???????? }
            // n = 6, score = 100
            //   c78424a400000000000000 | mov               dword ptr [esp + 0xa4], 0
            //   6689842494000000     | mov                 word ptr [esp + 0x94], ax
            //   837c247808           | cmp                 dword ptr [esp + 0x78], 8
            //   720c                 | jb                  0xe
            //   ff742464             | push                dword ptr [esp + 0x64]
            //   e8????????           |

        $sequence_5 = { 53 ff15???????? 85c0 0f85c2feffff }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   ff15????????         |
            //   85c0                 | test                eax, eax
            //   0f85c2feffff         | jne                 0xfffffec8

        $sequence_6 = { c78518f5ffff07000000 c78514f5ffff00000000 66898504f5ffff 83bdf4f5ffff08 720e }
            // n = 5, score = 100
            //   c78518f5ffff07000000 | mov                 dword ptr [ebp - 0xae8], 7
            //   c78514f5ffff00000000 | mov                 dword ptr [ebp - 0xaec], 0
            //   66898504f5ffff       | mov                 word ptr [ebp - 0xafc], ax
            //   83bdf4f5ffff08       | cmp                 dword ptr [ebp - 0xa0c], 8
            //   720e                 | jb                  0x10

        $sequence_7 = { c68558fbffff00 7504 33c9 eb12 8d8d64f9ffff }
            // n = 5, score = 100
            //   c68558fbffff00       | mov                 byte ptr [ebp - 0x4a8], 0
            //   7504                 | jne                 6
            //   33c9                 | xor                 ecx, ecx
            //   eb12                 | jmp                 0x14
            //   8d8d64f9ffff         | lea                 ecx, [ebp - 0x69c]

        $sequence_8 = { 8d442417 50 8d542434 8d8c2498000000 c744244c07000000 c744244800000000 e8???????? }
            // n = 7, score = 100
            //   8d442417             | lea                 eax, [esp + 0x17]
            //   50                   | push                eax
            //   8d542434             | lea                 edx, [esp + 0x34]
            //   8d8c2498000000       | lea                 ecx, [esp + 0x98]
            //   c744244c07000000     | mov                 dword ptr [esp + 0x4c], 7
            //   c744244800000000     | mov                 dword ptr [esp + 0x48], 0
            //   e8????????           |

        $sequence_9 = { 8bf1 c785e8fbffff00000000 e8???????? 83c40c 8d85ecfbffff 6808020000 }
            // n = 6, score = 100
            //   8bf1                 | mov                 esi, ecx
            //   c785e8fbffff00000000 | mov                 dword ptr [ebp - 0x418], 0
            //   e8????????           |
            //   83c40c               | add                 esp, 0xc
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   6808020000           | push                0x208

    // Fires when any 7 of the 10 $sequence_* patterns are present and the
    // scanned object is smaller than 335872 bytes (328 KiB). The size bound
    // applies to the file/dump being scanned; larger carriers that embed the
    // same code (e.g. installers, memory regions) would not match.
    condition:
        7 of them and filesize < 335872
}