There is no description at this point.
rule win_floki_bot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-08-17" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.4.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot" malpedia_rule_date = "20200817" malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5" malpedia_version = "20200817" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8b4714 40 894608 8b461c 2b4608 5f 894618 } // n = 7, score = 1100 // 8b4714 | mov eax, dword ptr [edi + 0x14] // 40 | inc eax // 894608 | mov dword ptr [esi + 8], eax // 8b461c | mov eax, dword ptr [esi + 0x1c] // 2b4608 | sub eax, dword ptr [esi + 8] // 5f | pop edi // 894618 | mov dword ptr [esi + 0x18], eax $sequence_1 = { 6a04 5b e8???????? 8ad8 84db 0f8403010000 f6450c08 } // n = 7, score = 1100 // 6a04 | push 4 // 5b | pop ebx // e8???????? | // 8ad8 | mov bl, al // 84db | test bl, bl // 0f8403010000 | je 0x109 // f6450c08 | test byte ptr [ebp + 0xc], 8 $sequence_2 = { bfe9fd0000 2bc3 57 e8???????? 8b4d0c 46 } // n = 6, score = 1100 // bfe9fd0000 | mov edi, 0xfde9 // 2bc3 | sub eax, ebx // 57 | push edi // e8???????? | // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] // 46 | inc esi $sequence_3 = { 895f4c e8???????? 5e 895f48 5b c3 55 } // n = 7, score = 1100 // 895f4c | mov dword ptr [edi + 0x4c], ebx // e8???????? | // 5e | pop esi // 895f48 | mov dword ptr [edi + 0x48], ebx // 5b | pop ebx // c3 | ret // 55 | push ebp $sequence_4 = { 7618 83c0fe 50 83c308 53 e8???????? 8bf0 } // n = 7, score = 1100 // 7618 | jbe 0x1a // 83c0fe | add eax, -2 // 50 | push eax // 83c308 | add ebx, 8 // 53 | push ebx // e8???????? | // 8bf0 | mov esi, eax $sequence_5 = { 0f845a010000 84c0 0f8452010000 0fb6c0 0fb6cb 6603c1 } // n = 6, score = 1100 // 0f845a010000 | je 0x160 // 84c0 | test al, al // 0f8452010000 | je 0x158 // 0fb6c0 | movzx eax, al // 0fb6cb | movzx ecx, bl // 6603c1 | add ax, cx $sequence_6 = { e8???????? 017308 8b7508 e8???????? 5f 5e } // n = 6, score = 1100 // e8???????? | // 017308 | add dword ptr [ebx + 8], esi // 8b7508 | mov esi, dword ptr [ebp + 8] // e8???????? | // 5f | pop edi // 5e | pop esi $sequence_7 = { e8???????? 8b15???????? 33c0 ff05???????? a3???????? 83faff 7422 } // n = 7, score = 1100 // e8???????? | // 8b15???????? | // 33c0 | xor eax, eax // ff05???????? | // a3???????? | // 83faff | cmp edx, -1 // 7422 | je 0x24 $sequence_8 = { e8???????? 8b7710 e8???????? 8b771c e8???????? } // n = 5, score = 1100 // e8???????? | // 8b7710 | mov esi, dword ptr [edi + 0x10] // e8???????? | // 8b771c | mov esi, dword ptr [edi + 0x1c] // e8???????? | $sequence_9 = { 8345fc04 e8???????? 8b55f0 33c9 3bc8 1bc0 f7d8 } // n = 7, score = 1100 // 8345fc04 | add dword ptr [ebp - 4], 4 // e8???????? | // 8b55f0 | mov edx, dword ptr [ebp - 0x10] // 33c9 | xor ecx, ecx // 3bc8 | cmp ecx, eax // 1bc0 | sbb eax, eax // f7d8 | neg eax condition: 7 of them and filesize < 286720 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY