There is no description at this point.
rule win_floxif_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.floxif." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 8945d0 837dd0ff 7514 c645b800 8d4d08 e8???????? } // n = 7, score = 100 // e8???????? | // 8945d0 | mov dword ptr [ebp - 0x30], eax // 837dd0ff | cmp dword ptr [ebp - 0x30], -1 // 7514 | jne 0x16 // c645b800 | mov byte ptr [ebp - 0x48], 0 // 8d4d08 | lea ecx, [ebp + 8] // e8???????? | $sequence_1 = { 2b4d08 c1f904 8b550c 2bd1 52 } // n = 5, score = 100 // 2b4d08 | sub ecx, dword ptr [ebp + 8] // c1f904 | sar ecx, 4 // 8b550c | mov edx, dword ptr [ebp + 0xc] // 2bd1 | sub edx, ecx // 52 | push edx $sequence_2 = { 8b4d08 c6410301 8b4508 83c004 5f 5e 5b } // n = 7, score = 100 // 8b4d08 | mov ecx, dword ptr [ebp + 8] // c6410301 | mov byte ptr [ecx + 3], 1 // 8b4508 | mov eax, dword ptr [ebp + 8] // 83c004 | add eax, 4 // 5f | pop edi // 5e | pop esi // 5b | pop ebx $sequence_3 = { e8???????? 8a4584 5f 5e } // n = 4, score = 100 // e8???????? | // 8a4584 | mov al, byte ptr [ebp - 0x7c] // 5f | pop edi // 5e | pop esi $sequence_4 = { 8b45fc 50 ff15???????? 85c0 7404 b001 eb04 } // n = 7, score = 100 // 8b45fc | mov eax, dword ptr [ebp - 4] // 50 | push eax // ff15???????? | // 85c0 | test eax, eax // 7404 | je 6 // b001 | mov al, 1 // eb04 | jmp 6 $sequence_5 = { e8???????? 68???????? e8???????? 83c404 e8???????? a2???????? c745f800000000 } // n = 7, score = 100 // e8???????? | // 68???????? | // e8???????? | // 83c404 | add esp, 4 // e8???????? | // a2???????? | // c745f800000000 | mov dword ptr [ebp - 8], 0 $sequence_6 = { a0???????? 85c0 7522 8b8d70feffff 51 8d4dc4 e8???????? } // n = 7, score = 100 // a0???????? | // 85c0 | test eax, eax // 7522 | jne 0x24 // 8b8d70feffff | mov ecx, dword ptr [ebp - 0x190] // 51 | push ecx // 8d4dc4 | lea ecx, [ebp - 0x3c] // e8???????? | $sequence_7 = { e8???????? 8d4d08 e8???????? 8be5 5d c3 55 } // n = 7, score = 100 // e8???????? | // 8d4d08 | lea ecx, [ebp + 8] // e8???????? | // 8be5 | mov esp, ebp // 5d | pop ebp // c3 | ret // 55 | push ebp $sequence_8 = { e8???????? 83ec10 8bf4 6a04 83ec10 8bcc 8d55f0 } // n = 7, score = 100 // e8???????? | // 83ec10 | sub esp, 0x10 // 8bf4 | mov esi, esp // 6a04 | push 4 // 83ec10 | sub esp, 0x10 // 8bcc | mov ecx, esp // 8d55f0 | lea edx, [ebp - 0x10] $sequence_9 = { c645ce13 c645cf0e c645d06b 8d45c0 50 e8???????? 83c404 } // n = 7, score = 100 // c645ce13 | mov byte ptr [ebp - 0x32], 0x13 // c645cf0e | mov byte ptr [ebp - 0x31], 0xe // c645d06b | mov byte ptr [ebp - 0x30], 0x6b // 8d45c0 | lea eax, [ebp - 0x40] // 50 | push eax // e8???????? | // 83c404 | add esp, 4 condition: 7 of them and filesize < 352256 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY