// Autogenerated YARA-Signator rule for the win.fobber family (Malpedia).
// Layout: eight higher-weighted byte sequences (score = 1100) followed by
// eight lower-weighted ones (score = 100); the condition fires when any seven
// of the sixteen sequences match in a file under 188416 bytes.
// NOTE(review): the score values are yara-signator's sequence weighting as
// emitted by the tool; their exact semantics are not visible here — consult
// the yara-signator documentation before treating them as a confidence level.
rule win_fobber_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.fobber."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // ---- score = 1100 ----------------------------------------------------
        // Sequences 0 and 1 decode to a cld / repne scasb / not ecx / dec ecx
        // pattern. NOTE(review): this reads like an inlined strlen idiom that many
        // compilers emit, so either sequence alone is weak evidence — confirm
        // against benign binaries before lowering the "7 of them" threshold.
        $sequence_0 = { fc f2ae 31c0 e303 4f 89f8 5f } // n = 7, score = 1100
            // fc     | cld
            // f2ae   | repne scasb al, byte ptr es:[edi]
            // 31c0   | xor eax, eax
            // e303   | jecxz 5
            // 4f     | dec edi
            // 89f8   | mov eax, edi
            // 5f     | pop edi
        $sequence_1 = { fc f2ae f7d1 49 89c8 } // n = 5, score = 1100
            // fc     | cld
            // f2ae   | repne scasb al, byte ptr es:[edi]
            // f7d1   | not ecx
            // 49     | dec ecx
            // 89c8   | mov eax, ecx
        // Sequences 2, 5 and 6 share a byte-wise xor/rotate/add over [edx];
        // NOTE(review): presumably a small string-decoding loop — verify in the
        // referenced sample before naming it as such in detection content.
        $sequence_2 = { 3002 c0c803 0453 42 } // n = 4, score = 1100
            // 3002   | xor byte ptr [edx], al
            // c0c803 | ror al, 3
            // 0453   | add al, 0x53
            // 42     | inc edx
        // 0x3000 equals MEM_COMMIT | MEM_RESERVE; NOTE(review): this is
        // plausibly a VirtualAlloc call site, but the call itself is not in
        // the sequence — confirm.
        $sequence_3 = { ff750c 6800300000 ff7508 6a00 } // n = 4, score = 1100
            // ff750c     | push dword ptr [ebp + 0xc]
            // 6800300000 | push 0x3000
            // ff7508     | push dword ptr [ebp + 8]
            // 6a00       | push 0
        // The "????????" bytes mask a call/data displacement that varies
        // between builds and load addresses.
        $sequence_4 = { 89e5 ff7510 ff750c ff7508 e8???????? 85c0 } // n = 6, score = 1100
            // 89e5       | mov ebp, esp
            // ff7510     | push dword ptr [ebp + 0x10]
            // ff750c     | push dword ptr [ebp + 0xc]
            // ff7508     | push dword ptr [ebp + 8]
            // e8???????? |
            // 85c0       | test eax, eax
        $sequence_5 = { 51 8b7d08 30c0 31c9 } // n = 4, score = 1100
            // 51     | push ecx
            // 8b7d08 | mov edi, dword ptr [ebp + 8]
            // 30c0   | xor al, al
            // 31c9   | xor ecx, ecx
        $sequence_6 = { 89e5 51 8b4510 8b5508 8b4d0c 3002 } // n = 6, score = 1100
            // 89e5   | mov ebp, esp
            // 51     | push ecx
            // 8b4510 | mov eax, dword ptr [ebp + 0x10]
            // 8b5508 | mov edx, dword ptr [ebp + 8]
            // 8b4d0c | mov ecx, dword ptr [ebp + 0xc]
            // 3002   | xor byte ptr [edx], al
        $sequence_7 = { 85c0 740f 89c1 8b450c fc } // n = 5, score = 1100
            // 85c0   | test eax, eax
            // 740f   | je 0x11
            // 89c1   | mov ecx, eax
            // 8b450c | mov eax, dword ptr [ebp + 0xc]
            // fc     | cld

        // ---- score = 100 -----------------------------------------------------
        $sequence_8 = { 740a 8a08 3acb 0f8592000000 47 3b7d0c } // n = 6, score = 100
            // 740a         | je 0xc
            // 8a08         | mov cl, byte ptr [eax]
            // 3acb         | cmp cl, bl
            // 0f8592000000 | jne 0x98
            // 47           | inc edi
            // 3b7d0c       | cmp edi, dword ptr [ebp + 0xc]
        $sequence_9 = { 8bec a1???????? 80383f 7414 } // n = 4, score = 100
            // 8bec       | mov ebp, esp
            // a1???????? |
            // 80383f     | cmp byte ptr [eax], 0x3f
            // 7414       | je 0x16
        $sequence_10 = { 0f846b4d0100 8d45e4 50 8d45dc } // n = 4, score = 100
            // 0f846b4d0100 | je 0x14d71
            // 8d45e4       | lea eax, dword ptr [ebp - 0x1c]
            // 50           | push eax
            // 8d45dc       | lea eax, dword ptr [ebp - 0x24]
        $sequence_11 = { 3c2b 0f8454010000 3c2d 0f844c010000 3ac3 } // n = 5, score = 100
            // 3c2b         | cmp al, 0x2b
            // 0f8454010000 | je 0x15a
            // 3c2d         | cmp al, 0x2d
            // 0f844c010000 | je 0x152
            // 3ac3         | cmp al, bl
        $sequence_12 = { 24ff 44 a0???????? bfdf021850 } // n = 4, score = 100
            // 24ff       | and al, 0xff
            // 44         | inc esp
            // a0???????? |
            // bfdf021850 | mov edi, 0x501802df
        // NOTE(review): sequences 13–15 decode to instructions that are unusual
        // in user-mode code (add byte ptr [esi - 0x7d], ah; cli; aad 0x8e). They
        // may have been lifted from non-code bytes in the dump rather than from
        // real instructions — confirm against the sample before relying on
        // them, as data-derived sequences tend to generalize poorly.
        $sequence_13 = { fe00 006683 7b02 3a750f 0fb703 } // n = 5, score = 100
            // fe00   | inc byte ptr [eax]
            // 006683 | add byte ptr [esi - 0x7d], ah
            // 7b02   | jnp 4
            // 3a750f | cmp dh, byte ptr [ebp + 0xf]
            // 0fb703 | movzx eax, word ptr [ebx]
        $sequence_14 = { fa 03740789 48 045d } // n = 4, score = 100
            // fa       | cli
            // 03740789 | add esi, dword ptr [edi + eax - 0x77]
            // 48       | dec eax
            // 045d     | add al, 0x5d
        $sequence_15 = { 724c d58e 57 33714b 8aa07b74cafc } // n = 5, score = 100
            // 724c         | jb 0x4e
            // d58e         | aad 0x8e
            // 57           | push edi
            // 33714b       | xor esi, dword ptr [ecx + 0x4b]
            // 8aa07b74cafc | mov ah, byte ptr [eax - 0x3358b85]

    condition:
        // Any seven of the sixteen sequences, in a file smaller than 188416 bytes.
        7 of them and filesize < 188416
}