Actor(s): DragonOK, Samurai Panda
There is no description at this point.
rule win_former_first_rat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-10-07" version = "1" description = "Detects win.former_first_rat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat" malpedia_rule_date = "20211007" malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535" malpedia_version = "20211008" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8bf2 8bfb 81c208020000 b982000000 81c308020000 f3a5 } // n = 6, score = 200 // 8bf2 | test byte ptr [ebx + 0x78], 4 // 8bfb | je 0x1f // 81c208020000 | dec eax // b982000000 | mov eax, dword ptr [ebx + 0x20] // 81c308020000 | dec eax // f3a5 | mov dword ptr [eax], esi $sequence_1 = { e8???????? 83c408 85c0 7513 8b4308 50 } // n = 6, score = 200 // e8???????? | // 83c408 | mov eax, dword ptr [ebx + 0x20] // 85c0 | dec eax // 7513 | mov dword ptr [eax], esi // 8b4308 | add ecx, ebp // 50 | mov dword ptr [eax], ecx $sequence_2 = { 50 8bd6 8d8d10ffffff e8???????? 8b8d0cffffff } // n = 5, score = 200 // 50 | mov dword ptr [eax], ecx // 8bd6 | test byte ptr [ebx + 0x78], 4 // 8d8d10ffffff | je 0x1f // e8???????? | // 8b8d0cffffff | dec eax $sequence_3 = { 8b85e4eeffff 83c40c 6a00 8d8dfceeffff 51 6800100000 8d95f4efffff } // n = 7, score = 200 // 8b85e4eeffff | mov dword ptr [eax], ecx // 83c40c | dec eax // 6a00 | mov eax, dword ptr [ebx + 0x40] // 8d8dfceeffff | dec eax // 51 | cmp dword ptr [eax], 0 // 6800100000 | add ecx, edi // 8d95f4efffff | mov dword ptr [eax], ecx $sequence_4 = { c70700000000 8b3d???????? 51 ffd7 8b95f8eeffff 8b4220 50 } // n = 7, score = 200 // c70700000000 | add ecx, ebp // 8b3d???????? | // 51 | mov dword ptr [eax], ecx // ffd7 | test byte ptr [ebx + 0x78], 4 // 8b95f8eeffff | je 0x1f // 8b4220 | add ecx, ebp // 50 | mov dword ptr [eax], ecx $sequence_5 = { 89b5a8feffff 89b5acfeffff 89b5b0feffff 89b5b4feffff } // n = 4, score = 200 // 89b5a8feffff | inc ebx // 89b5acfeffff | dec esp // 89b5b0feffff | cmp ebx, ebx // 89b5b4feffff | jl 0xffffffcd $sequence_6 = { 85c0 0f8514feffff 56 ff15???????? 8b4dfc 5f } // n = 6, score = 200 // 85c0 | test byte ptr [ebx + 0x78], 4 // 0f8514feffff | je 0x1f // 56 | dec eax // ff15???????? | // 8b4dfc | mov eax, dword ptr [ebx + 0x20] // 5f | add ecx, ebp $sequence_7 = { 8bf8 8d9d10ffffff e8???????? 6800100000 } // n = 4, score = 200 // 8bf8 | dec eax // 8d9d10ffffff | mov eax, dword ptr [ebx + 0x40] // e8???????? | // 6800100000 | add ecx, edi $sequence_8 = { 03c2 83e003 3bc2 7516 418bc2 } // n = 5, score = 100 // 03c2 | mov byte ptr [ebx], dl // 83e003 | inc edx // 3bc2 | xor byte ptr [ecx + eax], dl // 7516 | inc edx // 418bc2 | mov cl, byte ptr [ecx + eax] $sequence_9 = { 03ca 0fb6c9 428a1401 4130143b } // n = 4, score = 100 // 03ca | mov dword ptr [esp + 0x68], eax // 0fb6c9 | inc ecx // 428a1401 | cmp eax, ebp // 4130143b | jb 0x55 $sequence_10 = { 03c1 89442468 413bc5 7250 } // n = 4, score = 100 // 03c1 | inc ecx // 89442468 | movzx ecx, dl // 413bc5 | inc edx // 7250 | xor dl, byte ptr [ecx + eax] $sequence_11 = { 03cf 8908 488b4340 48833800 } // n = 4, score = 100 // 03cf | inc ecx // 8908 | xor byte ptr [ebx + edi], dl // 488b4340 | add ecx, edx // 48833800 | movzx ecx, cl $sequence_12 = { 02c8 488d05f0f60100 02c9 4002ce } // n = 4, score = 100 // 02c8 | mov eax, dword ptr [ecx + 0x10] // 488d05f0f60100 | cmp dword ptr [eax + 0x94], 0 // 02c9 | add cl, al // 4002ce | dec eax $sequence_13 = { 02ca 4402d1 410fb6ca 42321401 } // n = 4, score = 100 // 02ca | dec eax // 4402d1 | cmp edi, eax // 410fb6ca | add cl, al // 42321401 | dec eax $sequence_14 = { 017130 83793005 7407 33c0 } // n = 4, score = 100 // 017130 | add dword ptr [ecx + 0x30], esi // 83793005 | cmp dword ptr [ecx + 0x30], 5 // 7407 | je 9 // 33c0 | xor eax, eax $sequence_15 = { 03cd 8908 f6437804 7417 } // n = 4, score = 100 // 03cd | jne 0x1a // 8908 | inc ecx // f6437804 | mov eax, edx // 7417 | add eax, edx condition: 7 of them and filesize < 626688 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY