There is no description at this point.
There are currently no references.
/*
 * win_gamotrol_auto -- auto-generated code-sequence signature for win.gamotrol.
 *
 * How it matches: ten short x86 instruction sequences ($sequence_0 .. $sequence_9)
 * were lifted by yara-signator from the disassembly of memory dumps / unpacked
 * samples; the rule fires when at least 7 of the 10 are present and the scanned
 * object is smaller than 376832 bytes (368 KiB). Relocatable operands (imm32 /
 * rel32 / import thunks) are wildcarded as "????????" so a rebuilt or rebased
 * binary still matches those sequences.
 *
 * Reviewer notes for operators:
 *  - There is no PE-header check (e.g. uint16(0) == 0x5A4D). Given that the
 *    sequences come from memory dumps (see DISCLAIMER), that is presumably
 *    intentional -- headerless dumps would otherwise never match. Add such a
 *    guard only in a variant meant for on-disk files.
 *  - "filesize" applies to whatever buffer the scanner hands to YARA; check how
 *    your tooling sets it when scanning process memory rather than files.
 *  - All sequences use 32-bit register operands; do not expect them to hold for
 *    a 64-bit build of the family.
 *  - Some sequences are generic compiler output (see per-string notes). Because
 *    7 of 10 are required, those cannot trigger the rule on their own, but keep
 *    that in mind if you lower the threshold.
 *  - "score" values in the per-string comments are yara-signator's own ranking
 *    of the sequence, not a detection confidence.
 */
rule win_gamotrol_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.gamotrol."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        // Function tail (pop esi / ret) followed by the start of the next function:
        // push 4, mov eax,imm32 (wildcarded), two calls (wildcarded), push eax.
        // Generic MSVC-style shape; contributes little on its own.
        $sequence_0 = { 5e c3 6a04 b8???????? e8???????? e8???????? 50 }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   c3                   | ret
            //   6a04                 | push                4
            //   b8????????           |
            //   e8????????           |
            //   e8????????           |
            //   50                   | push                eax

        // Import call (thunk wildcarded) then argument setup: 0x4 / 0x1000 are
        // consistent with PAGE_READWRITE / MEM_COMMIT, i.e. this looks like a
        // VirtualAlloc-style call with size taken from [ebx + 0x54] -- confirm
        // against the sample before relying on that interpretation.
        $sequence_1 = { ff15???????? 8b4b54 6a04 6800100000 51 56 }
            // n = 6, score = 100
            //   ff15????????         |
            //   8b4b54               | mov                 ecx, dword ptr [ebx + 0x54]
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   51                   | push                ecx
            //   56                   | push                esi

        // nop / mov ebp,esp / test esi,esi / inc-dec ecx pair / push 0x7043 /
        // add esp,0xa: the inc+dec pair and the odd stack adjust look like
        // junk or padding instructions rather than real logic -- fairly specific.
        $sequence_2 = { 90 8bec 85f6 41 49 6843700000 83c40a }
            // n = 7, score = 100
            //   90                   | nop
            //   8bec                 | mov                 ebp, esp
            //   85f6                 | test                esi, esi
            //   41                   | inc                 ecx
            //   49                   | dec                 ecx
            //   6843700000           | push                0x7043
            //   83c40a               | add                 esp, 0xa

        // API call with two wildcarded pointer arguments, -1 and 0 as fixed
        // arguments, then the start of the next call (push 0 / push ebx).
        // Generic calling-convention shape.
        $sequence_3 = { 6aff 68???????? 68???????? 6a00 ff15???????? 6a00 53 }
            // n = 7, score = 100
            //   6aff                 | push                -1
            //   68????????           |
            //   68????????           |
            //   6a00                 | push                0
            //   ff15????????         |
            //   6a00                 | push                0
            //   53                   | push                ebx

        // Short (7 bytes): frame teardown with a nop, then push 0x103 of the
        // following code. Narrow on its own; relies on the 7-of threshold.
        $sequence_4 = { 8be5 90 5d 6803010000 }
            // n = 4, score = 100
            //   8be5                 | mov                 esp, ebp
            //   90                   | nop
            //   5d                   | pop                 ebp
            //   6803010000           | push                0x103

        // lea of a 0x4c0-byte stack buffer pushed as argument, call through esi,
        // then eax zeroed and stored at the unaligned offsets ebp-0x53 / ebp-0x4f.
        // The unaligned stores are distinctive for this build.
        $sequence_5 = { 8d9540fbffff 52 68???????? ffd6 33c0 8945ad 8945b1 }
            // n = 7, score = 100
            //   8d9540fbffff         | lea                 edx, [ebp - 0x4c0]
            //   52                   | push                edx
            //   68????????           |
            //   ffd6                 | call                esi
            //   33c0                 | xor                 eax, eax
            //   8945ad               | mov                 dword ptr [ebp - 0x53], eax
            //   8945b1               | mov                 dword ptr [ebp - 0x4f], eax

        // Stack-string construction: writes 'a' (0x61), 'g' (0x67), 'V' (0x56),
        // 'i' (0x69) into consecutive bytes at ebp-0xb1.., with a runtime value
        // (bl) interleaved. The bl bytes are matched by the 889d.. store opcode,
        // not by a character, so the full string is not recoverable from here.
        $sequence_6 = { c6854fffffff61 c68550ffffff67 889d51ffffff c68552ffffff56 c68553ffffff69 889d54ffffff }
            // n = 6, score = 100
            //   c6854fffffff61       | mov                 byte ptr [ebp - 0xb1], 0x61
            //   c68550ffffff67       | mov                 byte ptr [ebp - 0xb0], 0x67
            //   889d51ffffff         | mov                 byte ptr [ebp - 0xaf], bl
            //   c68552ffffff56       | mov                 byte ptr [ebp - 0xae], 0x56
            //   c68553ffffff69       | mov                 byte ptr [ebp - 0xad], 0x69
            //   889d54ffffff         | mov                 byte ptr [ebp - 0xac], bl

        // Two table lookups via absolute addresses (0x2eeda0, 0x2eedc0). These
        // are baked into the pattern, not wildcarded, so they appear to bind the
        // sequence to the image base of the analysed sample -- a rebased or
        // relocated build would not match this one.
        $sequence_7 = { 0fbec2 0fb680a0ed2e00 83e00f 8b4db8 6bc009 0fb68408c0ed2e00 6a08 }
            // n = 7, score = 100
            //   0fbec2               | movsx               eax, dl
            //   0fb680a0ed2e00       | movzx               eax, byte ptr [eax + 0x2eeda0]
            //   83e00f               | and                 eax, 0xf
            //   8b4db8               | mov                 ecx, dword ptr [ebp - 0x48]
            //   6bc009               | imul                eax, eax, 9
            //   0fb68408c0ed2e00     | movzx               eax, byte ptr [eax + ecx + 0x2eedc0]
            //   6a08                 | push                8

        // Indirect call through slot +4 of a vtable, epilogue, then the first
        // instruction of the next function. This is common compiler-emitted
        // code and is likely to appear in unrelated binaries.
        $sequence_8 = { 8b01 57 ff5004 5f 5e c3 8b442404 }
            // n = 7, score = 100
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   57                   | push                edi
            //   ff5004               | call                dword ptr [eax + 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c3                   | ret
            //   8b442404             | mov                 eax, dword ptr [esp + 4]

        // Short (6 bytes): dec/inc/dec ecx and nops around a frame teardown --
        // looks like the same junk-instruction style as $sequence_2.
        $sequence_9 = { 49 41 49 90 8be5 90 }
            // n = 6, score = 100
            //   49                   | dec                 ecx
            //   41                   | inc                 ecx
            //   49                   | dec                 ecx
            //   90                   | nop
            //   8be5                 | mov                 esp, ebp
            //   90                   | nop

    condition:
        // At least 7 of the 10 sequences, and the scanned object is under 368 KiB.
        // No file-type guard on purpose (see header note on memory dumps).
        7 of them and filesize < 376832
}