win.gcleaner

GCleaner


There is no description at this point.

References
2024-03-29Github (VenzoV)VenzoV
GCleaner analysis with BinaryNinja
GCleaner
2023-07-15N1ght-W0lf BlogAbdallah Elshinbary
Deep Analysis of GCleaner
GCleaner
2022-09-26KasperskyArtem Ushkov, Haim Zigel, Oleg Kupreev
NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner Nullmixer PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-08-08Medium CSIS TechblogBenoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2021-08-28abuse.chabuse.ch
MalwareBazaar | GCleaner
GCleaner
Yara Rules
[TLP:WHITE] win_gcleaner_auto (20230808 | Detects win.gcleaner.)
rule win_gcleaner_auto {

    /* Auto-generated code-sequence signature for win.gcleaner (see the
     * DISCLAIMER below). Each $sequence_N is a short run of x86 opcode
     * bytes lifted from a disassembled sample; the annotated disassembly
     * under each pattern is documentation only and is not matched.
     * `??` wildcards mask bytes that vary between builds (call/jump
     * displacements, absolute addresses). The condition requires 7 of the
     * 10 sequences to match and caps filesize below 540672 bytes (528 KiB);
     * every sequence carries the same score (600), so no single pattern
     * is decisive on its own.
     *
     * NOTE(review): the page header lists this rule as 20230808 while the
     * meta block gives date = 2023-12-06 and malpedia_rule_date = 20231130;
     * treat the meta block as authoritative when tracking rule revisions.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.gcleaner."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Stack-address setup followed by two pushes; presumably argument
        // preparation for a call that follows outside the pattern — confirm.
        $sequence_0 = { 8d8d70feffff 8d45b0 0f4345b0 51 50 }
            // n = 5, score = 600
            //   8d8d70feffff         | lea                 ecx, [ebp - 0x190]
            //   8d45b0               | lea                 eax, [ebp - 0x50]
            //   0f4345b0             | cmovae              eax, dword ptr [ebp - 0x50]
            //   51                   | push                ecx
            //   50                   | push                eax

        // The e8???????? entry is a `call` whose rel32 target is wildcarded,
        // so it matches regardless of where the callee is placed.
        $sequence_1 = { 8bd0 c645fc04 8d4dd8 e8???????? 83c410 }
            // n = 5, score = 600
            //   8bd0                 | mov                 edx, eax
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        // Its last two instructions (eb10 8d4dc8) also open $sequence_6, so
        // the two patterns tend to fire on the same code site.
        $sequence_2 = { 660fd64010 8345e418 eb10 8d4dc8 }
            // n = 4, score = 600
            //   660fd64010           | movq                qword ptr [eax + 0x10], xmm0
            //   8345e418             | add                 dword ptr [ebp - 0x1c], 0x18
            //   eb10                 | jmp                 0x12
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]

        // Writes size 0, capacity 0xf and a zero first byte into a 0x30-byte
        // object; looks like an in-place MSVC std::string initialisation with
        // a 15-char small-string buffer — TODO confirm against the sample.
        // Its last three instructions are repeated at the start of $sequence_5.
        $sequence_3 = { 660fd64610 c742e000000000 c742e40f000000 c642d000 8b42e8 894618 }
            // n = 6, score = 600
            //   660fd64610           | movq                qword ptr [esi + 0x10], xmm0
            //   c742e000000000       | mov                 dword ptr [edx - 0x20], 0
            //   c742e40f000000       | mov                 dword ptr [edx - 0x1c], 0xf
            //   c642d000             | mov                 byte ptr [edx - 0x30], 0
            //   8b42e8               | mov                 eax, dword ptr [edx - 0x18]
            //   894618               | mov                 dword ptr [esi + 0x18], eax

        // Two wildcarded calls around a stack-address load, then two zero
        // pushes; the callees are not part of the signature.
        $sequence_4 = { e8???????? 8d8d60ffffff e8???????? 6a00 6a00 }
            // n = 5, score = 600
            //   e8????????           |                     
            //   8d8d60ffffff         | lea                 ecx, [ebp - 0xa0]
            //   e8????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0

        // Overlaps $sequence_3 (c642d000 8b42e8 894618); adds a 0x1c stride
        // on esi and a compare against edi, i.e. presumably the loop step
        // of a copy over an array of 0x1c-byte elements — confirm.
        $sequence_5 = { c642d000 8b42e8 894618 8d42ec 83c61c 3bc7 }
            // n = 6, score = 600
            //   c642d000             | mov                 byte ptr [edx - 0x30], 0
            //   8b42e8               | mov                 eax, dword ptr [edx - 0x18]
            //   894618               | mov                 dword ptr [esi + 0x18], eax
            //   8d42ec               | lea                 eax, [edx - 0x14]
            //   83c61c               | add                 esi, 0x1c
            //   3bc7                 | cmp                 eax, edi

        // Overlaps the tail of $sequence_2; very short (4 bytes fixed), so it
        // carries little weight on its own.
        $sequence_6 = { eb10 8d4dc8 51 50 }
            // n = 4, score = 600
            //   eb10                 | jmp                 0x12
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]
            //   51                   | push                ecx
            //   50                   | push                eax

        // The disassembly column is blank because the operand is wildcarded:
        // 80 35 <disp32> 2e encodes `xor byte ptr [disp32], 0x2e`. Six of them
        // back to back, gated by a `je`, look like an unrolled single-byte-key
        // decode of an embedded string — TODO confirm.
        $sequence_7 = { 7438 8035????????2e 8035????????2e 8035????????2e 8035????????2e 8035????????2e 8035????????2e }
            // n = 7, score = 600
            //   7438                 | je                  0x3a
            //   8035????????2e       |                     
            //   8035????????2e       |                     
            //   8035????????2e       |                     
            //   8035????????2e       |                     
            //   8035????????2e       |                     
            //   8035????????2e       |                     

        // cdecl call with two args (esp += 8 afterwards) followed by a sign
        // test on edi and a long forward `js`; presumably a negative
        // return/error check — confirm which call this follows.
        $sequence_8 = { 52 51 e8???????? 83c408 85ff 0f8807010000 }
            // n = 6, score = 600
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85ff                 | test                edi, edi
            //   0f8807010000         | js                  0x10d

        // Compares a length against 0x10, i.e. one past the 0xf capacity
        // seen in $sequence_3; presumably the small-string vs heap branch of
        // the same string implementation — confirm.
        $sequence_9 = { c645fc02 83fa10 722c 8b4dc8 42 8bc1 }
            // n = 6, score = 600
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   83fa10               | cmp                 edx, 0x10
            //   722c                 | jb                  0x2e
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   42                   | inc                 edx
            //   8bc1                 | mov                 eax, ecx

    condition:
        // 7 of the 10 sequences above, and a size cap of 540672 bytes (528 KiB);
        // note the size cap makes the rule miss larger (e.g. padded) builds.
        7 of them and filesize < 540672
}
[TLP:WHITE] win_gcleaner_w0   (20220922 | detects GCleaner)
rule win_gcleaner_w0 {

    /* Hand-written string signature for GCleaner, keyed on embedded HTTP
     * request headers, a command-line fragment set, analysis-tool names and
     * a group of "mix*" tokens. A PE magic check plus a high string count
     * (15 of 17) keeps the rule tight.
     */

    meta:
        author = "Johannes Bader @viql"
        date = "2022-05-29"
        version = "v1.0"
        description = "detects GCleaner"
        tlp = "TLP:WHITE"
        malpedia_family = "win.gcleaner"
        hash1_md5 = "8151e61aec021fa04bce8a30ea052e9d"
        hash1_sha1 = "4b972d2e74a286e9663d25913610b409e713befd"
        hash1_sha256 = "868fceaa4c01c2e2ceee3a27ac24ec9c16c55401a7e5a7ca05f14463f88c180f"
        hash2_md5 = "7526665a9d5d3d4b0cfffb2192c0c2b3"
        hash2_sha1 = "13bf754b44526a7a8b5b96cec0e482312c14838c"
        hash2_sha256 = "bb5cd698b03b3a47a2e55a6be3d62f3ee7c55630eb831b787e458f96aefe631b"
        hash3_md5 = "a39e68ae37310b79c72025c6dfba0a2a"
        hash3_sha1 = "ae007e61c16514a182d21ee4e802b7fcb07f3871"
        hash3_sha256 = "c5395d24c0a1302d23f95c1f95de0f662dc457ef785138b0e58b0324965c8a84"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner"
        malpedia_rule_date = "20220922"
        malpedia_hash = ""
        malpedia_version = "20220922"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Fragments of one shell command line. Read in this order they form
        // `/c taskkill /im "<exe>" /f & erase "<path>" & exit`, which
        // presumably kills and deletes a file — confirm against a sample.
        $shell_taskkill = "/c taskkill /im \""
        $shell_erase = "\" /f & erase "
        $shell_exit = "\" & exit"

        // Hard-coded HTTP request headers; the Accept-Language value prefers
        // ru-RU, which is a useful triage hint but not a strong signal alone.
        $hdr_accept = "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1"
        $hdr_accept_language = "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8"
        $hdr_accept_charset = "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1"
        $hdr_accept_encoding = "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0"

        // Names of network-analysis tools (" Far " presumably Far Manager,
        // "roxifier" the tail of Proxifier); presumably compared against
        // running processes or window titles as an anti-analysis check — confirm.
        $tool_far = " Far "
        $tool_proxifier = "roxifier"
        $tool_http_analyzer = "HTTP Analyzer"
        $tool_wireshark = "Wireshark"
        $tool_networkminer = "NetworkMiner"

        // Placeholder token; meaning not established by the rule itself.
        $placeholder_unknown = "<unknown>"

        // "mix*" tokens; purpose not documented here, kept as family markers.
        $mix_shop = "mixshop"
        $mix_two = "mixtwo"
        $mix_null = "mixnull"
        $mix_azed = "mixazed"

    condition:
        // PE/MZ magic at offset 0 (0x5A4D little-endian is "MZ"), then
        // at least 15 of the 17 strings above.
        uint16(0) == 0x5A4D and
        15 of them
}