There is no description at this point.
rule win_gh0sttimes_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-08-05" version = "1" description = "Detects win.gh0sttimes." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes" malpedia_rule_date = "20220805" malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71" malpedia_version = "20220808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 8b4628 8b3d???????? 83c420 6a00 } // n = 5, score = 800 // e8???????? | // 8b4628 | mov eax, dword ptr [esi + 0x28] // 8b3d???????? | // 83c420 | add esp, 0x20 // 6a00 | push 0 $sequence_1 = { 8b00 ebe7 83c70c 56 8bdf e8???????? } // n = 6, score = 800 // 8b00 | mov eax, dword ptr [eax] // ebe7 | jmp 0xffffffe9 // 83c70c | add edi, 0xc // 56 | push esi // 8bdf | mov ebx, edi // e8???????? | $sequence_2 = { 50 ffd3 8b3d???????? 8d868c000000 50 } // n = 5, score = 800 // 50 | push eax // ffd3 | call ebx // 8b3d???????? | // 8d868c000000 | lea eax, [esi + 0x8c] // 50 | push eax $sequence_3 = { 83c304 83c604 81fb00010000 880439 0f8c08ffffff 8b4dfc 5f } // n = 7, score = 800 // 83c304 | add ebx, 4 // 83c604 | add esi, 4 // 81fb00010000 | cmp ebx, 0x100 // 880439 | mov byte ptr [ecx + edi], al // 0f8c08ffffff | jl 0xffffff0e // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 5f | pop edi $sequence_4 = { e8???????? 897dfc 8b5d08 8b7324 8b4e04 83c310 8d45d8 } // n = 7, score = 800 // e8???????? | // 897dfc | mov dword ptr [ebp - 4], edi // 8b5d08 | mov ebx, dword ptr [ebp + 8] // 8b7324 | mov esi, dword ptr [ebx + 0x24] // 8b4e04 | mov ecx, dword ptr [esi + 4] // 83c310 | add ebx, 0x10 // 8d45d8 | lea eax, [ebp - 0x28] $sequence_5 = { 0fb61401 0fb61c06 03d3 81e2ff000080 7908 } // n = 5, score = 800 // 0fb61401 | movzx edx, byte ptr [ecx + eax] // 0fb61c06 | movzx ebx, byte ptr [esi + eax] // 03d3 | add edx, ebx // 81e2ff000080 | and edx, 0x800000ff // 7908 | jns 0xa $sequence_6 = { 8b8d8cfeffff 8b8588feffff 894e24 6a01 8d8dabfeffff } // n = 5, score = 800 // 8b8d8cfeffff | mov ecx, dword ptr [ebp - 0x174] // 8b8588feffff | mov eax, dword ptr [ebp - 0x178] // 894e24 | mov dword ptr [esi + 0x24], ecx // 6a01 | push 1 // 8d8dabfeffff | lea ecx, [ebp - 0x155] $sequence_7 = { e9???????? 33ff 8bc6 c745f00f000000 897dec c645dc00 8d4801 } // n = 7, score = 800 // e9???????? | // 33ff | xor edi, edi // 8bc6 | mov eax, esi // c745f00f000000 | mov dword ptr [ebp - 0x10], 0xf // 897dec | mov dword ptr [ebp - 0x14], edi // c645dc00 | mov byte ptr [ebp - 0x24], 0 // 8d4801 | lea ecx, [eax + 1] $sequence_8 = { 488b4c2430 488b03 48c1e807 c1e004 } // n = 4, score = 600 // 488b4c2430 | mov eax, dword ptr [esp + 0x30] // 488b03 | dec eax // 48c1e807 | mov dword ptr [eax + 0xb58], ecx // c1e004 | dec eax $sequence_9 = { 488b4c2430 488b03 48c1e80a c1e002 } // n = 4, score = 600 // 488b4c2430 | shl eax, 4 // 488b03 | not eax // 48c1e80a | dec eax // c1e002 | mov ecx, dword ptr [esp + 0x30] $sequence_10 = { 488b4c2430 4881c1b0090000 488b442430 488988580b0000 } // n = 4, score = 600 // 488b4c2430 | mov eax, dword ptr [esp + 0x30] // 4881c1b0090000 | dec eax // 488b442430 | mov dword ptr [eax + 0xb70], ecx // 488988580b0000 | dec eax $sequence_11 = { 488b4c2430 4881c1a40a0000 488b442430 488988700b0000 } // n = 4, score = 600 // 488b4c2430 | dec eax // 4881c1a40a0000 | mov eax, dword ptr [esp + 0x40] // 488b442430 | dec eax // 488988700b0000 | mov eax, dword ptr [eax + 0x28] $sequence_12 = { 488b4c2430 4881c1bc000000 488b442430 488988400b0000 } // n = 4, score = 600 // 488b4c2430 | dec eax // 4881c1bc000000 | mov dword ptr [eax + 0xb70], ecx // 488b442430 | dec eax // 488988400b0000 | mov ecx, dword ptr [esp + 0x30] $sequence_13 = { 488b4c2430 488b03 48c1e809 c1e003 } // n = 4, score = 600 // 488b4c2430 | mov ecx, dword ptr [esp + 0x30] // 488b03 | dec eax // 48c1e809 | add ecx, 0xbc // c1e003 | dec eax $sequence_14 = { 48c7402000000000 488b442440 c7404802000000 488b442440 488b4028 } // n = 5, score = 600 // 48c7402000000000 | dec eax // 488b442440 | mov dword ptr [eax + 0x20], 0 // c7404802000000 | dec eax // 488b442440 | mov eax, dword ptr [esp + 0x40] // 488b4028 | mov dword ptr [eax + 0x48], 2 $sequence_15 = { 488b4c2430 488b03 48c1e80b 03c0 } // n = 4, score = 600 // 488b4c2430 | mov ecx, dword ptr [esp + 0x30] // 488b03 | dec eax // 48c1e80b | mov eax, dword ptr [ebx] // 03c0 | dec eax condition: 7 of them and filesize < 548864 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY