Actor(s): Lazarus Group
No description is available for this family yet.
rule win_ghost_secret_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.ghost_secret."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_secret"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on the string set (derived from the disassembly below):
     *  - $sequence_1..4, $sequence_7 and $sequence_8 are runs of
     *    `mov byte ptr [esp + N], imm8`, i.e. a byte buffer being filled on the
     *    stack one byte at a time. The stored values are sample-specific, so
     *    these strings are highly specific but brittle across rebuilds of the
     *    family (a recompiled or re-keyed variant will shift them).
     *  - $sequence_5 and $sequence_9 are generic function epilogue/prologue
     *    shapes (test/je/xor, pop/pop/pop, add esp/ret/sub esp) and are
     *    expected to occur in unrelated code; on their own they carry little
     *    discriminating power.
     *  - call/jmp/mov-from-absolute targets (e8, ff15, e9, a1) are wildcarded
     *    with ?? because they depend on image base and link layout.
     *  - The condition still requires 7 of the 10 strings, so the generic
     *    sequences cannot trigger the rule by themselves.
     */

    strings:
        // n = 7, score = 200
        // lea eax, [ebp - 0xed4]   push eax   call rel32 (wildcarded)
        // lea eax, [ebp - 0x4b8]   push eax   call rel32 (wildcarded)   pop ecx
        $sequence_0 = {
            8d 85 2c f1 ff ff
            50
            e8 ?? ?? ?? ??
            8d 85 48 fb ff ff
            50
            e8 ?? ?? ?? ??
            59
        }

        // n = 7, score = 200
        // mov byte ptr [esp + 0x5af..0x5b5], 0xfd 0xf6 0x93 0x38 0x32 0x48 0xe5
        $sequence_1 = {
            c6 84 24 af 05 00 00 fd
            c6 84 24 b0 05 00 00 f6
            c6 84 24 b1 05 00 00 93
            c6 84 24 b2 05 00 00 38
            c6 84 24 b3 05 00 00 32
            c6 84 24 b4 05 00 00 48
            c6 84 24 b5 05 00 00 e5
        }

        // n = 4, score = 200
        // mov byte ptr [esp + 0x2b9..0x2bc], 0x66 0x72 0x1a 0x4a
        $sequence_2 = {
            c6 84 24 b9 02 00 00 66
            c6 84 24 ba 02 00 00 72
            c6 84 24 bb 02 00 00 1a
            c6 84 24 bc 02 00 00 4a
        }

        // n = 4, score = 200
        // mov byte ptr [esp + 0x3e9..0x3ec], 0x52 0x82 0x58 0x8e
        $sequence_3 = {
            c6 84 24 e9 03 00 00 52
            c6 84 24 ea 03 00 00 82
            c6 84 24 eb 03 00 00 58
            c6 84 24 ec 03 00 00 8e
        }

        // n = 7, score = 200
        // mov byte ptr [esp + 0x33e..0x341], 0xf0 0xf2 0x3b 0xc7
        // mov byte ptr [esp + 0x554..0x556], 0xab 0x87 0xd6
        $sequence_4 = {
            c6 84 24 3e 03 00 00 f0
            c6 84 24 3f 03 00 00 f2
            c6 84 24 40 03 00 00 3b
            c6 84 24 41 03 00 00 c7
            c6 84 24 54 05 00 00 ab
            c6 84 24 55 05 00 00 87
            c6 84 24 56 05 00 00 d6
        }

        // n = 7, score = 200
        // test eax, eax   je +0xd   xor eax, eax   pop edi   pop esi   pop ebx   mov esp, ebp
        $sequence_5 = {
            85 c0
            74 0b
            33 c0
            5f
            5e
            5b
            8b e5
        }

        // n = 7, score = 200
        // call [abs32]   jmp rel32   mov eax, [abs32]   (all targets wildcarded)
        // xor ebx, ebx   cmp eax, edi   jle +0x10   push eax
        $sequence_6 = {
            ff 15 ?? ?? ?? ??
            e9 ?? ?? ?? ??
            a1 ?? ?? ?? ??
            33 db
            3b c7
            7e 0e
            50
        }

        // n = 7, score = 200
        // mov byte ptr [esp + 0x57c..0x582], 0x06 0x3e 0x12 0x53 0x92 0x42 0xe8
        $sequence_7 = {
            c6 84 24 7c 05 00 00 06
            c6 84 24 7d 05 00 00 3e
            c6 84 24 7e 05 00 00 12
            c6 84 24 7f 05 00 00 53
            c6 84 24 80 05 00 00 92
            c6 84 24 81 05 00 00 42
            c6 84 24 82 05 00 00 e8
        }

        // n = 7, score = 200
        // mov byte ptr [esp + 0x74..0x78], 0x60 0x1f 0xe7 0x8a 0xdd
        // mov byte ptr [esp + 0xf4], 0x6a   mov byte ptr [esp + 0xf5], cl
        $sequence_8 = {
            c6 44 24 74 60
            c6 44 24 75 1f
            c6 44 24 76 e7
            c6 44 24 77 8a
            c6 44 24 78 dd
            c6 84 24 f4 00 00 00 6a
            88 8c 24 f5 00 00 00
        }

        // n = 6, score = 200
        // add esp, 8   pop edi   pop esi   add esp, 0x2000   ret   sub esp, 0xfc
        $sequence_9 = {
            83 c4 08
            5f
            5e
            81 c4 00 20 00 00
            c3
            81 ec fc 00 00 00
        }

    condition:
        // Any 7 of the 10 sequences; the size cap keeps the rule off large
        // files where the generic epilogue/prologue strings would be noise.
        7 of ($sequence_*) and filesize < 278528
}