There is no description at this point.
rule win_ghostemperor_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.ghostemperor." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { b801000000 4883c428 5b 5d 5f 5e } // n = 6, score = 200 // b801000000 | mov dword ptr [esi + 8], 0 // 4883c428 | mov dword ptr [esi + 0x10], 0 // 5b | test edi, edi // 5d | je 0x1b // 5f | dec eax // 5e | mov ecx, esi $sequence_1 = { 31d2 41b801000000 4531c9 ff15???????? } // n = 4, score = 200 // 31d2 | inc ecx // 41b801000000 | shr edx, 3 // 4531c9 | inc ecx // ff15???????? | $sequence_2 = { 41c1ea03 4183e007 4585d2 0f84b9000000 } // n = 4, score = 200 // 41c1ea03 | ret // 4183e007 | dec eax // 4585d2 | test ecx, ecx // 0f84b9000000 | je 0xf $sequence_3 = { 8b5b10 4885db 7431 c7471800000000 89d9 } // n = 5, score = 200 // 8b5b10 | dec eax // 4885db | mov dword ptr [esi + 8], 0 // 7431 | dec ecx // c7471800000000 | mov ecx, ecx // 89d9 | dec eax $sequence_4 = { e8???????? 48c7470800000000 c7471000000000 4c8d7e18 4c89f9 ff15???????? 448b4648 } // n = 7, score = 200 // e8???????? | // 48c7470800000000 | mov eax, edx // c7471000000000 | inc ebp // 4c8d7e18 | lea ebx, [edx - 1] // 4c89f9 | inc ecx // ff15???????? | // 448b4648 | test dl, 3 $sequence_5 = { 4885c9 740d e8???????? 48c7460800000000 } // n = 4, score = 200 // 4885c9 | dec eax // 740d | lea eax, [0x5457] // e8???????? | // 48c7460800000000 | dec eax $sequence_6 = { 4989c9 4889d0 458d5aff 41f6c203 7427 4489d1 83e103 } // n = 7, score = 200 // 4989c9 | mov ebx, ecx // 4889d0 | dec eax // 458d5aff | mov dword ptr [ecx], eax // 41f6c203 | dec eax // 7427 | lea ecx, [ebp + 0x72] // 4489d1 | inc ecx // 83e103 | mov edi, 2 $sequence_7 = { 4883c410 c3 ff25???????? ff25???????? ff25???????? ff25???????? ff25???????? } // n = 7, score = 200 // 4883c410 | dec eax // c3 | mov edx, ebp // ff25???????? | // ff25???????? | // ff25???????? | // ff25???????? | // ff25???????? | $sequence_8 = { 4889c1 4863c6 488d0440 48c1e004 4801c8 eb02 31c0 } // n = 7, score = 200 // 4889c1 | dec eax // 4863c6 | sub eax, ecx // 488d0440 | movzx edx, word ptr [edi] // 48c1e004 | dec eax // 4801c8 | add esp, 0x10 // eb02 | ret // 31c0 | dec esp $sequence_9 = { 31f6 31d2 660f1f440000 488b3cf0 49313cf1 } // n = 5, score = 200 // 31f6 | je 0x34 // 31d2 | inc esp // 660f1f440000 | mov ecx, edx // 488b3cf0 | and ecx, 3 // 49313cf1 | dec eax $sequence_10 = { c74424504900df00 c744245436004d00 c74424586b007100 c744245cf5003400 } // n = 4, score = 100 // c74424504900df00 | mov ebp, edx // c744245436004d00 | mov esi, 0x208 // c74424586b007100 | mov ecx, esi // c744245cf5003400 | mov dword ptr [esp + 0x50], 0xdf0049 $sequence_11 = { 0f8883020000 33d2 c78594000000f1008500 c78598000000a8003f00 448d630e c7859c000000f7003100 } // n = 6, score = 100 // 0f8883020000 | mov dword ptr [esp + 0x54], 0x4d0036 // 33d2 | mov dword ptr [esp + 0x58], 0x71006b // c78594000000f1008500 | mov dword ptr [esp + 0x5c], 0x3400f5 // c78598000000a8003f00 | js 0x289 // 448d630e | xor edx, edx // c7859c000000f7003100 | mov dword ptr [ebp + 0x94], 0x8500f1 $sequence_12 = { 01c1 89ca c1ea1f c1f904 } // n = 4, score = 100 // 01c1 | mov eax, dword ptr [ebp + 0x2b0] // 89ca | dec eax // c1ea1f | mov eax, dword ptr [ebp + 0x2b0] // c1f904 | dec eax $sequence_13 = { 488d4dd0 48895dd8 895de0 4c8bea e8???????? be08020000 8bce } // n = 7, score = 100 // 488d4dd0 | dec eax // 48895dd8 | lea ecx, [ebp - 0x30] // 895de0 | dec eax // 4c8bea | mov dword ptr [ebp - 0x28], ebx // e8???????? | // be08020000 | mov dword ptr [ebp - 0x20], ebx // 8bce | dec esp $sequence_14 = { 00c2 488b8568020000 8854080c 488b85b0020000 } // n = 4, score = 100 // 00c2 | xor dword ptr [ecx + esi*8], edi // 488b8568020000 | mov cl, byte ptr [eax + 4] // 8854080c | inc ecx // 488b85b0020000 | xor byte ptr [ecx + 4], cl $sequence_15 = { 00c1 488b8568020000 488b95b0020000 884c100c 488b85b0020000 488b85b0020000 488b85b0020000 } // n = 7, score = 100 // 00c1 | and eax, 7 // 488b8568020000 | inc ebp // 488b95b0020000 | test edx, edx // 884c100c | je 0xca // 488b85b0020000 | mov ebx, dword ptr [ebx + 0x10] // 488b85b0020000 | dec eax // 488b85b0020000 | test ebx, ebx $sequence_16 = { 85c0 7417 418bce 448bc7 48034e08 488bd5 e8???????? } // n = 7, score = 100 // 85c0 | dec ebp // 7417 | mov ebx, dword ptr [edx + 0x10] // 418bce | dec ebp // 448bc7 | test ebx, ebx // 48034e08 | je 0xb // 488bd5 | dec eax // e8???????? | $sequence_17 = { 7212 4d8b5a10 4d85db 7409 48895c2448 5b } // n = 6, score = 100 // 7212 | ret // 4d8b5a10 | or eax, 0xffffffff // 4d85db | jmp 0xfffffff7 // 7409 | mov eax, 1 // 48895c2448 | jmp 0xfffffff7 // 5b | jb 0x14 $sequence_18 = { 01c3 69cbe8030000 81c130750000 4883ec20 } // n = 4, score = 100 // 01c3 | or ecx, 1 // 69cbe8030000 | add cl, al // 81c130750000 | dec eax // 4883ec20 | mov eax, dword ptr [ebp + 0x268] $sequence_19 = { 01d1 89ca c1e205 89cb } // n = 4, score = 100 // 01d1 | dec eax // 89ca | mov dword ptr [ebp + 0xc8], eax // c1e205 | mov eax, dword ptr [ebp + 0x2c8] // 89cb | add dl, al $sequence_20 = { 7449 8b5c2448 488bc7 d1eb ffcb } // n = 5, score = 100 // 7449 | mov dword ptr [ebp + 0x98], 0x3f00a8 // 8b5c2448 | inc esp // 488bc7 | lea esp, [ebx + 0xe] // d1eb | mov dword ptr [ebp + 0x9c], 0x3100f7 // ffcb | je 0x4b $sequence_21 = { 48895c2408 57 4883ec20 488d0557540000 488bd9 488901 } // n = 6, score = 100 // 48895c2408 | mov dword ptr [esp + 0x48], ebx // 57 | pop ebx // 4883ec20 | test eax, eax // 488d0557540000 | je 0x19 // 488bd9 | inc ecx // 488901 | mov ecx, esi $sequence_22 = { c3 83c8ff ebf5 b801000000 ebee } // n = 5, score = 100 // c3 | mov ebx, dword ptr [esp + 0x48] // 83c8ff | dec eax // ebf5 | mov eax, edi // b801000000 | shr ebx, 1 // ebee | dec ebx condition: 7 of them and filesize < 1115136 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY