There is no description at this point.
// Reviewer notes (not part of the generated rule):
//  - The rule was built from unpacked files / memory dumps (see DISCLAIMER), so it is
//    meant for unpacked or dumped code; packed on-disk samples are not expected to match.
//  - NOTE(review): `filesize` is undefined when YARA scans a live process, so the
//    `filesize < 1115136` clause is expected to make the condition fail on process
//    scans; for in-memory hunting consider a variant without it — confirm against
//    the YARA version in use.
//  - Per-sequence comments below are 64-bit decodes of each byte sequence (bytes 48/4c/
//    49/4d/41 are REX prefixes, not `dec`/`inc`). `n` is the instruction count; `score`
//    presumably grows by 100 per sample the sequence was found in — unverified.
//  - Sequences 10/11/13/18/20/22 (`mov ecx, eax; sub ecx, imm32; je …` with `jmp +0`
//    padding) read like an API-hash dispatch chain and are the most family-specific
//    looking; sequences 8 and 16 are generic epilogue / argument setup and are the
//    likeliest source of coincidental hits, which the "7 of them" threshold mitigates.
rule win_ghostemperor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.ghostemperor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Stub that restores two saved registers, pops a 0x10-byte frame and chains
        // through two RIP-relative indirect jumps (import-thunk style).
        $sequence_0 = { 4c8b1424 4c8b5c2408 4883c410 c3 ff25???????? ff25???????? }
            // n = 6, score = 300
            //   4c8b1424             | mov r10, qword ptr [rsp]
            //   4c8b5c2408           | mov r11, qword ptr [rsp + 8]
            //   4883c410             | add rsp, 0x10
            //   c3                   | ret
            //   ff25????????         | jmp qword ptr [rip + ...]
            //   ff25????????         | jmp qword ptr [rip + ...]

        // Dynamic stack allocation (rsp -= rax) with `jmp +0` padding between
        // instructions; the padding is a common obfuscation/alignment artifact.
        $sequence_1 = { 4829c4 4889e0 488908 eb00 eb00 488b00 4889c1 }
            // n = 7, score = 200
            //   4829c4               | sub rsp, rax
            //   4889e0               | mov rax, rsp
            //   488908               | mov qword ptr [rax], rcx
            //   eb00                 | jmp +0
            //   eb00                 | jmp +0
            //   488b00               | mov rax, qword ptr [rax]
            //   4889c1               | mov rcx, rax

        // Writes a NUL byte at [rbp - 0x10 + 0x17], again with `jmp +0` padding.
        $sequence_2 = { eb00 488d45f0 4883c017 eb00 eb00 c60000 eb00 }
            // n = 7, score = 200
            //   eb00                 | jmp +0
            //   488d45f0             | lea rax, [rbp - 0x10]
            //   4883c017             | add rax, 0x17
            //   eb00                 | jmp +0
            //   eb00                 | jmp +0
            //   c60000               | mov byte ptr [rax], 0
            //   eb00                 | jmp +0

        // Stack-string construction: fragments "Wo", "w", "e", "64" written as immediates.
        $sequence_3 = { c644242f65 66c7442424576f c644242677 66c74424333634 }
            // n = 4, score = 200
            //   c644242f65           | mov byte ptr [rsp + 0x2f], 0x65   ; 'e'
            //   66c7442424576f       | mov word ptr [rsp + 0x24], 0x6f57 ; "Wo"
            //   c644242677           | mov byte ptr [rsp + 0x26], 0x77   ; 'w'
            //   66c74424333634       | mov word ptr [rsp + 0x33], 0x3436 ; "64"

        // Byte-wise XOR decode of a stack buffer with single-byte key 0xca.
        $sequence_4 = { 88442441 8a442437 34ca 88442442 8a442438 }
            // n = 5, score = 200
            //   88442441             | mov byte ptr [rsp + 0x41], al
            //   8a442437             | mov al, byte ptr [rsp + 0x37]
            //   34ca                 | xor al, 0xca
            //   88442442             | mov byte ptr [rsp + 0x42], al
            //   8a442438             | mov al, byte ptr [rsp + 0x38]

        // Fills a stack structure with constants; edi is XORed with 0x514e5052
        // before being stored (key/tag meaning not visible here).
        $sequence_5 = { 4889842498010000 c78424a00100006407c336 89f8 3552504e51 898424a4010000 c78424a8010000815a9744 }
            // n = 6, score = 200
            //   4889842498010000     | mov qword ptr [rsp + 0x198], rax
            //   c78424a00100006407c336 | mov dword ptr [rsp + 0x1a0], 0x36c30764
            //   89f8                 | mov eax, edi
            //   3552504e51           | xor eax, 0x514e5052
            //   898424a4010000       | mov dword ptr [rsp + 0x1a4], eax
            //   c78424a8010000815a9744 | mov dword ptr [rsp + 0x1a8], 0x44975a81

        // Byte-wise string construction at [rbx]: 'k','e','r',_,_,'l' — consistent
        // with "kernel…" being built in place (full string not visible here).
        $sequence_6 = { c6430272 c643056c c6430165 c6036b }
            // n = 4, score = 200
            //   c6430272             | mov byte ptr [rbx + 2], 0x72 ; 'r'
            //   c643056c             | mov byte ptr [rbx + 5], 0x6c ; 'l'
            //   c6430165             | mov byte ptr [rbx + 1], 0x65 ; 'e'
            //   c6036b               | mov byte ptr [rbx], 0x6b     ; 'k'

        // Last byte of the [rbx] string, then a call followed by a 0x10-byte
        // stack allocation (same rsp -= rax idiom as sequence_1).
        $sequence_7 = { c643096c b810000000 e8???????? 4829c4 4889e6 }
            // n = 5, score = 200
            //   c643096c             | mov byte ptr [rbx + 9], 0x6c ; 'l'
            //   b810000000           | mov eax, 0x10
            //   e8????????           | call ...
            //   4829c4               | sub rsp, rax
            //   4889e6               | mov rsi, rsp

        // Generic x64 function epilogue returning 1; weak on its own.
        $sequence_8 = { b801000000 4883c428 5b 5d 5f 5e }
            // n = 6, score = 200
            //   b801000000           | mov eax, 1
            //   4883c428             | add rsp, 0x28
            //   5b                   | pop rbx
            //   5d                   | pop rbp
            //   5f                   | pop rdi
            //   5e                   | pop rsi

        // Reads a global, calls through the IAT, then sets up a call with
        // r8d = 0x200 (likely a buffer length) and r9 = [rbp + 0x158].
        $sequence_9 = { 488b05???????? 8a5008 488d4810 ff15???????? 488b4f08 4c8d8d58010000 41b800020000 }
            // n = 7, score = 100
            //   488b05????????       | mov rax, qword ptr [rip + ...]
            //   8a5008               | mov dl, byte ptr [rax + 8]
            //   488d4810             | lea rcx, [rax + 0x10]
            //   ff15????????         | call qword ptr [rip + ...]
            //   488b4f08             | mov rcx, qword ptr [rdi + 8]
            //   4c8d8d58010000       | lea r9, [rbp + 0x158]
            //   41b800020000         | mov r8d, 0x200

        // Compare-by-subtract of eax against a 32-bit constant with a `jmp +0`
        // pad; the repeated pattern across sequences 10/11/13/18/20/22 looks like
        // an API-hash dispatch chain (hash algorithm not visible in this rule).
        $sequence_10 = { 89c1 81e9dbf78dcf 0f84fa040000 eb00 }
            // n = 4, score = 100
            //   89c1                 | mov ecx, eax
            //   81e9dbf78dcf         | sub ecx, 0xcf8df7db
            //   0f84fa040000         | je +0x4fa
            //   eb00                 | jmp +0

        $sequence_11 = { 89c1 81e9db0b7c24 0f84d7040000 eb00 89c1 81e994ad3e25 }
            // n = 6, score = 100
            //   89c1                 | mov ecx, eax
            //   81e9db0b7c24         | sub ecx, 0x247c0bdb
            //   0f84d7040000         | je +0x4d7
            //   eb00                 | jmp +0
            //   89c1                 | mov ecx, eax
            //   81e994ad3e25         | sub ecx, 0x253ead94

        // Indirect call through the second pointer slot of an object ([rax + 8],
        // vtable-style), then a 16-byte copy from [r13 + 0xb8]'s target via xmm0.
        $sequence_12 = { 488b45e8 488d4de8 498b9db8000000 ff5008 0f1003 498bd5 0f1100 }
            // n = 7, score = 100
            //   488b45e8             | mov rax, qword ptr [rbp - 0x18]
            //   488d4de8             | lea rcx, [rbp - 0x18]
            //   498b9db8000000       | mov rbx, qword ptr [r13 + 0xb8]
            //   ff5008               | call qword ptr [rax + 8]
            //   0f1003               | movups xmm0, xmmword ptr [rbx]
            //   498bd5               | mov rdx, r13
            //   0f1100               | movups xmmword ptr [rax], xmm0

        $sequence_13 = { 89c1 81e9dd16eca8 0f849f090000 eb00 }
            // n = 4, score = 100
            //   89c1                 | mov ecx, eax
            //   81e9dd16eca8         | sub ecx, 0xa8ec16dd
            //   0f849f090000         | je +0x99f
            //   eb00                 | jmp +0

        // Walks a pointer chain and validates a size/length field (>= 0x48)
        // before reading a member at +0x40; the structure is not identified here.
        $sequence_14 = { 498b4108 4c8b5050 4d85d2 7412 41833a48 720c 498b4240 }
            // n = 7, score = 100
            //   498b4108             | mov rax, qword ptr [r9 + 8]
            //   4c8b5050             | mov r10, qword ptr [rax + 0x50]
            //   4d85d2               | test r10, r10
            //   7412                 | je +0x12
            //   41833a48             | cmp dword ptr [r10], 0x48
            //   720c                 | jb +0xc
            //   498b4240             | mov rax, qword ptr [r10 + 0x40]

        // Stores NTSTATUS 0xc0000001 (STATUS_UNSUCCESSFUL) into [rdx + 0x30] and
        // zeroes [rdx + 0x38]. NOTE(review): these offsets (0x30, 0x38, 0xb8) are
        // consistent with x64 IRP IoStatus.Status / IoStatus.Information /
        // CurrentStackLocation, i.e. kernel-mode code — verify before relying on it.
        $sequence_15 = { 745f 483bc1 755a 4883623800 bb010000c0 488b82b8000000 895a30 }
            // n = 7, score = 100
            //   745f                 | je +0x5f
            //   483bc1               | cmp rax, rcx
            //   755a                 | jne +0x5a
            //   4883623800           | and qword ptr [rdx + 0x38], 0
            //   bb010000c0           | mov ebx, 0xc0000001
            //   488b82b8000000       | mov rax, qword ptr [rdx + 0xb8]
            //   895a30               | mov dword ptr [rdx + 0x30], ebx

        // Generic x64 calling-convention argument setup (rcx, rdx, r8); weak on its own.
        $sequence_16 = { 7410 4c8bc7 488bd6 488bcd }
            // n = 4, score = 100
            //   7410                 | je +0x10
            //   4c8bc7               | mov r8, rdi
            //   488bd6               | mov rdx, rsi
            //   488bcd               | mov rcx, rbp

        // Stores a (rax, rdi) pair into a 16-byte-entry table indexed by rcx
        // (rcx doubled, then scaled by 8).
        $sequence_17 = { 488b8560010000 4803c9 488904ce 48897cce08 }
            // n = 4, score = 100
            //   488b8560010000       | mov rax, qword ptr [rbp + 0x160]
            //   4803c9               | add rcx, rcx
            //   488904ce             | mov qword ptr [rsi + rcx*8], rax
            //   48897cce08           | mov qword ptr [rsi + rcx*8 + 8], rdi

        $sequence_18 = { 89c1 81e9dd2a2c49 0f84df0a0000 eb00 }
            // n = 4, score = 100
            //   89c1                 | mov ecx, eax
            //   81e9dd2a2c49         | sub ecx, 0x492c2add
            //   0f84df0a0000         | je +0xadf
            //   eb00                 | jmp +0

        // Loop tail that tests a byte result, then reads a 16-bit unit from [rsi]
        // and checks for a terminating zero (wide-string iteration).
        $sequence_19 = { 84c0 0f844fffffff 0fb716 6685d2 742b }
            // n = 5, score = 100
            //   84c0                 | test al, al
            //   0f844fffffff         | je -0xb1
            //   0fb716               | movzx edx, word ptr [rsi]
            //   6685d2               | test dx, dx
            //   742b                 | je +0x2b

        $sequence_20 = { 89c1 81e9db7e3a6b 0f84b2050000 eb00 }
            // n = 4, score = 100
            //   89c1                 | mov ecx, eax
            //   81e9db7e3a6b         | sub ecx, 0x6b3a7edb
            //   0f84b2050000         | je +0x5b2
            //   eb00                 | jmp +0

        // Iterates over up to 0x80 entries of 0x100 bytes each, stopping early
        // when eax is zero.
        $sequence_21 = { 85c0 7413 ffc6 4881c700010000 81fe80000000 }
            // n = 5, score = 100
            //   85c0                 | test eax, eax
            //   7413                 | je +0x13
            //   ffc6                 | inc esi
            //   4881c700010000       | add rdi, 0x100
            //   81fe80000000         | cmp esi, 0x80

        $sequence_22 = { 89c1 81e9dbb0d5cc 0f8472050000 eb00 }
            // n = 4, score = 100
            //   89c1                 | mov ecx, eax
            //   81e9dbb0d5cc         | sub ecx, 0xccd5b0db
            //   0f8472050000         | je +0x572
            //   eb00                 | jmp +0

    condition:
        // Any 7 of the 23 sequences; the size cap (1115136 = 0x110400 bytes) limits
        // scan cost on large files and, as noted above, also excludes process scans.
        7 of them and filesize < 1115136
}