There is no description at this point.
rule win_himera_loader_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.himera_loader." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.himera_loader" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 83c408 8b4dfc 6689411e 6a10 } // n = 5, score = 200 // e8???????? | // 83c408 | add esp, 8 // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 6689411e | mov word ptr [ecx + 0x1e], ax // 6a10 | push 0x10 $sequence_1 = { 64a300000000 894de0 c745dc0c000000 c645e45e c645e55d } // n = 5, score = 200 // 64a300000000 | mov dword ptr fs:[0], eax // 894de0 | mov dword ptr [ebp - 0x20], ecx // c745dc0c000000 | mov dword ptr [ebp - 0x24], 0xc // c645e45e | mov byte ptr [ebp - 0x1c], 0x5e // c645e55d | mov byte ptr [ebp - 0x1b], 0x5d $sequence_2 = { 8b4d08 0fb71401 52 e8???????? 83c408 8b4dfc 66894130 } // n = 7, score = 200 // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 0fb71401 | movzx edx, word ptr [ecx + eax] // 52 | push edx // e8???????? | // 83c408 | add esp, 8 // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 66894130 | mov word ptr [ecx + 0x30], ax $sequence_3 = { 8d85dcfdffff 50 8d8df8feffff 51 8d95f8feffff 52 8d8deffdffff } // n = 7, score = 200 // 8d85dcfdffff | lea eax, [ebp - 0x224] // 50 | push eax // 8d8df8feffff | lea ecx, [ebp - 0x108] // 51 | push ecx // 8d95f8feffff | lea edx, [ebp - 0x108] // 52 | push edx // 8d8deffdffff | lea ecx, [ebp - 0x211] $sequence_4 = { c20400 e8???????? 85c0 0f84c1510000 } // n = 4, score = 200 // c20400 | ret 4 // e8???????? | // 85c0 | test eax, eax // 0f84c1510000 | je 0x51c7 $sequence_5 = { c645eb1c c645ec2e 64a12c000000 8b08 8b15???????? 3b9104000000 7e4c } // n = 7, score = 200 // c645eb1c | mov byte ptr [ebp - 0x15], 0x1c // c645ec2e | mov byte ptr [ebp - 0x14], 0x2e // 64a12c000000 | mov eax, dword ptr fs:[0x2c] // 8b08 | mov ecx, dword ptr [eax] // 8b15???????? | // 3b9104000000 | cmp edx, dword ptr [ecx + 4] // 7e4c | jle 0x4e $sequence_6 = { 50 8d45f4 64a300000000 894de0 c745dc0a000000 c645e440 c645e55a } // n = 7, score = 200 // 50 | push eax // 8d45f4 | lea eax, [ebp - 0xc] // 64a300000000 | mov dword ptr fs:[0], eax // 894de0 | mov dword ptr [ebp - 0x20], ecx // c745dc0a000000 | mov dword ptr [ebp - 0x24], 0xa // c645e440 | mov byte ptr [ebp - 0x1c], 0x40 // c645e55a | mov byte ptr [ebp - 0x1b], 0x5a $sequence_7 = { c7459c49000000 c645a463 c645a541 c645a654 c645a747 c645a842 c645a942 } // n = 7, score = 200 // c7459c49000000 | mov dword ptr [ebp - 0x64], 0x49 // c645a463 | mov byte ptr [ebp - 0x5c], 0x63 // c645a541 | mov byte ptr [ebp - 0x5b], 0x41 // c645a654 | mov byte ptr [ebp - 0x5a], 0x54 // c645a747 | mov byte ptr [ebp - 0x59], 0x47 // c645a842 | mov byte ptr [ebp - 0x58], 0x42 // c645a942 | mov byte ptr [ebp - 0x57], 0x42 $sequence_8 = { c645e801 c645e90e c645ea18 c645eb1a c645ec00 c645ed1e c645ee2e } // n = 7, score = 200 // c645e801 | mov byte ptr [ebp - 0x18], 1 // c645e90e | mov byte ptr [ebp - 0x17], 0xe // c645ea18 | mov byte ptr [ebp - 0x16], 0x18 // c645eb1a | mov byte ptr [ebp - 0x15], 0x1a // c645ec00 | mov byte ptr [ebp - 0x14], 0 // c645ed1e | mov byte ptr [ebp - 0x13], 0x1e // c645ee2e | mov byte ptr [ebp - 0x12], 0x2e $sequence_9 = { c745fc00000000 eb09 8b45fc 83c001 8945fc 837dfc25 7321 } // n = 7, score = 200 // c745fc00000000 | mov dword ptr [ebp - 4], 0 // eb09 | jmp 0xb // 8b45fc | mov eax, dword ptr [ebp - 4] // 83c001 | add eax, 1 // 8945fc | mov dword ptr [ebp - 4], eax // 837dfc25 | cmp dword ptr [ebp - 4], 0x25 // 7321 | jae 0x23 condition: 7 of them and filesize < 385024 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY