Actor(s): Wekby, EMISSARY PANDA
There is no description at this point.
rule win_httpbrowser_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.httpbrowser." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 56 ffb5bcfbffff ff15???????? f7d8 1bc0 f7d8 } // n = 6, score = 200 // 56 | push esi // ffb5bcfbffff | push dword ptr [ebp - 0x444] // ff15???????? | // f7d8 | neg eax // 1bc0 | sbb eax, eax // f7d8 | neg eax $sequence_1 = { 68???????? 8d85e4fbffff 50 ffd7 6a40 8d8578fbffff } // n = 6, score = 200 // 68???????? | // 8d85e4fbffff | lea eax, dword ptr [ebp - 0x41c] // 50 | push eax // ffd7 | call edi // 6a40 | push 0x40 // 8d8578fbffff | lea eax, dword ptr [ebp - 0x488] $sequence_2 = { 56 ff15???????? 83c40c 6a05 } // n = 4, score = 200 // 56 | push esi // ff15???????? | // 83c40c | add esp, 0xc // 6a05 | push 5 $sequence_3 = { 0f84c2000000 8d85ecfdffff 68???????? 50 ff15???????? 8bf8 } // n = 6, score = 200 // 0f84c2000000 | je 0xc8 // 8d85ecfdffff | lea eax, dword ptr [ebp - 0x214] // 68???????? | // 50 | push eax // ff15???????? | // 8bf8 | mov edi, eax $sequence_4 = { 50 ffd7 33c0 53 668985ecfdffff 8d85eefdffff } // n = 6, score = 200 // 50 | push eax // ffd7 | call edi // 33c0 | xor eax, eax // 53 | push ebx // 668985ecfdffff | mov word ptr [ebp - 0x214], ax // 8d85eefdffff | lea eax, dword ptr [ebp - 0x212] $sequence_5 = { 59 be???????? f3a5 66a5 33c0 } // n = 5, score = 200 // 59 | pop ecx // be???????? | // f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi] // 66a5 | movsw word ptr es:[edi], word ptr [esi] // 33c0 | xor eax, eax $sequence_6 = { ffd6 85c0 745e 39bda0feffff 7519 } // n = 5, score = 200 // ffd6 | call esi // 85c0 | test eax, eax // 745e | je 0x60 // 39bda0feffff | cmp dword ptr [ebp - 0x160], edi // 7519 | jne 0x1b $sequence_7 = { 8dbda8fcffff a5 a5 a5 a5 385d08 } // n = 6, score = 200 // 8dbda8fcffff | lea edi, dword ptr [ebp - 0x358] // a5 | movsd dword ptr es:[edi], dword ptr [esi] // a5 | movsd dword ptr es:[edi], dword ptr [esi] // a5 | movsd dword ptr es:[edi], dword ptr [esi] // a5 | movsd dword ptr es:[edi], dword ptr [esi] // 385d08 | cmp byte ptr [ebp + 8], bl $sequence_8 = { ff15???????? 6a00 6880000000 6a02 6a00 6a02 8d9514fdffff } // n = 7, score = 100 // ff15???????? | // 6a00 | push 0 // 6880000000 | push 0x80 // 6a02 | push 2 // 6a00 | push 0 // 6a02 | push 2 // 8d9514fdffff | lea edx, dword ptr [ebp - 0x2ec] $sequence_9 = { 5d 5d 9d 5d 50 55 8bec } // n = 7, score = 100 // 5d | pop ebp // 5d | pop ebp // 9d | popfd // 5d | pop ebp // 50 | push eax // 55 | push ebp // 8bec | mov ebp, esp $sequence_10 = { ff15???????? 8b7d0c 8d45ec 6a00 50 8d4df8 57 } // n = 7, score = 100 // ff15???????? | // 8b7d0c | mov edi, dword ptr [ebp + 0xc] // 8d45ec | lea eax, dword ptr [ebp - 0x14] // 6a00 | push 0 // 50 | push eax // 8d4df8 | lea ecx, dword ptr [ebp - 8] // 57 | push edi $sequence_11 = { 85d2 8955fc 0f859d000000 50 } // n = 4, score = 100 // 85d2 | test edx, edx // 8955fc | mov dword ptr [ebp - 4], edx // 0f859d000000 | jne 0xa3 // 50 | push eax $sequence_12 = { 33c0 8dbdedc7ffff c685ecc7ffff00 f3ab 8b5510 c745f000280000 } // n = 6, score = 100 // 33c0 | xor eax, eax // 8dbdedc7ffff | lea edi, dword ptr [ebp - 0x3813] // c685ecc7ffff00 | mov byte ptr [ebp - 0x3814], 0 // f3ab | rep stosd dword ptr es:[edi], eax // 8b5510 | mov edx, dword ptr [ebp + 0x10] // c745f000280000 | mov dword ptr [ebp - 0x10], 0x2800 $sequence_13 = { 5d 9d 5d 8b75ec bb01000000 56 } // n = 6, score = 100 // 5d | pop ebp // 9d | popfd // 5d | pop ebp // 8b75ec | mov esi, dword ptr [ebp - 0x14] // bb01000000 | mov ebx, 1 // 56 | push esi $sequence_14 = { ff15???????? b9ff070000 33c0 8dbda0c5ffff f3ab 66ab } // n = 6, score = 100 // ff15???????? | // b9ff070000 | mov ecx, 0x7ff // 33c0 | xor eax, eax // 8dbda0c5ffff | lea edi, dword ptr [ebp - 0x3a60] // f3ab | rep stosd dword ptr es:[edi], eax // 66ab | stosw word ptr es:[edi], ax $sequence_15 = { 5d 8b4dfc 51 52 8b5508 6aff 52 } // n = 7, score = 100 // 5d | pop ebp // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 51 | push ecx // 52 | push edx // 8b5508 | mov edx, dword ptr [ebp + 8] // 6aff | push -1 // 52 | push edx condition: 7 of them and filesize < 188416 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY