Actor(s): Wekby, EMISSARY PANDA
There is no description at this point.
rule win_httpbrowser_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-05-16" version = "1" description = "Detects win.httpbrowser." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser" malpedia_rule_date = "20220513" malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26" malpedia_version = "20220516" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 33c0 befe010000 56 66898578fdffff 8d857afdffff } // n = 5, score = 200 // 33c0 | xor eax, eax // befe010000 | mov esi, 0x1fe // 56 | push esi // 66898578fdffff | mov word ptr [ebp - 0x288], ax // 8d857afdffff | lea eax, [ebp - 0x286] $sequence_1 = { 8365e400 53 56 8b7508 57 8d86a40e0000 } // n = 6, score = 200 // 8365e400 | and dword ptr [ebp - 0x1c], 0 // 53 | push ebx // 56 | push esi // 8b7508 | mov esi, dword ptr [ebp + 8] // 57 | push edi // 8d86a40e0000 | lea eax, [esi + 0xea4] $sequence_2 = { 53 53 53 68???????? ff15???????? 3bc3 0f847a010000 } // n = 7, score = 200 // 53 | push ebx // 53 | push ebx // 53 | push ebx // 68???????? | // ff15???????? | // 3bc3 | cmp eax, ebx // 0f847a010000 | je 0x180 $sequence_3 = { ff15???????? 83c420 391d???????? 0f8588000000 ff15???????? 6800010000 8d8ddcfdffff } // n = 7, score = 200 // ff15???????? | // 83c420 | add esp, 0x20 // 391d???????? | // 0f8588000000 | jne 0x8e // ff15???????? | // 6800010000 | push 0x100 // 8d8ddcfdffff | lea ecx, [ebp - 0x224] $sequence_4 = { 57 56 ff15???????? 68ff030000 8d85fdfbffff 6a00 50 } // n = 7, score = 200 // 57 | push edi // 56 | push esi // ff15???????? | // 68ff030000 | push 0x3ff // 8d85fdfbffff | lea eax, [ebp - 0x403] // 6a00 | push 0 // 50 | push eax $sequence_5 = { 89b5eafdffff 89b5dcfdffff c785d4fdffff03000000 ff15???????? 8d85f0fdffff } // n = 5, score = 200 // 89b5eafdffff | mov dword ptr [ebp - 0x216], esi // 89b5dcfdffff | mov dword ptr [ebp - 0x224], esi // c785d4fdffff03000000 | mov dword ptr [ebp - 0x22c], 3 // ff15???????? | // 8d85f0fdffff | lea eax, [ebp - 0x210] $sequence_6 = { 33c0 40 56 50 8985a8fbffff 6800000080 8d85ecfdffff } // n = 7, score = 200 // 33c0 | xor eax, eax // 40 | inc eax // 56 | push esi // 50 | push eax // 8985a8fbffff | mov dword ptr [ebp - 0x458], eax // 6800000080 | push 0x80000000 // 8d85ecfdffff | lea eax, [ebp - 0x214] $sequence_7 = { a1???????? 89442418 a1???????? 6800020000 89442420 8d442424 57 } // n = 7, score = 200 // a1???????? | // 89442418 | mov dword ptr [esp + 0x18], eax // a1???????? | // 6800020000 | push 0x200 // 89442420 | mov dword ptr [esp + 0x20], eax // 8d442424 | lea eax, [esp + 0x24] // 57 | push edi $sequence_8 = { 58 64a300000000 5d 5d 9d 5d b900020000 } // n = 7, score = 100 // 58 | pop eax // 64a300000000 | mov dword ptr fs:[0], eax // 5d | pop ebp // 5d | pop ebp // 9d | popfd // 5d | pop ebp // b900020000 | mov ecx, 0x200 $sequence_9 = { 7373 8bc8 8bf0 c1f905 83e61f 8d3c8d00644100 c1e603 } // n = 7, score = 100 // 7373 | jae 0x75 // 8bc8 | mov ecx, eax // 8bf0 | mov esi, eax // c1f905 | sar ecx, 5 // 83e61f | and esi, 0x1f // 8d3c8d00644100 | lea edi, [ecx*4 + 0x416400] // c1e603 | shl esi, 3 $sequence_10 = { 6689954cf7ffff f3ab 8955f8 8955fc c745d002000000 c745cc2c010000 66ab } // n = 7, score = 100 // 6689954cf7ffff | mov word ptr [ebp - 0x8b4], dx // f3ab | rep stosd dword ptr es:[edi], eax // 8955f8 | mov dword ptr [ebp - 8], edx // 8955fc | mov dword ptr [ebp - 4], edx // c745d002000000 | mov dword ptr [ebp - 0x30], 2 // c745cc2c010000 | mov dword ptr [ebp - 0x34], 0x12c // 66ab | stosw word ptr es:[edi], ax $sequence_11 = { b907000000 8d7ddc 8945d8 8945fc f3ab } // n = 5, score = 100 // b907000000 | mov ecx, 7 // 8d7ddc | lea edi, [ebp - 0x24] // 8945d8 | mov dword ptr [ebp - 0x28], eax // 8945fc | mov dword ptr [ebp - 4], eax // f3ab | rep stosd dword ptr es:[edi], eax $sequence_12 = { 58 68000000f0 6a01 52 52 8d55f8 } // n = 6, score = 100 // 58 | pop eax // 68000000f0 | push 0xf0000000 // 6a01 | push 1 // 52 | push edx // 52 | push edx // 8d55f8 | lea edx, [ebp - 8] $sequence_13 = { b8ec120000 e8???????? 53 56 57 33d2 b91f000000 } // n = 7, score = 100 // b8ec120000 | mov eax, 0x12ec // e8???????? | // 53 | push ebx // 56 | push esi // 57 | push edi // 33d2 | xor edx, edx // b91f000000 | mov ecx, 0x1f $sequence_14 = { 57 50 51 e8???????? 83c410 33c0 } // n = 6, score = 100 // 57 | push edi // 50 | push eax // 51 | push ecx // e8???????? | // 83c410 | add esp, 0x10 // 33c0 | xor eax, eax $sequence_15 = { c3 0fb6442404 8a4c240c 8488a1524100 751c } // n = 5, score = 100 // c3 | ret // 0fb6442404 | movzx eax, byte ptr [esp + 4] // 8a4c240c | mov cl, byte ptr [esp + 0xc] // 8488a1524100 | test byte ptr [eax + 0x4152a1], cl // 751c | jne 0x1e condition: 7 of them and filesize < 188416 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY