There is no description at this point.
/*
 * YARA rule for the win.httpdropper family, generated by yara-signator from
 * Malpedia samples. The rule matches on opcode byte sequences only; it carries
 * no PE-magic or header check, so it is intended for unpacked files and memory
 * dumps (see the DISCLAIMER below). The `condition` requires 7 of the 16 byte
 * sequences to be present and the scanned object to be smaller than
 * 524288 bytes (512 KiB); larger objects will not match regardless of content.
 */
rule win_httpdropper_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.httpdropper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

        /* DISCLAIMER
         * The strings used in this rule have been automatically selected from the
         * disassembly of memory dumps and unpacked files, using YARA-Signator.
         * The code and documentation is published here:
         * https://github.com/fxb-cocacoding/yara-signator
         * As Malpedia is used as data source, please note that for a given
         * number of families, only single samples are documented.
         * This likely impacts the degree of generalization these rules will offer.
         * Take the described generation method also into consideration when you
         * apply the rules in your use cases and assign them confidence levels.
         */

    strings:
        // Each `$sequence_N` is a run of consecutive instruction encodings taken
        // from the sample; `??` wildcards mask bytes that vary between builds
        // (here the 4-byte operands of cmp/call/jmp with relocated addresses).
        // In the trailing `// n = X, score = Y` annotation, `n` is the number of
        // instructions in the sequence; `score` is a generator-assigned weight
        // whose exact meaning is not documented in this rule.
        //
        // NOTE(review): the per-instruction `// <bytes> | <mnemonic>` comments
        // below are generator output and, for several sequences, do not match
        // the bytes they are attached to. Example: `01 4b 18` encodes
        // `add dword ptr [ebx + 0x18], ecx`, but $sequence_0 labels it
        // "add ecx, ebx" (the correct text appears under $sequence_2 instead).
        // Decode the hex bytes yourself before relying on these annotations.
        // Sequences 8-15 start several instructions with 0x48/0x45 bytes, which
        // are REX prefixes in 64-bit code; the annotations render them as the
        // 32-bit decodes ("dec eax", "inc ebp"), so they presumably came from a
        // 32-bit disassembly of a 64-bit sample — confirm against the source.
        $sequence_0 = { 014b18 c7437c00000000 897b70 85c0 0f85b4010000 } // n = 5, score = 200
            // 014b18 | add ecx, ebx
            // c7437c00000000 | imul ecx, ecx, 0xea60
            // 897b70 | inc esi
            // 85c0 | add edx, eax
            // 0f85b4010000 | movzx eax, word ptr [esp + 0x22]

        $sequence_1 = { 0110 80aa0110a4aa01 1023 d18a0688078a 46 } // n = 5, score = 200
            // 0110 | cmp edi, 0x194
            // 80aa0110a4aa01 | jne 0x25
            // 1023 | add ecx, ecx
            // d18a0688078a | sub ebx, ecx
            // 46 | cmp edi, 0x194

        $sequence_2 = { 018614400000 8b8614400000 c68430142000000d ff8614400000 } // n = 4, score = 200
            // 018614400000 | test esi, esi
            // 8b8614400000 | add dword ptr [ebx + 0x18], ecx
            // c68430142000000d | mov dword ptr [ebx + 0x7c], 0
            // ff8614400000 | mov dword ptr [ebx + 0x70], edi

        $sequence_3 = { 018610200000 8d5e10 8d9b00000000 8b9610200000 } // n = 4, score = 200
            // 018610200000 | mov ebx, 0x40
            // 8d5e10 | sub ebx, ecx
            // 8d9b00000000 | cmp edi, ebx
            // 8b9610200000 | jb 0x62

        $sequence_4 = { 014614 bb40000000 2bd9 3bfb 7254 } // n = 5, score = 200
            // 014614 | add ecx, ebx
            // bb40000000 | imul ecx, ecx, 0xea60
            // 2bd9 | add ecx, ebx
            // 3bfb | imul ecx, ecx, 0xea60
            // 7254 | add ecx, ebx

        $sequence_5 = { 017df8 83f93d 7471 83f920 7505 b92b000000 0fbf0c4d20a80310 } // n = 7, score = 200
            // 017df8 | add dword ptr [eax + 0x468a0147], ecx
            // 83f93d | add dword ptr [esi + 0x14], eax
            // 7471 | mov ebx, 0x40
            // 83f920 | sub ebx, ecx
            // 7505 | cmp edi, ebx
            // b92b000000 | jb 0x62
            // 0fbf0c4d20a80310 | add dword ptr [esi + 0x14], eax

        $sequence_6 = { 89848dc0deffff 41 803f00 7416 c60700 8a4701 47 } // n = 7, score = 200
            // 89848dc0deffff | mov eax, 0x4849
            // 41 | add ecx, ecx
            // 803f00 | sub ebx, ecx
            // 7416 | cmp edi, 0x194
            // c60700 | jne 0x25
            // 8a4701 | add ecx, ecx
            // 47 | sub ebx, ecx

        $sequence_7 = { 015dfc 83c204 81fa???????? 7cb7 3d00010000 740a c786a4af060078420310 } // n = 7, score = 200
            // 015dfc | inc esi
            // 83c204 | add dword ptr [eax], edx
            // 81fa???????? |
            // 7cb7 | sub byte ptr [edx - 0x555befff], 1
            // 3d00010000 | adc byte ptr [ebx], ah
            // 740a | ror dword ptr [edx - 0x75f877fa], 1
            // c786a4af060078420310 | inc esi

        $sequence_8 = { 014e28 48c786a800000000000000 899698000000 85c0 } // n = 4, score = 100
            // 014e28 | add dword ptr [esi + 0x28], ecx
            // 48c786a800000000000000 | dec eax
            // 899698000000 | mov dword ptr [esi + 0xa8], 0
            // 85c0 | mov dword ptr [esi + 0x98], edx

        $sequence_9 = { 03742478 488d442478 4533c9 4533c0 } // n = 4, score = 100
            // 03742478 | add dword ptr [ebx + 0x1af70], ecx
            // 488d442478 | mov edx, dword ptr [ebx + 0x1af70]
            // 4533c9 | dec eax
            // 4533c0 | lea ecx, [0x16f8e]

        $sequence_10 = { 03cb 69c960ea0000 ff15???????? e9???????? } // n = 4, score = 100
            // 03cb | inc ebp
            // 69c960ea0000 | xor eax, eax
            // ff15???????? |
            // e9???????? |

        $sequence_11 = { 018b70af0100 8b9370af0100 488d0d8e6f0100 e8???????? } // n = 4, score = 100
            // 018b70af0100 | add dword ptr [ebx + 0x4018], ecx
            // 8b9370af0100 | mov eax, dword ptr [ebx + 0x4018]
            // 488d0d8e6f0100 | dec eax
            // e8???????? |

        $sequence_12 = { 039c2488000000 488d842488000000 c744243080000000 4533c9 } // n = 4, score = 100
            // 039c2488000000 | dec eax
            // 488d842488000000 | lea eax, [esp + 0x78]
            // c744243080000000 | inc ebp
            // 4533c9 | xor ecx, ecx

        $sequence_13 = { 018b18400000 8b8318400000 488d8b20400000 c68418182000000d } // n = 4, score = 100
            // 018b18400000 | test eax, eax
            // 8b8318400000 | jne 0x173
            // 488d8b20400000 | test edi, edi
            // c68418182000000d | jne 0xfffffc6e

        $sequence_14 = { 03c9 2bd9 81ff94010000 7519 } // n = 4, score = 100
            // 03c9 | mov dword ptr [esp + 0x28], eax
            // 2bd9 | add ebx, dword ptr [esp + 0x88]
            // 81ff94010000 | dec eax
            // 7519 | lea eax, [esp + 0x88]

        $sequence_15 = { 03c8 85db 740e 3bd9 } // n = 4, score = 100
            // 03c8 | xor ecx, ecx
            // 85db | inc ebp
            // 740e | xor eax, eax
            // 3bd9 | dec eax

    condition:
        // Any 7 of the 16 sequences, in any order; `filesize` is the size of the
        // scanned data, so a memory region or file at or above 512 KiB is
        // excluded even if every sequence is present.
        7 of them and filesize < 524288
}