There is no description at this point.
rule win_httpdropper_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.httpdropper." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8d4c243c 51 8d54241c 52 53 } // n = 5, score = 200 // 8d4c243c | lea ecx, [esp + 0x3c] // 51 | push ecx // 8d54241c | lea edx, [esp + 0x1c] // 52 | push edx // 53 | push ebx $sequence_1 = { 51 6a00 6a00 68???????? 52 c745f404000000 } // n = 6, score = 200 // 51 | push ecx // 6a00 | push 0 // 6a00 | push 0 // 68???????? | // 52 | push edx // c745f404000000 | mov dword ptr [ebp - 0xc], 4 $sequence_2 = { 7506 c60100 49 ebec 8bc3 } // n = 5, score = 200 // 7506 | jne 8 // c60100 | mov byte ptr [ecx], 0 // 49 | dec ecx // ebec | jmp 0xffffffee // 8bc3 | mov eax, ebx $sequence_3 = { e8???????? 6804010000 8d95edfdffff 6a00 52 c685ecfdffff00 } // n = 6, score = 200 // e8???????? | // 6804010000 | push 0x104 // 8d95edfdffff | lea edx, [ebp - 0x213] // 6a00 | push 0 // 52 | push edx // c685ecfdffff00 | mov byte ptr [ebp - 0x214], 0 $sequence_4 = { 7414 57 c6470300 e8???????? 83c404 } // n = 5, score = 200 // 7414 | je 0x16 // 57 | push edi // c6470300 | mov byte ptr [edi + 3], 0 // e8???????? | // 83c404 | add esp, 4 $sequence_5 = { 51 8d95ecf8ffff 68???????? 52 e8???????? 8d85f4fdffff } // n = 6, score = 200 // 51 | push ecx // 8d95ecf8ffff | lea edx, [ebp - 0x714] // 68???????? | // 52 | push edx // e8???????? | // 8d85f4fdffff | lea eax, [ebp - 0x20c] $sequence_6 = { 6802000080 ff15???????? 8b85d8fbffff 8d8ddcfbffff 51 } // n = 5, score = 200 // 6802000080 | push 0x80000002 // ff15???????? | // 8b85d8fbffff | mov eax, dword ptr [ebp - 0x428] // 8d8ddcfbffff | lea ecx, [ebp - 0x424] // 51 | push ecx $sequence_7 = { c685d4f4ffff00 e8???????? 57 68ff030000 } // n = 4, score = 200 // c685d4f4ffff00 | mov byte ptr [ebp - 0xb2c], 0 // e8???????? | // 57 | push edi // 68ff030000 | push 0x3ff $sequence_8 = { 33c0 ba01000000 f2ae 448bc2 48f7d1 48ffc9 } // n = 6, score = 100 // 33c0 | mov dword ptr [esp + 0x20], edi // ba01000000 | dec eax // f2ae | mov edi, ebx // 448bc2 | dec eax // 48f7d1 | lea esi, [ebx - 1] // 48ffc9 | repne scasb al, byte ptr es:[edi] $sequence_9 = { 48c7c102000080 4889442438 48897c2430 c74424283f000f00 897c2420 } // n = 5, score = 100 // 48c7c102000080 | lea edx, [0x20f52] // 4889442438 | dec eax // 48897c2430 | lea ecx, [esp + 0xf0] // c74424283f000f00 | dec eax // 897c2420 | mov ecx, 0x80000002 $sequence_10 = { 33d2 41b804010000 c68424f000000000 e8???????? 488d15520f0200 488d8c24f0000000 } // n = 6, score = 100 // 33d2 | xor edx, edx // 41b804010000 | inc ecx // c68424f000000000 | mov eax, 0x104 // e8???????? | // 488d15520f0200 | mov byte ptr [esp + 0xf0], 0 // 488d8c24f0000000 | dec eax $sequence_11 = { 488bfb 488d73ff f2ae 48f7d1 48ffc9 } // n = 5, score = 100 // 488bfb | dec eax // 488d73ff | mov dword ptr [esp + 0x38], eax // f2ae | dec eax // 48f7d1 | mov dword ptr [esp + 0x30], edi // 48ffc9 | mov dword ptr [esp + 0x28], 0xf003f $sequence_12 = { 0fb7cd 4889442428 6689742428 4889442430 ff15???????? 488bcf } // n = 6, score = 100 // 0fb7cd | not ecx // 4889442428 | dec eax // 6689742428 | dec ecx // 4889442430 | shr eax, 8 // ff15???????? | // 488bcf | inc ecx $sequence_13 = { e8???????? 488d8d81040000 33d2 41b87f0c0000 } // n = 4, score = 100 // e8???????? | // 488d8d81040000 | mov edx, 1 // 33d2 | repne scasb al, byte ptr es:[edi] // 41b87f0c0000 | inc esp $sequence_14 = { c1e808 418bd1 4032c7 4a0fbebc35da020000 81e2fdff0000 } // n = 5, score = 100 // c1e808 | dec eax // 418bd1 | not ecx // 4032c7 | dec eax // 4a0fbebc35da020000 | dec ecx // 81e2fdff0000 | xor eax, eax $sequence_15 = { 488d4df0 e8???????? b801000000 e9???????? } // n = 4, score = 100 // 488d4df0 | mov eax, edx // e8???????? | // b801000000 | dec eax // e9???????? | condition: 7 of them and filesize < 524288 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY