A ransomware that emerged in April 2022.
// Autogenerated YARA rule for the win.industrial_spy family (Malpedia).
// Detection logic: ten byte sequences ($sequence_0 .. $sequence_9) lifted
// from the disassembly of memory dumps / unpacked samples; the rule fires
// when at least 7 of them match in a file smaller than 339968 bytes.
// NOTE(review): because the sequences were selected from memory dumps and
// unpacked files (see the disclaimer in meta), packed on-disk samples may
// not match — evaluate against unpacked or in-memory content and assign
// confidence accordingly.
// NOTE(review): the per-opcode disassembly annotations below appear to be
// shifted relative to the hex bytes they annotate (e.g. `33d2` is listed as
// `dec eax`, and every `ff15????????` indirect-call entry, whose rip-relative
// displacement is wildcarded, carries no annotation at all); treat the hex
// bytes as authoritative and re-disassemble before relying on the text.
rule win_industrial_spy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.industrial_spy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industrial_spy"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is a run of raw opcode bytes; "n" is the number of
        // instructions in the run, "score" the generator's per-sequence score.
        // "??" bytes are wildcards masking address/displacement operands.
        $sequence_0 = { 4403d1 4133c2 4133c1 0345c8 4403c0 8bc1 }
            // n = 6, score = 100
            //   4403d1               | lea                 ecx, [ebx + 0x242070db]
            //   4133c2               | not                 ecx
            //   4133c1               | dec                 ecx
            //   0345c8               | sub                 ecx, 4
            //   4403c0               | inc                 ecx
            //   8bc1                 | sub                 eax, 1

        $sequence_1 = { 33d2 410fb70451 66890451 48ffc2 6685c0 75ef 48ffc3 }
            // n = 7, score = 100
            //   33d2                 | dec                 eax
            //   410fb70451           | sub                 edi, ecx
            //   66890451             | inc                 ebp
            //   48ffc2               | mov                 ecx, ecx
            //   6685c0               | mov                 edx, dword ptr [edi + ebx]
            //   75ef                 | inc                 ecx
            //   48ffc3               | mov                 ecx, ebx

        $sequence_2 = { 4533c9 4889442428 4533c0 33d2 4c89642420 488bcb }
            // n = 6, score = 100
            //   4533c9               | mov                 ecx, esi
            //   4889442428           | test                eax, eax
            //   4533c0               | jne                 0xa18
            //   33d2                 | dec                 esp
            //   4c89642420           | lea                 eax, [0x9c1b]
            //   488bcb               | dec                 eax

        $sequence_3 = { 0f872f010000 ff15???????? 41b80a020000 418bd6 488bc8 ff15???????? 4c8d8d600d0000 }
            // n = 7, score = 100
            //   0f872f010000         | mov                 dword ptr [esp + 0x20], esi
            //   ff15????????         |
            //   41b80a020000         | dec                 eax
            //   418bd6               | mov                 edx, edi
            //   488bc8               | dec                 eax
            //   ff15????????         |
            //   4c8d8d600d0000       | lea                 ecx, [esp + 0x140]

        $sequence_4 = { f20f59ee f20f5ce9 f2410f1004c1 488d15e6a00000 f20f1014c2 f20f1025???????? f20f59e6 }
            // n = 7, score = 100
            //   f20f59ee             | lea                 ecx, [esp + 0x50]
            //   f20f5ce9             | dec                 eax
            //   f2410f1004c1         | and                 dword ptr [esp + 0x20], 0
            //   488d15e6a00000       | xor                 edx, edx
            //   f20f1014c2           | dec                 eax
            //   f20f1025????????     |
            //   f20f59e6             | lea                 ecx, [ebp + 0x19f0]

        $sequence_5 = { 7409 03ca d1e8 83f920 72f3 41bc20000000 }
            // n = 6, score = 100
            //   7409                 | dec                 esp
            //   03ca                 | mov                 eax, edi
            //   d1e8                 | movups              xmmword ptr [esp + 0x268], xmm0
            //   83f920               | movsd               qword ptr [esp + 0x278], xmm0
            //   72f3                 | movups              xmmword ptr [esp + 0x228], xmm1
            //   41bc20000000         | movups              xmmword ptr [esp + 0x2a8], xmm0

        $sequence_6 = { 0fb68c2490000000 4c8d0531b90000 4803da 4883f101 4803d9 482bfb 488bcb }
            // n = 7, score = 100
            //   0fb68c2490000000     | inc                 ecx
            //   4c8d0531b90000       | add                 eax, ebp
            //   4803da               | inc                 ebp
            //   4883f101             | add                 edx, ecx
            //   4803d9               | inc                 ecx
            //   482bfb               | xor                 eax, edx
            //   488bcb               | add                 eax, dword ptr [ebp - 0x40]

        $sequence_7 = { 44897c2424 0f8878020000 488d542460 4963c7 }
            // n = 4, score = 100
            //   44897c2424           | inc                 esp
            //   0f8878020000         | mov                 eax, eax
            //   488d542460           | mov                 ecx, eax
            //   4963c7               | inc                 ecx

        $sequence_8 = { ff15???????? 488bc8 be00000100 448bc6 bb08000000 8bd3 ff15???????? }
            // n = 7, score = 100
            //   ff15????????         |
            //   488bc8               | cmp                 edx, esi
            //   be00000100           | seta                cl
            //   448bc6               | sub                 edx, dword ptr [esp + 0x50]
            //   bb08000000           | or                  eax, 0xffffffff
            //   8bd3                 | inc                 edx
            //   ff15????????         |

        $sequence_9 = { 418bc2 334704 448bc0 8bc8 48c1e810 83e03f 41c1c904 }
            // n = 7, score = 100
            //   418bc2               | dec                 eax
            //   334704               | lea                 ecx, [ebp + 0x40]
            //   448bc0               | dec                 eax
            //   8bc8                 | lea                 edx, [ebx + 0x80]
            //   48c1e810             | dec                 eax
            //   83e03f               | lea                 ecx, [ebp + 0x40]
            //   41c1c904             | dec                 eax

    condition:
        // Majority vote over the ten sequences, bounded by a size cap that
        // reflects the sample set the rule was generated from.
        7 of them and filesize < 339968
}