Actor(s): Kimsuki, Kimsuky
There is no description at this point.
rule win_kimsuky_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.kimsuky." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 50 ffd6 8bd8 85db 7510 5e } // n = 6, score = 400 // 50 | push eax // ffd6 | call esi // 8bd8 | mov ebx, eax // 85db | test ebx, ebx // 7510 | jne 0x12 // 5e | pop esi $sequence_1 = { 6a00 6800f70484 6a00 6a00 68???????? 8d85e4fbffff 50 } // n = 7, score = 400 // 6a00 | push 0 // 6800f70484 | push 0x8404f700 // 6a00 | push 0 // 6a00 | push 0 // 68???????? | // 8d85e4fbffff | lea eax, [ebp - 0x41c] // 50 | push eax $sequence_2 = { 8d85ecfbffff 50 8d85f8feffff 50 8d85f4fdffff } // n = 5, score = 400 // 8d85ecfbffff | lea eax, [ebp - 0x414] // 50 | push eax // 8d85f8feffff | lea eax, [ebp - 0x108] // 50 | push eax // 8d85f4fdffff | lea eax, [ebp - 0x20c] $sequence_3 = { ffd7 a3???????? 8d85ccf3ffff 50 56 ffd7 } // n = 6, score = 400 // ffd7 | call edi // a3???????? | // 8d85ccf3ffff | lea eax, [ebp - 0xc34] // 50 | push eax // 56 | push esi // ffd7 | call edi $sequence_4 = { 7503 56 eb18 6a00 6a00 6a00 } // n = 6, score = 400 // 7503 | jne 5 // 56 | push esi // eb18 | jmp 0x1a // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 $sequence_5 = { 85c0 7423 6a00 8d85f0feffff 50 68???????? } // n = 6, score = 400 // 85c0 | test eax, eax // 7423 | je 0x25 // 6a00 | push 0 // 8d85f0feffff | lea eax, [ebp - 0x110] // 50 | push eax // 68???????? | $sequence_6 = { b9???????? e8???????? 8d85f8feffff 50 6a00 6a00 6a1a } // n = 7, score = 400 // b9???????? | // e8???????? | // 8d85f8feffff | lea eax, [ebp - 0x108] // 50 | push eax // 6a00 | push 0 // 6a00 | push 0 // 6a1a | push 0x1a $sequence_7 = { eb06 ff15???????? 85c0 7421 } // n = 4, score = 400 // eb06 | jmp 8 // ff15???????? | // 85c0 | test eax, eax // 7421 | je 0x23 $sequence_8 = { ff15???????? 85c0 7516 ff15???????? 8bd8 e8???????? } // n = 6, score = 400 // ff15???????? | // 85c0 | test eax, eax // 7516 | jne 0x18 // ff15???????? | // 8bd8 | mov ebx, eax // e8???????? | $sequence_9 = { 4156 4157 4883ec40 48896c2470 4889742438 4533ff 4c89642428 } // n = 7, score = 300 // 4156 | dec esp // 4157 | mov esp, dword ptr [esp + 0x28] // 4883ec40 | dec eax // 48896c2470 | mov edi, dword ptr [esp + 0x30] // 4889742438 | dec eax // 4533ff | mov esi, dword ptr [esp + 0x38] // 4c89642428 | dec eax $sequence_10 = { ebdb 65488b042560000000 48897c2430 48896c2460 } // n = 4, score = 300 // ebdb | jmp 0xffffffdd // 65488b042560000000 | dec eax // 48897c2430 | mov eax, dword ptr [0x60] // 48896c2460 | dec eax $sequence_11 = { 0f857affffff 4c8b7c2460 4c8b6c2420 4c8b642428 488b7c2430 488b742438 488b6c2470 } // n = 7, score = 300 // 0f857affffff | mov dword ptr [esp + 0x28], esp // 4c8b7c2460 | dec esp // 4c8b6c2420 | mov dword ptr [esp + 0x20], ebp // 4c8b642428 | xor esi, esi // 488b7c2430 | inc ebp // 488b742438 | xor ebp, ebp // 488b6c2470 | inc ebp $sequence_12 = { 498bce 418d5001 ffd3 488bc3 4883c440 415f } // n = 6, score = 300 // 498bce | dec eax // 418d5001 | mov dword ptr [esp + 0x70], ebp // ffd3 | dec eax // 488bc3 | mov dword ptr [esp + 0x38], esi // 4883c440 | inc ebp // 415f | xor edi, edi $sequence_13 = { 488b742438 488b6c2470 4d8bc6 4d2b4730 } // n = 4, score = 300 // 488b742438 | xor ecx, ecx // 488b6c2470 | inc ecx // 4d8bc6 | mov eax, 0x3000 // 4d2b4730 | dec esp $sequence_14 = { 0f8540feffff 488b6c2460 4c637d3c 33c9 41b800300000 4c03fd } // n = 6, score = 300 // 0f8540feffff | xor esp, esp // 488b6c2460 | jne 0xffffff80 // 4c637d3c | dec esp // 33c9 | mov edi, dword ptr [esp + 0x60] // 41b800300000 | dec esp // 4c03fd | mov ebp, dword ptr [esp + 0x20] $sequence_15 = { 4533ff 4c89642428 4c896c2420 33f6 4533ed 4533e4 } // n = 6, score = 300 // 4533ff | mov dword ptr [esp + 0x30], edi // 4c89642428 | dec eax // 4c896c2420 | mov dword ptr [esp + 0x60], ebp // 33f6 | inc ebp // 4533ed | xor edi, edi // 4533e4 | dec esp $sequence_16 = { 85c0 0f94c1 85c9 0f8494020000 } // n = 4, score = 200 // 85c0 | dec eax // 0f94c1 | add esp, 0x40 // 85c9 | inc ecx // 0f8494020000 | pop edi $sequence_17 = { 4c89642430 c744242880000000 c744242002000000 4533c9 4533c0 } // n = 5, score = 200 // 4c89642430 | jne 0x18 // c744242880000000 | mov ebx, eax // c744242002000000 | mov edx, dword ptr [ebp + 0x90] // 4533c9 | add edx, dword ptr [ebp + 0xd8] // 4533c0 | add edx, dword ptr [ebp + 0xb8] $sequence_18 = { 85c0 0f8432020000 8b7590 660f1f440000 } // n = 4, score = 200 // 85c0 | jne 0x18 // 0f8432020000 | mov ebx, eax // 8b7590 | imul ebx, eax // 660f1f440000 | mov ebx, eax $sequence_19 = { 8b9590000000 0395d8000000 0395b8000000 8bbda0010000 8d4702 03c2 89442450 } // n = 7, score = 200 // 8b9590000000 | dec eax // 0395d8000000 | mov dword ptr [esp + 0x70], ebp // 0395b8000000 | dec eax // 8bbda0010000 | mov dword ptr [esp + 0x38], esi // 8d4702 | inc ebp // 03c2 | xor edi, edi // 89442450 | dec esp $sequence_20 = { 8b4c2468 c6043900 803f00 740d } // n = 4, score = 200 // 8b4c2468 | mov eax, esi // c6043900 | dec ebp // 803f00 | sub eax, dword ptr [edi + 0x30] // 740d | dec eax $sequence_21 = { 488d8a38000000 e9???????? 488d8a28010000 e9???????? } // n = 4, score = 200 // 488d8a38000000 | imul ebx, eax // e9???????? | // 488d8a28010000 | test eax, eax // e9???????? | $sequence_22 = { 85c0 7464 c7453038000000 33c0 } // n = 4, score = 200 // 85c0 | lea ebx, [ebx + 2] // 7464 | dec ebp // c7453038000000 | test ebp, ebp // 33c0 | je 0x1e $sequence_23 = { 85c0 7471 895c2468 8d4801 } // n = 4, score = 200 // 85c0 | mov dword ptr [esp + 0x28], esp // 7471 | dec esp // 895c2468 | mov dword ptr [esp + 0x20], ebp // 8d4801 | dec eax $sequence_24 = { 83f809 8d7340 7405 be20000000 c68424a000000000 } // n = 5, score = 200 // 83f809 | sub esp, 0x40 // 8d7340 | dec eax // 7405 | mov dword ptr [esp + 0x70], ebp // be20000000 | dec eax // c68424a000000000 | mov dword ptr [esp + 0x38], esi $sequence_25 = { 668945c4 8b05???????? 8945d8 0fb705???????? } // n = 4, score = 100 // 668945c4 | test ecx, ecx // 8b05???????? | // 8945d8 | je 0x29f // 0fb705???????? | $sequence_26 = { 668945ea 6644896dec 4c8d45c0 488d1563c20400 } // n = 4, score = 100 // 668945ea | xor eax, eax // 6644896dec | mov edx, 0x40000000 // 4c8d45c0 | dec eax // 488d1563c20400 | lea ecx, [edx + 0x38] $sequence_27 = { 66894507 884509 895d0b 85ff } // n = 4, score = 100 // 66894507 | cmp eax, 9 // 884509 | lea esi, [ebx + 0x40] // 895d0b | je 0xa // 85ff | mov esi, 0x20 $sequence_28 = { 668945dc 448d62ff e8???????? 33db } // n = 4, score = 100 // 668945dc | mov esi, 0x20 // 448d62ff | mov edi, dword ptr [ebp + 0x1a0] // e8???????? | // 33db | lea eax, [edi + 2] $sequence_29 = { 668945b0 488d4db0 e8???????? 488d442450 } // n = 4, score = 100 // 668945b0 | je 0x29f // 488d4db0 | test eax, eax // e8???????? | // 488d442450 | sete cl $sequence_30 = { 668945e8 488bc3 7203 488b03 } // n = 4, score = 100 // 668945e8 | add eax, edx // 488bc3 | mov dword ptr [esp + 0x50], eax // 7203 | mov esi, eax // 488b03 | mov ecx, eax condition: 7 of them and filesize < 1021952 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY