Actor(s): Kimsuki
There is no description at this point.
rule win_kimsuky_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-10-14" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.5.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky" malpedia_rule_date = "20201014" malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9" malpedia_version = "20201014" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ffd7 a3???????? 8d85d4f5ffff 50 } // n = 4, score = 200 // ffd7 | call edi // a3???????? | // 8d85d4f5ffff | lea eax, [ebp - 0xa2c] // 50 | push eax $sequence_1 = { 807c01ff2f 7505 c644242000 33ff } // n = 4, score = 200 // 807c01ff2f | cmp byte ptr [ecx + eax - 1], 0x2f // 7505 | jne 7 // c644242000 | mov byte ptr [esp + 0x20], 0 // 33ff | xor edi, edi $sequence_2 = { 750a bffeffffff e9???????? 3dfafe0000 0f8217010000 83bbc0af060000 0f840a010000 } // n = 7, score = 200 // 750a | jne 0xc // bffeffffff | mov edi, 0xfffffffe // e9???????? | // 3dfafe0000 | cmp eax, 0xfefa // 0f8217010000 | jb 0x11d // 83bbc0af060000 | cmp dword ptr [ebx + 0x6afc0], 0 // 0f840a010000 | je 0x110 $sequence_3 = { b9???????? e8???????? 8d95e4f9ffff b9???????? e8???????? } // n = 5, score = 200 // b9???????? | // e8???????? | // 8d95e4f9ffff | lea edx, [ebp - 0x61c] // b9???????? | // e8???????? | $sequence_4 = { 8bd6 b130 e8???????? 837c245800 8b7c2444 7470 85ff } // n = 7, score = 200 // 8bd6 | mov edx, esi // b130 | mov cl, 0x30 // e8???????? | // 837c245800 | cmp dword ptr [esp + 0x58], 0 // 8b7c2444 | mov edi, dword ptr [esp + 0x44] // 7470 | je 0x72 // 85ff | test edi, edi $sequence_5 = { 6a00 6a00 e8???????? 83c418 50 ff15???????? 8b4dfc } // n = 7, score = 200 // 6a00 | push 0 // 6a00 | push 0 // e8???????? | // 83c418 | add esp, 0x18 // 50 | push eax // ff15???????? | // 8b4dfc | mov ecx, dword ptr [ebp - 4] $sequence_6 = { ffc9 0f84fe070000 ffc9 0f84ee070000 ffc9 } // n = 5, score = 200 // ffc9 | dec ecx // 0f84fe070000 | je 0x804 // ffc9 | dec ecx // 0f84ee070000 | je 0x7f4 // ffc9 | dec ecx $sequence_7 = { 740b 83c820 894718 e9???????? 83c801 894718 } // n = 6, score = 200 // 740b | je 0xd // 83c820 | or eax, 0x20 // 894718 | mov dword ptr [edi + 0x18], eax // e9???????? | // 83c801 | or eax, 1 // 894718 | mov dword ptr [edi + 0x18], eax $sequence_8 = { 0f284890 0f294a90 0f2840a0 0f2942a0 } // n = 4, score = 200 // 0f284890 | movaps xmm1, xmmword ptr [eax - 0x70] // 0f294a90 | movaps xmmword ptr [edx - 0x70], xmm1 // 0f2840a0 | movaps xmm0, xmmword ptr [eax - 0x60] // 0f2942a0 | movaps xmmword ptr [edx - 0x60], xmm0 $sequence_9 = { 8d4fff 8d53ff 03c8 03d0 3bd9 7704 } // n = 6, score = 200 // 8d4fff | lea ecx, [edi - 1] // 8d53ff | lea edx, [ebx - 1] // 03c8 | add ecx, eax // 03d0 | add edx, eax // 3bd9 | cmp ebx, ecx // 7704 | ja 6 $sequence_10 = { 50 8d85f8feffff 6804010000 50 e8???????? 83c418 8d85f8feffff } // n = 7, score = 200 // 50 | push eax // 8d85f8feffff | lea eax, [ebp - 0x108] // 6804010000 | push 0x104 // 50 | push eax // e8???????? | // 83c418 | add esp, 0x18 // 8d85f8feffff | lea eax, [ebp - 0x108] $sequence_11 = { 740a 33ff ff15???????? eb06 } // n = 4, score = 200 // 740a | je 0xc // 33ff | xor edi, edi // ff15???????? | // eb06 | jmp 8 $sequence_12 = { 8b442430 e9???????? c7431400000001 33c0 e9???????? } // n = 5, score = 200 // 8b442430 | mov eax, dword ptr [esp + 0x30] // e9???????? | // c7431400000001 | mov dword ptr [ebx + 0x14], 0x1000000 // 33c0 | xor eax, eax // e9???????? | $sequence_13 = { 8d85dcf7ffff 50 53 ffd7 a3???????? } // n = 5, score = 200 // 8d85dcf7ffff | lea eax, [ebp - 0x824] // 50 | push eax // 53 | push ebx // ffd7 | call edi // a3???????? | $sequence_14 = { 6a00 6800f70484 6a00 6a00 68???????? 8d85e4fbffff 50 } // n = 7, score = 200 // 6a00 | push 0 // 6800f70484 | push 0x8404f700 // 6a00 | push 0 // 6a00 | push 0 // 68???????? | // 8d85e4fbffff | lea eax, [ebp - 0x41c] // 50 | push eax $sequence_15 = { c705????????00000800 eb2f c705????????00000100 eb23 ff15???????? } // n = 5, score = 200 // c705????????00000800 | // eb2f | jmp 0x31 // c705????????00000100 | // eb23 | jmp 0x25 // ff15???????? | condition: 7 of them and filesize < 499712 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY