Actor(s): Kimsuki, Kimsuky
There is no description at this point.
rule win_kimsuky_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 8d95ecfbffff b9???????? e8???????? } // n = 4, score = 400 // e8???????? | // 8d95ecfbffff | lea edx, [ebp - 0x414] // b9???????? | // e8???????? | $sequence_1 = { 6a00 6a00 68???????? 8d85e4fbffff 50 8d45e4 50 } // n = 7, score = 400 // 6a00 | push 0 // 6a00 | push 0 // 68???????? | // 8d85e4fbffff | lea eax, [ebp - 0x41c] // 50 | push eax // 8d45e4 | lea eax, [ebp - 0x1c] // 50 | push eax $sequence_2 = { ff15???????? 85c0 7516 ff15???????? 8bd8 } // n = 5, score = 400 // ff15???????? | // 85c0 | test eax, eax // 7516 | jne 0x18 // ff15???????? | // 8bd8 | mov ebx, eax $sequence_3 = { 50 56 ffd7 a3???????? 8d85ccf3ffff 50 56 } // n = 7, score = 400 // 50 | push eax // 56 | push esi // ffd7 | call edi // a3???????? | // 8d85ccf3ffff | lea eax, [ebp - 0xc34] // 50 | push eax // 56 | push esi $sequence_4 = { 8d85f8feffff 6804010000 50 e8???????? 8d85f0fcffff 50 } // n = 6, score = 400 // 8d85f8feffff | lea eax, [ebp - 0x108] // 6804010000 | push 0x104 // 50 | push eax // e8???????? | // 8d85f0fcffff | lea eax, [ebp - 0x310] // 50 | push eax $sequence_5 = { ff15???????? 8bd8 e8???????? 0fafd8 } // n = 4, score = 400 // ff15???????? | // 8bd8 | mov ebx, eax // e8???????? | // 0fafd8 | imul ebx, eax $sequence_6 = { 8d85f0feffff 50 68???????? ff15???????? 6a04 6a00 } // n = 6, score = 400 // 8d85f0feffff | lea eax, [ebp - 0x110] // 50 | push eax // 68???????? | // ff15???????? | // 6a04 | push 4 // 6a00 | push 0 $sequence_7 = { 75f9 2bca 51 8d85e4f5ffff } // n = 4, score = 400 // 75f9 | jne 0xfffffffb // 2bca | sub ecx, edx // 51 | push ecx // 8d85e4f5ffff | lea eax, [ebp - 0xa1c] $sequence_8 = { 8d95f0fcffff b9???????? e8???????? 8d95ecfbffff } // n = 4, score = 400 // 8d95f0fcffff | lea edx, [ebp - 0x310] // b9???????? | // e8???????? | // 8d95ecfbffff | lea edx, [ebp - 0x414] $sequence_9 = { a3???????? 8d85dcf7ffff 50 53 ffd7 } // n = 5, score = 400 // a3???????? | // 8d85dcf7ffff | lea eax, [ebp - 0x824] // 50 | push eax // 53 | push ebx // ffd7 | call edi $sequence_10 = { 498bce 418d5001 ffd3 488bc3 4883c440 415f 415e } // n = 7, score = 300 // 498bce | dec ecx // 418d5001 | mov ecx, esi // ffd3 | inc ecx // 488bc3 | lea edx, [eax + 1] // 4883c440 | call ebx // 415f | dec eax // 415e | mov eax, ebx $sequence_11 = { 4883c9ff 4903de ff542468 4533c0 498bce 418d5001 ffd3 } // n = 7, score = 300 // 4883c9ff | dec eax // 4903de | add esp, 0x40 // ff542468 | inc ecx // 4533c0 | pop edi // 498bce | inc ecx // 418d5001 | pop esi // ffd3 | dec eax $sequence_12 = { 4156 4157 4883ec40 48896c2470 4889742438 } // n = 5, score = 300 // 4156 | dec ecx // 4157 | mov ecx, esi // 4883ec40 | inc ecx // 48896c2470 | lea edx, [eax + 1] // 4889742438 | call ebx $sequence_13 = { 4d8b36 4d85f6 0f8540feffff 488b6c2460 4c637d3c } // n = 5, score = 300 // 4d8b36 | dec esp // 4d85f6 | mov dword ptr [esp + 0x68], edi // 0f8540feffff | inc ecx // 488b6c2460 | mov ebx, 1 // 4c637d3c | inc ecx $sequence_14 = { 48896c2460 488b4818 41bb01000000 4c8b7120 4d85f6 0f84d6010000 } // n = 6, score = 300 // 48896c2460 | lea ebx, [ebx + 2] // 488b4818 | dec ebp // 41bb01000000 | test ebp, ebp // 4c8b7120 | je 0x1e // 4d85f6 | dec ebp // 0f84d6010000 | test esp, esp $sequence_15 = { 4c897c2468 41bb01000000 418d5b02 4d85ed 740f 4d85e4 } // n = 6, score = 300 // 4c897c2468 | or ecx, 0xffffffff // 41bb01000000 | dec ecx // 418d5b02 | add ebx, esi // 4d85ed | call dword ptr [esp + 0x68] // 740f | inc ebp // 4d85e4 | xor eax, eax $sequence_16 = { 85c9 0f8494020000 89bda0000000 897d30 } // n = 4, score = 200 // 85c9 | mov dword ptr [esp + 0x38], esi // 0f8494020000 | dec ebp // 89bda0000000 | mov esi, dword ptr [esi] // 897d30 | dec ebp $sequence_17 = { e8???????? 90 83bd8000000000 7443 8b8584000000 85c0 750b } // n = 7, score = 200 // e8???????? | // 90 | test esi, esi // 83bd8000000000 | jne 0xfffffe49 // 7443 | dec eax // 8b8584000000 | mov ebp, dword ptr [esp + 0x60] // 85c0 | dec esp // 750b | arpl word ptr [ebp + 0x3c], di $sequence_18 = { 0f84b3000000 85f6 0f8497000000 8bd6 } // n = 4, score = 200 // 0f84b3000000 | inc ecx // 85f6 | push edi // 0f8497000000 | dec eax // 8bd6 | sub esp, 0x40 $sequence_19 = { ff15???????? 85c0 7464 c7453038000000 33c0 } // n = 5, score = 200 // ff15???????? | // 85c0 | dec eax // 7464 | mov dword ptr [esp + 0x60], ebp // c7453038000000 | dec eax // 33c0 | mov ecx, dword ptr [eax + 0x18] $sequence_20 = { e8???????? eb2e 83f801 750b } // n = 4, score = 200 // e8???????? | // eb2e | dec eax // 83f801 | mov dword ptr [esp + 0x70], ebp // 750b | dec eax $sequence_21 = { 8d4702 03c2 89442450 8bf0 8bc8 e8???????? } // n = 6, score = 200 // 8d4702 | je 0x1e // 03c2 | dec ebp // 89442450 | test esp, esp // 8bf0 | inc ecx // 8bc8 | push esi // e8???????? | condition: 7 of them and filesize < 499712 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY