Actor(s): Kimsuki, Kimsuky
No description is available for this family yet.
rule win_kimsuky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.kimsuky."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * - Only the hex byte patterns below are matched by YARA; the "bytes | disasm"
     *   annotations are documentation. In the published auto-generated output the
     *   annotations of the 64-bit sequences ($sequence_9 onwards, score <= 300)
     *   were shifted against their bytes and decoded in 32-bit mode (REX prefixes
     *   shown as inc/dec); they have been re-decoded in 64-bit mode here. The byte
     *   patterns and the condition are unchanged.
     * - Sequences that carry no REX prefix decode identically in both modes; they
     *   keep the generator's 32-bit register names (read [esp + 0x68] as
     *   [rsp + 0x68] in a 64-bit sample).
     * - "score" is the number of reference samples a sequence was found in
     *   (400 = all 32-bit references, <= 300 = the 64-bit references). Since
     *   "7 of them" can be satisfied by either group alone, a hit does not tell
     *   you which architecture matched; check which $sequence_* strings fired.
     * - Several score-400 sequences are MSVC boilerplate (stack-cookie epilogue,
     *   push-0 argument setup, lea of stack buffers). They are weak on their own;
     *   corroborate a hit with the higher-entropy sequences or other indicators.
     * - "filesize < 1021952" (~998 KiB) is only meaningful when scanning a file
     *   on disk; large unpacked dumps or full process images may fail on size
     *   alone even though the code sequences are present.
     */

    strings:
        $sequence_0 = { 56 85ff 740a 33ff }
            // n = 4, score = 400
            //   56                   | push                esi
            //   85ff                 | test                edi, edi
            //   740a                 | je                  0xc
            //   33ff                 | xor                 edi, edi

        $sequence_1 = { 8d95f0fcffff b9???????? e8???????? 8d95ecfbffff b9???????? e8???????? }
            // n = 6, score = 400
            //   8d95f0fcffff         | lea                 edx, [ebp - 0x310]
            //   b9????????           |
            //   e8????????           |
            //   8d95ecfbffff         | lea                 edx, [ebp - 0x414]
            //   b9????????           |
            //   e8????????           |

        $sequence_2 = { ff15???????? 85c0 7516 ff15???????? 8bd8 e8???????? }
            // n = 6, score = 400
            //   ff15????????         |
            //   85c0                 | test                eax, eax
            //   7516                 | jne                 0x18
            //   ff15????????         |
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |

        $sequence_3 = { 50 ffd6 8bd8 85db 7510 5e }
            // n = 6, score = 400
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7510                 | jne                 0x12
            //   5e                   | pop                 esi

        $sequence_4 = { 833d????????00 7413 b801000000 8b4dfc 33cd e8???????? 8be5 }
            // n = 7, score = 400
            // NOTE(review): layout looks like an MSVC /GS function epilogue
            // (xor ecx, ebp; call __security_check_cookie; mov esp, ebp) - compiler
            // boilerplate, weak as a family indicator on its own.
            //   833d????????00       |
            //   7413                 | je                  0x15
            //   b801000000           | mov                 eax, 1
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp
            //   e8????????           |
            //   8be5                 | mov                 esp, ebp

        $sequence_5 = { 53 ffd7 a3???????? 8d85d4f5ffff }
            // n = 4, score = 400
            //   53                   | push                ebx
            //   ffd7                 | call                edi
            //   a3????????           |
            //   8d85d4f5ffff         | lea                 eax, [ebp - 0xa2c]

        $sequence_6 = { 7503 56 eb18 6a00 6a00 6a00 68???????? }
            // n = 7, score = 400
            //   7503                 | jne                 5
            //   56                   | push                esi
            //   eb18                 | jmp                 0x1a
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |

        $sequence_7 = { 2bca 51 8d85e4f5ffff 50 6a00 6a00 }
            // n = 6, score = 400
            //   2bca                 | sub                 ecx, edx
            //   51                   | push                ecx
            //   8d85e4f5ffff         | lea                 eax, [ebp - 0xa1c]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_8 = { 6a00 50 ff15???????? 8d85ecfbffff 50 8d85f8feffff }
            // n = 6, score = 400
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         |
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   50                   | push                eax
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]

        $sequence_9 = { 75af 4c897c2468 41bb01000000 418d5b02 4d85ed 740f 4d85e4 }
            // n = 7, score = 300 (64-bit)
            //   75af                 | jne                 0xffffffb1
            //   4c897c2468           | mov                 qword ptr [rsp + 0x68], r15
            //   41bb01000000         | mov                 r11d, 1
            //   418d5b02             | lea                 ebx, [r11 + 2]
            //   4d85ed               | test                r13, r13
            //   740f                 | je                  0x11
            //   4d85e4               | test                r12, r12

        $sequence_10 = { 4c03fd 448d4940 418b5750 4c897c2460 ffd6 458b4754 488bd5 }
            // n = 7, score = 300 (64-bit)
            //   4c03fd               | add                 r15, rbp
            //   448d4940             | lea                 r9d, [rcx + 0x40]
            //   418b5750             | mov                 edx, dword ptr [r15 + 0x50]
            //   4c897c2460           | mov                 qword ptr [rsp + 0x60], r15
            //   ffd6                 | call                rsi
            //   458b4754             | mov                 r8d, dword ptr [r15 + 0x54]
            //   488bd5               | mov                 rdx, rbp

        $sequence_11 = { ebdb 65488b042560000000 48897c2430 48896c2460 488b4818 41bb01000000 4c8b7120 }
            // n = 7, score = 300 (64-bit)
            // NOTE(review): gs:[0x60] -> [+0x18] -> [+0x20] is consistent with a PEB walk
            // (PEB -> Ldr -> InMemoryOrderModuleList), i.e. manual module/API resolution
            // rather than an import table - confirm against the sample.
            //   ebdb                 | jmp                 0xffffffdd
            //   65488b042560000000   | mov                 rax, qword ptr gs:[0x60]
            //   48897c2430           | mov                 qword ptr [rsp + 0x30], rdi
            //   48896c2460           | mov                 qword ptr [rsp + 0x60], rbp
            //   488b4818             | mov                 rcx, qword ptr [rax + 0x18]
            //   41bb01000000         | mov                 r11d, 1
            //   4c8b7120             | mov                 r14, qword ptr [rcx + 0x20]

        $sequence_12 = { 4533ff 4c89642428 4c896c2420 33f6 4533ed 4533e4 4c897c2468 }
            // n = 7, score = 300 (64-bit)
            //   4533ff               | xor                 r15d, r15d
            //   4c89642428           | mov                 qword ptr [rsp + 0x28], r12
            //   4c896c2420           | mov                 qword ptr [rsp + 0x20], r13
            //   33f6                 | xor                 esi, esi
            //   4533ed               | xor                 r13d, r13d
            //   4533e4               | xor                 r12d, r12d
            //   4c897c2468           | mov                 qword ptr [rsp + 0x68], r15

        $sequence_13 = { 666666660f1f840000000000 418b0a 4903c9 4533c0 0fb601 0f1f4000 }
            // n = 6, score = 300 (64-bit)
            //   666666660f1f840000000000 | nop             word ptr [rax + rax]
            //   418b0a               | mov                 ecx, dword ptr [r10]
            //   4903c9               | add                 rcx, r9
            //   4533c0               | xor                 r8d, r8d
            //   0fb601               | movzx               eax, byte ptr [rcx]
            //   0f1f4000             | nop                 dword ptr [rax]

        $sequence_14 = { 4533c0 33d2 4883c9ff 4903de ff542468 4533c0 }
            // n = 6, score = 300 (64-bit)
            //   4533c0               | xor                 r8d, r8d
            //   33d2                 | xor                 edx, edx
            //   4883c9ff             | or                  rcx, 0xffffffffffffffff
            //   4903de               | add                 rbx, r14
            //   ff542468             | call                qword ptr [rsp + 0x68]
            //   4533c0               | xor                 r8d, r8d

        $sequence_15 = { 428bbc0888000000 468b540f20 468b5c0f24 4d03d1 4d03d9 666666660f1f840000000000 }
            // n = 6, score = 300 (64-bit)
            // NOTE(review): offsets 0x88 / 0x20 / 0x24 are consistent with reading the
            // export directory RVA from IMAGE_NT_HEADERS64 and then AddressOfNames /
            // AddressOfNameOrdinals, i.e. export-table parsing for API resolution -
            // verify in the sample.
            //   428bbc0888000000     | mov                 edi, dword ptr [rax + r9 + 0x88]
            //   468b540f20           | mov                 r10d, dword ptr [rdi + r9 + 0x20]
            //   468b5c0f24           | mov                 r11d, dword ptr [rdi + r9 + 0x24]
            //   4d03d1               | add                 r10, r9
            //   4d03d9               | add                 r11, r9
            //   666666660f1f840000000000 | nop             word ptr [rax + rax]

        $sequence_16 = { 488d8a38000000 e9???????? 488d8a28010000 e9???????? }
            // n = 4, score = 200 (64-bit)
            //   488d8a38000000       | lea                 rcx, [rdx + 0x38]
            //   e9????????           |
            //   488d8a28010000       | lea                 rcx, [rdx + 0x128]
            //   e9????????           |

        $sequence_17 = { 8b9590000000 0395d8000000 0395b8000000 8bbda0010000 }
            // n = 4, score = 200
            //   8b9590000000         | mov                 edx, dword ptr [ebp + 0x90]
            //   0395d8000000         | add                 edx, dword ptr [ebp + 0xd8]
            //   0395b8000000         | add                 edx, dword ptr [ebp + 0xb8]
            //   8bbda0010000         | mov                 edi, dword ptr [ebp + 0x1a0]

        $sequence_18 = { 8bc2 c1e81f 03d0 69d290010000 3bca 7409 8b84afd0450300 }
            // n = 7, score = 200
            // 0x190 = 400; shr 0x1f / add is the sign-correction of a signed division.
            //   8bc2                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f
            //   03d0                 | add                 edx, eax
            //   69d290010000         | imul                edx, edx, 0x190
            //   3bca                 | cmp                 ecx, edx
            //   7409                 | je                  0xb
            //   8b84afd0450300       | mov                 eax, dword ptr [edi + ebp*4 + 0x345d0]

        $sequence_19 = { ff15???????? 498bc6 488b4d20 4833cc }
            // n = 4, score = 200 (64-bit)
            // NOTE(review): xor rcx, rsp after loading a stack slot looks like the
            // /GS cookie check before __security_check_cookie - compiler boilerplate.
            //   ff15????????         |
            //   498bc6               | mov                 rax, r14
            //   488b4d20             | mov                 rcx, qword ptr [rbp + 0x20]
            //   4833cc               | xor                 rcx, rsp

        $sequence_20 = { 4c89642430 c744242880000000 c744242002000000 4533c9 4533c0 ba00000040 }
            // n = 6, score = 200 (64-bit)
            // NOTE(review): argument layout (edx = 0x40000000, r8/r9 = 0, [rsp+0x20] = 2,
            // [rsp+0x28] = 0x80) is consistent with CreateFile(..., GENERIC_WRITE, 0,
            // NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, ...) - confirm the callee.
            //   4c89642430           | mov                 qword ptr [rsp + 0x30], r12
            //   c744242880000000     | mov                 dword ptr [rsp + 0x28], 0x80
            //   c744242002000000     | mov                 dword ptr [rsp + 0x20], 2
            //   4533c9               | xor                 r9d, r9d
            //   4533c0               | xor                 r8d, r8d
            //   ba00000040           | mov                 edx, 0x40000000

        $sequence_21 = { 8d4702 03c2 89442450 8bf0 }
            // n = 4, score = 200
            //   8d4702               | lea                 eax, [edi + 2]
            //   03c2                 | add                 eax, edx
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   8bf0                 | mov                 esi, eax

        $sequence_22 = { 8b4c2468 c6043900 803f00 740d }
            // n = 4, score = 200
            //   8b4c2468             | mov                 ecx, dword ptr [esp + 0x68]
            //   c6043900             | mov                 byte ptr [ecx + edi], 0
            //   803f00               | cmp                 byte ptr [edi], 0
            //   740d                 | je                  0xf

        $sequence_23 = { 85c0 7471 895c2468 8d4801 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   7471                 | je                  0x73
            //   895c2468             | mov                 dword ptr [esp + 0x68], ebx
            //   8d4801               | lea                 ecx, [eax + 1]

        $sequence_24 = { 83f809 8d7340 7405 be20000000 c68424a000000000 33d2 }
            // n = 6, score = 200
            //   83f809               | cmp                 eax, 9
            //   8d7340               | lea                 esi, [ebx + 0x40]
            //   7405                 | je                  7
            //   be20000000           | mov                 esi, 0x20
            //   c68424a000000000     | mov                 byte ptr [esp + 0xa0], 0
            //   33d2                 | xor                 edx, edx

        $sequence_25 = { 85c0 0f94c1 85c9 0f8494020000 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   0f94c1               | sete                cl
            //   85c9                 | test                ecx, ecx
            //   0f8494020000         | je                  0x29a

        $sequence_26 = { 8b83d8af0600 eb13 418d41ff 41be01000000 8983d8af0600 }
            // n = 5, score = 100 (64-bit)
            //   8b83d8af0600         | mov                 eax, dword ptr [rbx + 0x6afd8]
            //   eb13                 | jmp                 0x15
            //   418d41ff             | lea                 eax, [r9 - 1]
            //   41be01000000         | mov                 r14d, 1
            //   8983d8af0600         | mov                 dword ptr [rbx + 0x6afd8], eax

        $sequence_27 = { 8b848248960500 85c0 0f84cf000000 83f801 }
            // n = 4, score = 100
            //   8b848248960500       | mov                 eax, dword ptr [edx + eax*4 + 0x59648]
            //   85c0                 | test                eax, eax
            //   0f84cf000000         | je                  0xd5
            //   83f801               | cmp                 eax, 1

        $sequence_28 = { 8b83d8af0600 eb2b 448b83ccaf0600 41ffc0 }
            // n = 4, score = 100 (64-bit)
            //   8b83d8af0600         | mov                 eax, dword ptr [rbx + 0x6afd8]
            //   eb2b                 | jmp                 0x2d
            //   448b83ccaf0600       | mov                 r8d, dword ptr [rbx + 0x6afcc]
            //   41ffc0               | inc                 r8d

        $sequence_29 = { 8b8424a0020000 488d542440 4c8bc3 89442420 }
            // n = 4, score = 100 (64-bit)
            //   8b8424a0020000       | mov                 eax, dword ptr [rsp + 0x2a0]
            //   488d542440           | lea                 rdx, [rsp + 0x40]
            //   4c8bc3               | mov                 r8, rbx
            //   89442420             | mov                 dword ptr [rsp + 0x20], eax

        $sequence_30 = { 8b848248960500 85c0 746a 83f801 }
            // n = 4, score = 100
            //   8b848248960500       | mov                 eax, dword ptr [edx + eax*4 + 0x59648]
            //   85c0                 | test                eax, eax
            //   746a                 | je                  0x6c
            //   83f801               | cmp                 eax, 1

    condition:
        // Any 7 of the 31 sequences; see NOTE(review) above on architecture mix,
        // boilerplate sequences and the on-disk-only meaning of filesize.
        7 of them and filesize < 1021952
}