There is no description at this point.
rule win_kins_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-08-17" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.4.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins" malpedia_rule_date = "20200817" malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5" malpedia_version = "20200817" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8bc3 c1e806 2401 56 57 c645ff00 8845fd } // n = 7, score = 5000 // 8bc3 | mov eax, ebx // c1e806 | shr eax, 6 // 2401 | and al, 1 // 56 | push esi // 57 | push edi // c645ff00 | mov byte ptr [ebp - 1], 0 // 8845fd | mov byte ptr [ebp - 3], al $sequence_1 = { c1e008 0bc2 0fb6510f c1e008 0bc2 89460c } // n = 6, score = 5000 // c1e008 | shl eax, 8 // 0bc2 | or eax, edx // 0fb6510f | movzx edx, byte ptr [ecx + 0xf] // c1e008 | shl eax, 8 // 0bc2 | or eax, edx // 89460c | mov dword ptr [esi + 0xc], eax $sequence_2 = { e8???????? 50 e8???????? 33c9 833e01 0f94c1 890e } // n = 7, score = 5000 // e8???????? | // 50 | push eax // e8???????? | // 33c9 | xor ecx, ecx // 833e01 | cmp dword ptr [esi], 1 // 0f94c1 | sete cl // 890e | mov dword ptr [esi], ecx $sequence_3 = { 99 8bcf f7f9 8bd8 8d442438 e8???????? 8b442424 } // n = 7, score = 5000 // 99 | cdq // 8bcf | mov ecx, edi // f7f9 | idiv ecx // 8bd8 | mov ebx, eax // 8d442438 | lea eax, [esp + 0x38] // e8???????? | // 8b442424 | mov eax, dword ptr [esp + 0x24] $sequence_4 = { 6a74 ff7508 33c0 6a05 40 5a e8???????? } // n = 7, score = 5000 // 6a74 | push 0x74 // ff7508 | push dword ptr [ebp + 8] // 33c0 | xor eax, eax // 6a05 | push 5 // 40 | inc eax // 5a | pop edx // e8???????? | $sequence_5 = { 8bc8 e8???????? 8bd8 3bde 0f85a8030000 eb04 89742424 } // n = 7, score = 5000 // 8bc8 | mov ecx, eax // e8???????? | // 8bd8 | mov ebx, eax // 3bde | cmp ebx, esi // 0f85a8030000 | jne 0x3ae // eb04 | jmp 6 // 89742424 | mov dword ptr [esp + 0x24], esi $sequence_6 = { 8d45fc 50 8bce e8???????? 85c0 0f8566ffffff 8b45f4 } // n = 7, score = 5000 // 8d45fc | lea eax, [ebp - 4] // 50 | push eax // 8bce | mov ecx, esi // e8???????? | // 85c0 | test eax, eax // 0f8566ffffff | jne 0xffffff6c // 8b45f4 | mov eax, dword ptr [ebp - 0xc] $sequence_7 = { c1c611 03f2 8bfa 33f8 23fe 33f8 037de8 } // n = 7, score = 5000 // c1c611 | rol esi, 0x11 // 03f2 | add esi, edx // 8bfa | mov edi, edx // 33f8 | xor edi, eax // 23fe | and edi, esi // 33f8 | xor edi, eax // 037de8 | add edi, dword ptr [ebp - 0x18] $sequence_8 = { 8bf8 83ffff 750b ff742408 e8???????? 8bf8 } // n = 6, score = 5000 // 8bf8 | mov edi, eax // 83ffff | cmp edi, -1 // 750b | jne 0xd // ff742408 | push dword ptr [esp + 8] // e8???????? | // 8bf8 | mov edi, eax $sequence_9 = { 33c0 6a05 40 5a e8???????? 0fb64514 83e800 } // n = 7, score = 5000 // 33c0 | xor eax, eax // 6a05 | push 5 // 40 | inc eax // 5a | pop edx // e8???????? | // 0fb64514 | movzx eax, byte ptr [ebp + 0x14] // 83e800 | sub eax, 0 condition: 7 of them and filesize < 548864 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY