There is no description at this point.
rule win_kivars_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-12-22" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars" malpedia_rule_date = "20201222" malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130" malpedia_version = "20201023" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c6842473040000eb c684247404000025 c6842475040000a6 c684247604000096 c684247704000024 c6842478040000a5 c684247904000013 } // n = 7, score = 200 // c6842473040000eb | mov eax, ecx // c684247404000025 | dec eax // c6842475040000a6 | lea edx, [0x7297] // c684247604000096 | dec eax // c684247704000024 | lea ecx, [esp + 0x15e0] // c6842478040000a5 | inc ecx // c684247904000013 | mov eax, 0x1000 $sequence_1 = { 486305???????? 4869c088000000 488d0de6cc0000 4803c8 488bc1 } // n = 5, score = 200 // 486305???????? | // 4869c088000000 | dec eax // 488d0de6cc0000 | lea ecx, [esp + 0x360] // 4803c8 | dec eax // 488bc1 | imul eax, eax, 0x88 $sequence_2 = { 89542410 48894c2408 4883ec58 8b442468 488b4c2460 4803c8 } // n = 6, score = 200 // 89542410 | xor edx, edx // 48894c2408 | dec eax // 4883ec58 | lea ecx, [esp + 0x80] // 8b442468 | mov byte ptr [esp + 0x473], 0xeb // 488b4c2460 | mov byte ptr [esp + 0x474], 0x25 // 4803c8 | mov byte ptr [esp + 0x475], 0xa6 $sequence_3 = { c6842462010000e4 c684246301000066 c68424640100001e c684246501000082 c684246601000027 c6842467010000db } // n = 6, score = 200 // c6842462010000e4 | mov byte ptr [esp + 0x162], 0xe4 // c684246301000066 | mov byte ptr [esp + 0x163], 0x66 // c68424640100001e | mov byte ptr [esp + 0x164], 0x1e // c684246501000082 | mov byte ptr [esp + 0x165], 0x82 // c684246601000027 | mov byte ptr [esp + 0x166], 0x27 // c6842467010000db | mov byte ptr [esp + 0x167], 0xdb $sequence_4 = { 8bc8 e8???????? 8bf0 eb02 33f6 85f6 c7842498020000ffffffff } // n = 7, score = 200 // 8bc8 | mov ecx, eax // e8???????? | // 8bf0 | mov esi, eax // eb02 | jmp 4 // 33f6 | xor esi, esi // 85f6 | test esi, esi // c7842498020000ffffffff | mov dword ptr [esp + 0x298], 0xffffffff $sequence_5 = { 488bd1 488bc8 ff15???????? 4885c0 7537 488d8424e1010000 4889842468020000 } // n = 7, score = 200 // 488bd1 | mov byte ptr [esp + 0x476], 0x96 // 488bc8 | mov byte ptr [esp + 0x477], 0x24 // ff15???????? | // 4885c0 | mov byte ptr [esp + 0x478], 0xa5 // 7537 | mov byte ptr [esp + 0x479], 0x13 // 488d8424e1010000 | mov dword ptr [esp + 0x10], edx // 4889842468020000 | dec eax $sequence_6 = { 8b8c2418020000 8d442414 6a04 83c108 50 51 } // n = 6, score = 200 // 8b8c2418020000 | mov ecx, dword ptr [esp + 0x218] // 8d442414 | lea eax, [esp + 0x14] // 6a04 | push 4 // 83c108 | add ecx, 8 // 50 | push eax // 51 | push ecx $sequence_7 = { 8b550c 52 8b7508 56 } // n = 4, score = 200 // 8b550c | mov edx, dword ptr [ebp + 0xc] // 52 | push edx // 8b7508 | mov esi, dword ptr [ebp + 8] // 56 | push esi $sequence_8 = { c6400800 4533c9 41b809000000 488d542440 488b8c2478080000 e8???????? 89842444040000 } // n = 7, score = 200 // c6400800 | mov dword ptr [esp + 8], ecx // 4533c9 | dec eax // 41b809000000 | sub esp, 0x58 // 488d542440 | mov eax, dword ptr [esp + 0x68] // 488b8c2478080000 | dec eax // e8???????? | // 89842444040000 | mov ecx, dword ptr [esp + 0x60] $sequence_9 = { 7439 488d8c2440010000 e8???????? 90 488d8c2460030000 } // n = 5, score = 200 // 7439 | je 0x3b // 488d8c2440010000 | dec eax // e8???????? | // 90 | lea ecx, [esp + 0x140] // 488d8c2460030000 | nop $sequence_10 = { 56 57 53 c744242404010000 e8???????? 83c418 85c0 } // n = 7, score = 200 // 56 | push esi // 57 | push edi // 53 | push ebx // c744242404010000 | mov dword ptr [esp + 0x24], 0x104 // e8???????? | // 83c418 | add esp, 0x18 // 85c0 | test eax, eax $sequence_11 = { 8d94247c010000 8d84241c030000 6a00 52 50 } // n = 5, score = 200 // 8d94247c010000 | lea edx, [esp + 0x17c] // 8d84241c030000 | lea eax, [esp + 0x31c] // 6a00 | push 0 // 52 | push edx // 50 | push eax $sequence_12 = { e8???????? 89442428 c1e802 8d7c4001 57 e8???????? } // n = 6, score = 200 // e8???????? | // 89442428 | mov dword ptr [esp + 0x28], eax // c1e802 | shr eax, 2 // 8d7c4001 | lea edi, [eax + eax*2 + 1] // 57 | push edi // e8???????? | $sequence_13 = { 83c408 85c0 0f84b0000000 8b4b54 8b3d???????? 50 } // n = 6, score = 200 // 83c408 | add esp, 8 // 85c0 | test eax, eax // 0f84b0000000 | je 0xb6 // 8b4b54 | mov ecx, dword ptr [ebx + 0x54] // 8b3d???????? | // 50 | push eax $sequence_14 = { 488d1597720000 488d8c24e0150000 ff15???????? 41b800100000 33d2 488d8c2480000000 e8???????? } // n = 7, score = 200 // 488d1597720000 | dec eax // 488d8c24e0150000 | lea ecx, [0xcce6] // ff15???????? | // 41b800100000 | dec eax // 33d2 | add ecx, eax // 488d8c2480000000 | dec eax // e8???????? | $sequence_15 = { 6681feffff 0f87e9010000 8d4306 57 50 } // n = 5, score = 200 // 6681feffff | cmp si, 0xffff // 0f87e9010000 | ja 0x1ef // 8d4306 | lea eax, [ebx + 6] // 57 | push edi // 50 | push eax condition: 7 of them and filesize < 196608 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY