Modular x86/x64 file infector created/used by Maze ransomware developer. According to the author, it has been mistakenly tagged by AVs as Expiro.
rule win_m0yv_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.m0yv." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 490faff8 4d89c3 4901ff 4c8b1424 490fafd2 48039424b8000000 4c89ef } // n = 7, score = 100 // 490faff8 | mov byte ptr [esp + eax + 0x20], dl // 4d89c3 | dec eax // 4901ff | add eax, 1 // 4c8b1424 | dec eax // 490fafd2 | cmp eax, 0x3f // 48039424b8000000 | jne 0x2e8 // 4c89ef | add byte ptr [esp + 0x5f], cl $sequence_1 = { 72e7 4889f9 4889da e8???????? 48c7474800000000 31c0 6690 } // n = 7, score = 100 // 72e7 | bt ebx, eax // 4889f9 | inc ebp // 4889da | test ecx, ecx // e8???????? | // 48c7474800000000 | je 0xad0 // 31c0 | dec eax // 6690 | test esi, esi $sequence_2 = { f6c201 0f84e3000000 4183fb66 775c 744e } // n = 5, score = 100 // f6c201 | dec ecx // 0f84e3000000 | imul esi, edi, 0xa2c13 // 4183fb66 | dec eax // 775c | add esi, dword ptr [esp + 0x70] // 744e | dec ebp $sequence_3 = { 4889fa e8???????? 4889f9 4889fa e8???????? 4c89f1 } // n = 6, score = 100 // 4889fa | inc ecx // e8???????? | // 4889f9 | sub ecx, edi // 4889fa | dec esp // e8???????? | // 4c89f1 | lea esi, [esi + ebp] $sequence_4 = { 29e8 488bac24a8000000 894500 895504 44895d08 } // n = 5, score = 100 // 29e8 | dec ecx // 488bac24a8000000 | mov ecx, edi // 894500 | mov byte ptr [ebp + 1], ah // 895504 | dec ecx // 44895d08 | mov ebx, ebp $sequence_5 = { 490fafc6 4801c2 4889942440010000 4c89842488000000 4c89c0 480fafc1 } // n = 6, score = 100 // 490fafc6 | inc esp // 4801c2 | mov byte ptr [edx + 0x14], dh // 4889942440010000 | mov byte ptr [edx + 0x15], bl // 4c89842488000000 | mov byte ptr [edx + 0x16], bh // 4c89c0 | inc esp // 480fafc1 | mov eax, edx $sequence_6 = { 4f037ce538 4c21df 4c31d7 4e03bce498000000 4831c1 4901ff 4c89c8 } // n = 7, score = 100 // 4f037ce538 | inc esp // 4c21df | mov eax, eax // 4c31d7 | and eax, 0x1ffffff // 4e03bce498000000 | inc ecx // 4831c1 | shr ecx, 0xc // 4901ff | inc esp // 4c89c8 | mov byte ptr [ecx + 0x1b], cl $sequence_7 = { 2b6a24 448901 44894904 44895108 4489590c 44897110 897114 } // n = 7, score = 100 // 2b6a24 | dec ecx // 448901 | xor edx, eax // 44894904 | dec ebx // 44895108 | xchg dword ptr [edi + esi*8 + 0x59c30], edx // 4489590c | jmp 0x1840 // 44897110 | jmp 0x17cd // 897114 | dec ecx $sequence_8 = { 4883ec28 e8???????? 4885c0 7409 488b4010 } // n = 5, score = 100 // 4883ec28 | nop // e8???????? | // 4885c0 | inc ecx // 7409 | add eax, -1 // 488b4010 | xor edi, edi $sequence_9 = { c1e802 4122c2 41884041 8bc2 83e003 8a0481 498bc8 } // n = 7, score = 100 // c1e802 | dec eax // 4122c2 | mov dword ptr [esp + 0x58], eax // 41884041 | dec eax // 8bc2 | mov ecx, ebx // 83e003 | dec eax // 8a0481 | mov dword ptr [esp + 0xa8], eax // 498bc8 | dec eax condition: 7 of them and filesize < 779264 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY