Modular x86/x64 file infector created/used by Maze ransomware developer. According to the author, it has been mistakenly tagged by AVs as Expiro.
rule win_m0yv_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-01-25" version = "1" description = "Detects win.m0yv." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv" malpedia_rule_date = "20230124" malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686" malpedia_version = "20230125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 4881c100000001 4889ca 81e1000000fe 4129cf 4c89c9 4e8d0c4e } // n = 6, score = 100 // 4881c100000001 | dec eax // 4889ca | imul ecx, ebx // 81e1000000fe | dec eax // 4129cf | add ebp, ecx // 4c89c9 | dec esp // 4e8d0c4e | mov ecx, esp $sequence_1 = { 480f44d0 4889f1 4531c0 e8???????? 895c2420 4983c701 498b4508 } // n = 7, score = 100 // 480f44d0 | add edi, ecx // 4889f1 | dec ebp // 4531c0 | imul ebp, eax, 0x9fb67 // e8???????? | // 895c2420 | dec ebp // 4983c701 | add ebp, ebx // 498b4508 | dec ecx $sequence_2 = { 57 53 4883ec20 b801000000 4885c9 0f840c010000 4889d6 } // n = 7, score = 100 // 57 | mov ebx, dword ptr [edx + 8] // 53 | inc esp // 4883ec20 | mov dword ptr [esp + 0x2c], ebx // b801000000 | inc esp // 4885c9 | mov esp, dword ptr [edx + 0xc] // 0f840c010000 | inc esp // 4889d6 | mov dword ptr [esp + 0x30], esp $sequence_3 = { e8???????? 488d7c2420 4889f9 4889da e8???????? 4889f9 } // n = 6, score = 100 // e8???????? | // 488d7c2420 | test eax, eax // 4889f9 | je 0xf69 // 4889da | dec eax // e8???????? | // 4889f9 | mov eax, dword ptr [eax + 0x10] $sequence_4 = { 4889d6 4885d2 7475 4889cf 8b01 83c0ff 83f806 } // n = 7, score = 100 // 4889d6 | jne 0x17b1 // 4885d2 | inc ecx // 7475 | mov byte ptr [eax + 0x4f], cl // 4889cf | inc ecx // 8b01 | mov byte ptr [eax + 0x59], cl // 83c0ff | jmp 0x17c9 // 83f806 | cmp cl, 0xa $sequence_5 = { 8814ce 0fb654cf0e 8854ce01 0fb654cf0d 8854ce02 0fb654cf0c 8854ce03 } // n = 7, score = 100 // 8814ce | dec ebp // 0fb654cf0e | imul edi, esi // 8854ce01 | dec esp // 0fb654cf0d | add edx, edi // 8854ce02 | dec eax // 0fb654cf0c | add eax, esi // 8854ce03 | dec ecx $sequence_6 = { 41887419fe 83c009 4c8d5bff 83f813 7210 } // n = 5, score = 100 // 41887419fe | mov dword ptr [esp + 0x78], ebx // 83c009 | dec ebp // 4c8d5bff | add eax, edx // 83f813 | dec esp // 7210 | add eax, edx $sequence_7 = { 4989d8 e8???????? 4d8d4728 4c8d7650 4c89f1 4889f2 e8???????? } // n = 7, score = 100 // 4989d8 | shr eax, 2 // e8???????? | // 4d8d4728 | and eax, 0x1fffff // 4c8d7650 | dec eax // 4c89f1 | mov dword ptr [esp + 0xa8], eax // 4889f2 | dec eax // e8???????? | $sequence_8 = { 4e8d2402 4c01c2 4881c200001000 4889d6 4881e20000e0ff 4929d4 488b542470 } // n = 7, score = 100 // 4e8d2402 | xor eax, eax // 4c01c2 | inc esp // 4881c200001000 | movaps xmmword ptr [esp + 0x1440], xmm2 // 4889d6 | inc esp // 4881e20000e0ff | movaps xmmword ptr [esp + 0x1430], xmm1 // 4929d4 | inc sp // 488b542470 | movq qword ptr [esp + 0x1420], mm0 $sequence_9 = { 4889f9 4c89f2 4989d8 e8???????? 4d8d4728 4c8d7650 4c89f1 } // n = 7, score = 100 // 4889f9 | arpl cx, dx // 4c89f2 | dec eax // 4989d8 | lea ecx, [0x1db24] // e8???????? | // 4d8d4728 | test ecx, ecx // 4c8d7650 | js 0x1268 // 4c89f1 | jae 0x1262 condition: 7 of them and filesize < 779264 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY