SYMBOLCOMMON_NAMEaka. SYNONYMS
win.matsnu (Back to overview)

Matsnu

VTCollection    

There is no description at this point.

References
2015-05-15Check PointStanislav Skuratovich
MATSNU
Matsnu
Yara Rules
[TLP:WHITE] win_matsnu_auto (20230808 | Detects win.matsnu.)
rule win_matsnu_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.matsnu."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 8985bcfbffff 83bdb0fbffff01 0f8588000000 8b85bcfbffff 8985c4fbffff 8b85c0fbffff }
            // n = 7, score = 700
            //   e9????????           |                     
            //   8985bcfbffff         | mov                 dword ptr [ebp - 0x444], eax
            //   83bdb0fbffff01       | cmp                 dword ptr [ebp - 0x450], 1
            //   0f8588000000         | jne                 0x8e
            //   8b85bcfbffff         | mov                 eax, dword ptr [ebp - 0x444]
            //   8985c4fbffff         | mov                 dword ptr [ebp - 0x43c], eax
            //   8b85c0fbffff         | mov                 eax, dword ptr [ebp - 0x440]

        $sequence_1 = { eb04 c647023d 837d1003 7213 }
            // n = 4, score = 700
            //   eb04                 | jmp                 6
            //   c647023d             | mov                 byte ptr [edi + 2], 0x3d
            //   837d1003             | cmp                 dword ptr [ebp + 0x10], 3
            //   7213                 | jb                  0x15

        $sequence_2 = { eb04 c647023d 837d1003 7213 31c0 8a4602 243f }
            // n = 7, score = 700
            //   eb04                 | jmp                 6
            //   c647023d             | mov                 byte ptr [edi + 2], 0x3d
            //   837d1003             | cmp                 dword ptr [ebp + 0x10], 3
            //   7213                 | jb                  0x15
            //   31c0                 | xor                 eax, eax
            //   8a4602               | mov                 al, byte ptr [esi + 2]
            //   243f                 | and                 al, 0x3f

        $sequence_3 = { 8b45e0 3b450c 0f8391000000 c745e800000000 }
            // n = 4, score = 700
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]
            //   0f8391000000         | jae                 0x97
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0

        $sequence_4 = { 750f c785a4fbffff02000000 e9???????? 8985bcfbffff 83bdb0fbffff01 0f8588000000 8b85bcfbffff }
            // n = 7, score = 700
            //   750f                 | jne                 0x11
            //   c785a4fbffff02000000     | mov    dword ptr [ebp - 0x45c], 2
            //   e9????????           |                     
            //   8985bcfbffff         | mov                 dword ptr [ebp - 0x444], eax
            //   83bdb0fbffff01       | cmp                 dword ptr [ebp - 0x450], 1
            //   0f8588000000         | jne                 0x8e
            //   8b85bcfbffff         | mov                 eax, dword ptr [ebp - 0x444]

        $sequence_5 = { 85c0 0f84a6000000 8945fc 8b45e0 3b450c }
            // n = 5, score = 700
            //   85c0                 | test                eax, eax
            //   0f84a6000000         | je                  0xac
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]

        $sequence_6 = { c78570f3ffff00000000 c78574f3ffff00000000 c78578f3ffff00000000 c7857cf3ffff00000000 }
            // n = 4, score = 700
            //   c78570f3ffff00000000     | mov    dword ptr [ebp - 0xc90], 0
            //   c78574f3ffff00000000     | mov    dword ptr [ebp - 0xc8c], 0
            //   c78578f3ffff00000000     | mov    dword ptr [ebp - 0xc88], 0
            //   c7857cf3ffff00000000     | mov    dword ptr [ebp - 0xc84], 0

        $sequence_7 = { 751d ff45da ba00000000 8b45da }
            // n = 4, score = 700
            //   751d                 | jne                 0x1f
            //   ff45da               | inc                 dword ptr [ebp - 0x26]
            //   ba00000000           | mov                 edx, 0
            //   8b45da               | mov                 eax, dword ptr [ebp - 0x26]

        $sequence_8 = { 3b45ba 7228 8b7d08 8b4704 3b45ba 751d }
            // n = 6, score = 700
            //   3b45ba               | cmp                 eax, dword ptr [ebp - 0x46]
            //   7228                 | jb                  0x2a
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   3b45ba               | cmp                 eax, dword ptr [ebp - 0x46]
            //   751d                 | jne                 0x1f

        $sequence_9 = { 89e5 81ec18020000 c785e8fdffff00000000 c785ecfdffff00000000 c785f0fdffff00000000 }
            // n = 5, score = 700
            //   89e5                 | mov                 ebp, esp
            //   81ec18020000         | sub                 esp, 0x218
            //   c785e8fdffff00000000     | mov    dword ptr [ebp - 0x218], 0
            //   c785ecfdffff00000000     | mov    dword ptr [ebp - 0x214], 0
            //   c785f0fdffff00000000     | mov    dword ptr [ebp - 0x210], 0

    condition:
        7 of them and filesize < 606992
}
Download all Yara Rules