win.metadatabin

MetadataBin

aka: Ransomware32

Ransomware. No further behavioural details are documented on this page; the only listed source is the 2020-10-25 write-up under References.

References
2020-10-25 Andrew Ivanov
MetadataBin Ransomware
MetadataBin
Yara Rules
[TLP:WHITE] win_metadatabin_auto (20230808 | Detects win.metadatabin.)
rule win_metadatabin_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.metadatabin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.metadatabin"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): operational caveats for deploying this rule.
     * - The sequences below were taken from unpacked code / memory dumps (see
     *   DISCLAIMER), so a packed or encrypted sample on disk is not expected to
     *   match; scan unpacked payloads or process memory for best results.
     * - The `date` field (2023-12-06) is the generation date; `malpedia_version`
     *   (20230808) presumably identifies the Malpedia dataset snapshot the
     *   sample came from — the two differing is expected, not an error.
     * - All ten sequences are 32-bit x86 instruction runs. Most are generic
     *   arithmetic (mul/adc carry chains, cmov selects, SSE2 pxor/pand) that
     *   could plausibly appear in other compiler output; the `7 of them`
     *   threshold in the condition is what makes the rule specific, so do not
     *   lower it without re-testing against a clean corpus.
     */

    strings:
        // Multiply plus add-with-carry (mul edi / adc / setb): looks like a
        // multi-word arithmetic step — generic on its own.
        $sequence_0 = { 89d1 89c6 8b8424d0000000 11d9 0f92c3 f7e7 89c7 }
            // n = 7, score = 100
            //   89d1                 | mov                 ecx, edx
            //   89c6                 | mov                 esi, eax
            //   8b8424d0000000       | mov                 eax, dword ptr [esp + 0xd0]
            //   11d9                 | adc                 ecx, ebx
            //   0f92c3               | setb                bl
            //   f7e7                 | mul                 edi
            //   89c7                 | mov                 edi, eax

        // Branchless select chain (cmove / cmovl / cmovne) on a value loaded
        // from [ebp - 0x118].
        $sequence_1 = { 8bbde8feffff 0f44c8 01fa 39da 0f4cd3 85ff 0f45da }
            // n = 7, score = 100
            //   8bbde8feffff         | mov                 edi, dword ptr [ebp - 0x118]
            //   0f44c8               | cmove               ecx, eax
            //   01fa                 | add                 edx, edi
            //   39da                 | cmp                 edx, ebx
            //   0f4cd3               | cmovl               edx, ebx
            //   85ff                 | test                edi, edi
            //   0f45da               | cmovne              ebx, edx

        // Carry propagation (adc eax, [esp+0x48]; adc ebx, 0) with a GPR->xmm
        // move (movd xmm1) in between.
        $sequence_2 = { 8b8c2488000000 13442448 897c243c 660f6e4c243c 89f7 8b74245c 83d300 }
            // n = 7, score = 100
            //   8b8c2488000000       | mov                 ecx, dword ptr [esp + 0x88]
            //   13442448             | adc                 eax, dword ptr [esp + 0x48]
            //   897c243c             | mov                 dword ptr [esp + 0x3c], edi
            //   660f6e4c243c         | movd                xmm1, dword ptr [esp + 0x3c]
            //   89f7                 | mov                 edi, esi
            //   8b74245c             | mov                 esi, dword ptr [esp + 0x5c]
            //   83d300               | adc                 ebx, 0

        // Bounds compare (cmp/je/jae), then a 16-bit table load indexed by esi
        // and the immediate add of 0x2312 — the constant is the most
        // distinctive token in this rule.
        $sequence_3 = { 8b742414 8b542424 39de 0f841c010000 0f836e010000 0fb7447430 0512230000 }
            // n = 7, score = 100
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]
            //   39de                 | cmp                 esi, ebx
            //   0f841c010000         | je                  0x122
            //   0f836e010000         | jae                 0x174
            //   0fb7447430           | movzx               eax, word ptr [esp + esi*2 + 0x30]
            //   0512230000           | add                 eax, 0x2312

        // Three arguments written to [esp], [esp+4], [esp+8] followed by an
        // indirect call through a pointer held in the frame ([ebp - 0x10c]),
        // then a flag at [ebp - 0x104] set to 1. Stack-stored args plus an
        // indirect call are consistent with a resolved API pointer being
        // invoked, but the callee is not identifiable from this sequence.
        $sequence_4 = { 8b85f8feffff c744240800000000 895c2404 890424 ff95f4feffff c785fcfeffff01000000 8b8568feffff }
            // n = 7, score = 100
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]
            //   c744240800000000     | mov                 dword ptr [esp + 8], 0
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   890424               | mov                 dword ptr [esp], eax
            //   ff95f4feffff         | call                dword ptr [ebp - 0x10c]
            //   c785fcfeffff01000000     | mov    dword ptr [ebp - 0x104], 1
            //   8b8568feffff         | mov                 eax, dword ptr [ebp - 0x198]

        // mul ebx followed by add/adc with a byte loaded from [esp + 0x28];
        // another multiply-accumulate-with-carry step.
        $sequence_5 = { f7e3 8b5c2470 01c8 89842458010000 0fb6442428 11c2 89d8 }
            // n = 7, score = 100
            //   f7e3                 | mul                 ebx
            //   8b5c2470             | mov                 ebx, dword ptr [esp + 0x70]
            //   01c8                 | add                 eax, ecx
            //   89842458010000       | mov                 dword ptr [esp + 0x158], eax
            //   0fb6442428           | movzx               eax, byte ptr [esp + 0x28]
            //   11c2                 | adc                 edx, eax
            //   89d8                 | mov                 eax, ebx

        // Loads the immediate 0x7ffff into eax around two movd moves into
        // xmm1/xmm3 and an adc edi, 0.
        $sequence_6 = { 897c240c 89fa 89c7 b8ffff0700 660f6e8c2420010000 83d700 660f6e5c240c }
            // n = 7, score = 100
            //   897c240c             | mov                 dword ptr [esp + 0xc], edi
            //   89fa                 | mov                 edx, edi
            //   89c7                 | mov                 edi, eax
            //   b8ffff0700           | mov                 eax, 0x7ffff
            //   660f6e8c2420010000     | movd    xmm1, dword ptr [esp + 0x120]
            //   83d700               | adc                 edi, 0
            //   660f6e5c240c         | movd                xmm3, dword ptr [esp + 0xc]

        // lea esi, [eax + eax*8] then add esi, esi, i.e. esi = eax * 18,
        // followed by add/adc into the carry chain.
        $sequence_7 = { 8d34c0 89442424 01f6 01d1 8b542408 11fe 8b7c241c }
            // n = 7, score = 100
            //   8d34c0               | lea                 esi, [eax + eax*8]
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   01f6                 | add                 esi, esi
            //   01d1                 | add                 ecx, edx
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   11fe                 | adc                 esi, edi
            //   8b7c241c             | mov                 edi, dword ptr [esp + 0x1c]

        // add/adc followed by mul against a stack operand ([esp + 0x60]).
        $sequence_8 = { 89d3 89442418 89f8 039c2480010000 83d100 f7642460 01d8 }
            // n = 7, score = 100
            //   89d3                 | mov                 ebx, edx
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   89f8                 | mov                 eax, edi
            //   039c2480010000       | add                 ebx, dword ptr [esp + 0x180]
            //   83d100               | adc                 ecx, 0
            //   f7642460             | mul                 dword ptr [esp + 0x60]
            //   01d8                 | add                 eax, ebx

        // SSE2 packed logic (pshufd / pxor / pand) over a large stack frame
        // ([esp + 0x560]); generic vectorised XOR/AND, not family-specific by
        // itself.
        $sequence_9 = { 660f70d044 660fefe6 f30f6fb42460050000 660fdbe2 660fefdc 660fefa424a0000000 660f6fc1 }
            // n = 7, score = 100
            //   660f70d044           | pshufd              xmm2, xmm0, 0x44
            //   660fefe6             | pxor                xmm4, xmm6
            //   f30f6fb42460050000     | movdqu    xmm6, xmmword ptr [esp + 0x560]
            //   660fdbe2             | pand                xmm4, xmm2
            //   660fefdc             | pxor                xmm3, xmm4
            //   660fefa424a0000000     | pxor    xmm4, xmmword ptr [esp + 0xa0]
            //   660f6fc1             | movdqa              xmm0, xmm1

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be under 1263616 bytes (0x134800, ~1.2 MiB).
        // NOTE(review): `filesize` is only meaningful for on-disk files; when
        // scanning process memory its value depends on the YARA version and
        // may cause the rule to miss — confirm behaviour in your scanner
        // before relying on it for memory scans.
        7 of them and filesize < 1263616
}