There is no description at this point.
rule win_mole_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.mole." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 81bdf0fdffff99000000 0f8787710000 8b95f0fdffff 0fb68248c04000 ff248514c04000 81bdf0fdffffd3a7d105 0f8794000000 } // n = 7, score = 100 // 81bdf0fdffff99000000 | cmp dword ptr [ebp - 0x210], 0x99 // 0f8787710000 | ja 0x718d // 8b95f0fdffff | mov edx, dword ptr [ebp - 0x210] // 0fb68248c04000 | movzx eax, byte ptr [edx + 0x40c048] // ff248514c04000 | jmp dword ptr [eax*4 + 0x40c014] // 81bdf0fdffffd3a7d105 | cmp dword ptr [ebp - 0x210], 0x5d1a7d3 // 0f8794000000 | ja 0x9a $sequence_1 = { 6bc000 0385bcf9ffff 898588e5ffff 837d1401 751a 68???????? 68???????? } // n = 7, score = 100 // 6bc000 | imul eax, eax, 0 // 0385bcf9ffff | add eax, dword ptr [ebp - 0x644] // 898588e5ffff | mov dword ptr [ebp - 0x1a78], eax // 837d1401 | cmp dword ptr [ebp + 0x14], 1 // 751a | jne 0x1c // 68???????? | // 68???????? | $sequence_2 = { 81bdf0fdffffcde5d405 0f8458400000 81bdf0fdffff41e6d405 0f849e440000 81bdf0fdffff44e6d405 0f84742c0000 e9???????? } // n = 7, score = 100 // 81bdf0fdffffcde5d405 | cmp dword ptr [ebp - 0x210], 0x5d4e5cd // 0f8458400000 | je 0x405e // 81bdf0fdffff41e6d405 | cmp dword ptr [ebp - 0x210], 0x5d4e641 // 0f849e440000 | je 0x44a4 // 81bdf0fdffff44e6d405 | cmp dword ptr [ebp - 0x210], 0x5d4e644 // 0f84742c0000 | je 0x2c7a // e9???????? | $sequence_3 = { e9???????? 81bdf0fdffff5625d105 0f8786000000 81bdf0fdffff5625d105 0f8494710000 81bdf0fdffffc624d105 7745 } // n = 7, score = 100 // e9???????? | // 81bdf0fdffff5625d105 | cmp dword ptr [ebp - 0x210], 0x5d12556 // 0f8786000000 | ja 0x8c // 81bdf0fdffff5625d105 | cmp dword ptr [ebp - 0x210], 0x5d12556 // 0f8494710000 | je 0x719a // 81bdf0fdffffc624d105 | cmp dword ptr [ebp - 0x210], 0x5d124c6 // 7745 | ja 0x47 $sequence_4 = { 8d959cefffff 52 68???????? 6801000080 ff15???????? 898584efffff 8d85d4fbffff } // n = 7, score = 100 // 8d959cefffff | lea edx, [ebp - 0x1064] // 52 | push edx // 68???????? | // 6801000080 | push 0x80000001 // ff15???????? | // 898584efffff | mov dword ptr [ebp - 0x107c], eax // 8d85d4fbffff | lea eax, [ebp - 0x42c] $sequence_5 = { 8d85ace4ffff 50 6a05 68???????? 8b8dc4e4ffff 51 ff15???????? } // n = 7, score = 100 // 8d85ace4ffff | lea eax, [ebp - 0x1b54] // 50 | push eax // 6a05 | push 5 // 68???????? | // 8b8dc4e4ffff | mov ecx, dword ptr [ebp - 0x1b3c] // 51 | push ecx // ff15???????? | $sequence_6 = { c7802ceb410002000000 6a04 58 6bc000 8b0d???????? 894c05f8 6a04 } // n = 7, score = 100 // c7802ceb410002000000 | mov dword ptr [eax + 0x41eb2c], 2 // 6a04 | push 4 // 58 | pop eax // 6bc000 | imul eax, eax, 0 // 8b0d???????? | // 894c05f8 | mov dword ptr [ebp + eax - 8], ecx // 6a04 | push 4 $sequence_7 = { 8d9530e2ffff 52 e8???????? 83c404 6a64 68???????? 8d85ecfbffff } // n = 7, score = 100 // 8d9530e2ffff | lea edx, [ebp - 0x1dd0] // 52 | push edx // e8???????? | // 83c404 | add esp, 4 // 6a64 | push 0x64 // 68???????? | // 8d85ecfbffff | lea eax, [ebp - 0x414] $sequence_8 = { 83c410 8d959cf9ffff 52 8b8590e5ffff } // n = 4, score = 100 // 83c410 | add esp, 0x10 // 8d959cf9ffff | lea edx, [ebp - 0x664] // 52 | push edx // 8b8590e5ffff | mov eax, dword ptr [ebp - 0x1a70] $sequence_9 = { e8???????? e8???????? 898580f7ffff 81bd80f7ffff00300000 7575 6a00 } // n = 6, score = 100 // e8???????? | // e8???????? | // 898580f7ffff | mov dword ptr [ebp - 0x880], eax // 81bd80f7ffff00300000 | cmp dword ptr [ebp - 0x880], 0x3000 // 7575 | jne 0x77 // 6a00 | push 0 condition: 7 of them and filesize < 297984 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY