Actor(s): MuddyWater
There is no description at this point.
rule win_moriagent_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2021-06-10" version = "1" description = "Detects win.moriagent." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent" malpedia_rule_date = "20210604" malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd" malpedia_version = "20210616" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { eb0c b802000000 eb05 b801000000 33ff } // n = 5, score = 200 // eb0c | jmp 0xe // b802000000 | mov eax, 2 // eb05 | jmp 7 // b801000000 | mov eax, 1 // 33ff | xor edi, edi $sequence_1 = { 90 4c89742450 48c74424580f000000 c644244000 } // n = 4, score = 100 // 90 | mov dword ptr [ebp - 0x48], 7 // 4c89742450 | inc sp // 48c74424580f000000 | mov dword ptr [ebp - 0x60], ebp // c644244000 | inc ebp $sequence_2 = { 90 4c89742438 48c74424400f000000 c644242800 } // n = 4, score = 100 // 90 | nop // 4c89742438 | dec esp // 48c74424400f000000 | mov dword ptr [ebp - 0x70], ebp // c644242800 | dec eax $sequence_3 = { 660fd68534efffff 0d80000000 83c808 c745fc0c000000 8db524efffff } // n = 5, score = 100 // 660fd68534efffff | movq qword ptr [ebp - 0x10cc], xmm0 // 0d80000000 | or eax, 0x80 // 83c808 | or eax, 8 // c745fc0c000000 | mov dword ptr [ebp - 4], 0xc // 8db524efffff | lea esi, dword ptr [ebp - 0x10dc] $sequence_4 = { 90 4c896db0 48c745b807000000 6644896da0 } // n = 4, score = 100 // 90 | or ecx, 0xffffffff // 4c896db0 | inc ebp // 48c745b807000000 | xor eax, eax // 6644896da0 | nop $sequence_5 = { 90 4c8965cf 48c745d70f000000 c645bf00 } // n = 4, score = 100 // 90 | or ecx, 0xffffffff // 4c8965cf | inc ebp // 48c745d70f000000 | xor eax, eax // c645bf00 | dec eax $sequence_6 = { 8d4d08 e9???????? 8b8560feffff 83e001 0f8412000000 } // n = 5, score = 100 // 8d4d08 | lea ecx, dword ptr [ebp + 8] // e9???????? | // 8b8560feffff | mov eax, dword ptr [ebp - 0x1a0] // 83e001 | and eax, 1 // 0f8412000000 | je 0x18 $sequence_7 = { 8d4dc8 52 50 e8???????? 834dec04 c745fc02000000 } // n = 6, score = 100 // 8d4dc8 | lea ecx, dword ptr [ebp - 0x38] // 52 | push edx // 50 | push eax // e8???????? | // 834dec04 | or dword ptr [ebp - 0x14], 4 // c745fc02000000 | mov dword ptr [ebp - 4], 2 $sequence_8 = { 90 4c8965a7 48c745af0f000000 c6459700 4983c9ff 4533c0 488bd6 } // n = 7, score = 100 // 90 | nop // 4c8965a7 | dec esp // 48c745af0f000000 | mov dword ptr [ebp - 0x59], esp // c6459700 | dec eax // 4983c9ff | mov dword ptr [ebp - 0x51], 0xf // 4533c0 | mov byte ptr [ebp - 0x69], 0 // 488bd6 | dec ecx $sequence_9 = { 0f1107 f30f7e45d8 660fd64710 eb60 8b55dc 83fa10 7258 } // n = 7, score = 100 // 0f1107 | movups xmmword ptr [edi], xmm0 // f30f7e45d8 | movq xmm0, qword ptr [ebp - 0x28] // 660fd64710 | movq qword ptr [edi + 0x10], xmm0 // eb60 | jmp 0x62 // 8b55dc | mov edx, dword ptr [ebp - 0x24] // 83fa10 | cmp edx, 0x10 // 7258 | jb 0x5a $sequence_10 = { 742b 8bc1 c0e204 c1e802 240f 02c2 } // n = 6, score = 100 // 742b | je 0x2d // 8bc1 | mov eax, ecx // c0e204 | shl dl, 4 // c1e802 | shr eax, 2 // 240f | and al, 0xf // 02c2 | add al, dl $sequence_11 = { 90 4c8965ef 48c745f70f000000 c645df00 } // n = 4, score = 100 // 90 | xor eax, eax // 4c8965ef | nop // 48c745f70f000000 | dec esp // c645df00 | mov dword ptr [ebp - 0x31], esp $sequence_12 = { 90 4c896d90 48c7459807000000 6644896d80 } // n = 4, score = 100 // 90 | lea edx, dword ptr [ebp - 1] // 4c896d90 | nop // 48c7459807000000 | dec esp // 6644896d80 | mov dword ptr [ebp - 0x11], esp $sequence_13 = { 0f43b59cefffff 0f438d9cefffff 03f2 3bf1 743b 8bf9 } // n = 6, score = 100 // 0f43b59cefffff | cmovae esi, dword ptr [ebp - 0x1064] // 0f438d9cefffff | cmovae ecx, dword ptr [ebp - 0x1064] // 03f2 | add esi, edx // 3bf1 | cmp esi, ecx // 743b | je 0x3d // 8bf9 | mov edi, ecx $sequence_14 = { 8d8d54efffff 8b8554efffff 83c40c 83bd68efffff10 8b9564efffff } // n = 5, score = 100 // 8d8d54efffff | lea ecx, dword ptr [ebp - 0x10ac] // 8b8554efffff | mov eax, dword ptr [ebp - 0x10ac] // 83c40c | add esp, 0xc // 83bd68efffff10 | cmp dword ptr [ebp - 0x1098], 0x10 // 8b9564efffff | mov edx, dword ptr [ebp - 0x109c] condition: 7 of them and filesize < 1347904 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY