Ransomware.
rule win_mrac_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.mrac." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mrac" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8d8c24d40a0000 6a0f 888424ea0a0000 e8???????? 346c 8d8c24d40a0000 6a10 } // n = 7, score = 200 // 8d8c24d40a0000 | lea ecx, [esp + 0xad4] // 6a0f | push 0xf // 888424ea0a0000 | mov byte ptr [esp + 0xaea], al // e8???????? | // 346c | xor al, 0x6c // 8d8c24d40a0000 | lea ecx, [esp + 0xad4] // 6a10 | push 0x10 $sequence_1 = { 8d8c24c8030000 e8???????? 046e 8d8c24c4030000 6a77 888424c8030000 e8???????? } // n = 7, score = 200 // 8d8c24c8030000 | lea ecx, [esp + 0x3c8] // e8???????? | // 046e | add al, 0x6e // 8d8c24c4030000 | lea ecx, [esp + 0x3c4] // 6a77 | push 0x77 // 888424c8030000 | mov byte ptr [esp + 0x3c8], al // e8???????? | $sequence_2 = { 6a0a 88842475060000 e8???????? 3451 8d8c2464060000 6a0b 88842476060000 } // n = 7, score = 200 // 6a0a | push 0xa // 88842475060000 | mov byte ptr [esp + 0x675], al // e8???????? | // 3451 | xor al, 0x51 // 8d8c2464060000 | lea ecx, [esp + 0x664] // 6a0b | push 0xb // 88842476060000 | mov byte ptr [esp + 0x676], al $sequence_3 = { c684240b07000079 c684240c07000079 c684240d0700007b c684240e0700007e c684240f0700007e c684241007000032 c68424110700003d } // n = 7, score = 200 // c684240b07000079 | mov byte ptr [esp + 0x70b], 0x79 // c684240c07000079 | mov byte ptr [esp + 0x70c], 0x79 // c684240d0700007b | mov byte ptr [esp + 0x70d], 0x7b // c684240e0700007e | mov byte ptr [esp + 0x70e], 0x7e // c684240f0700007e | mov byte ptr [esp + 0x70f], 0x7e // c684241007000032 | mov byte ptr [esp + 0x710], 0x32 // c68424110700003d | mov byte ptr [esp + 0x711], 0x3d $sequence_4 = { 8d8c249c000000 6a27 888424a8000000 e8???????? 0454 8d8c249c000000 6a27 } // n = 7, score = 200 // 8d8c249c000000 | lea ecx, [esp + 0x9c] // 6a27 | push 0x27 // 888424a8000000 | mov byte ptr [esp + 0xa8], al // e8???????? | // 0454 | add al, 0x54 // 8d8c249c000000 | lea ecx, [esp + 0x9c] // 6a27 | push 0x27 $sequence_5 = { 041d 342f 8885a1fbffff 8b8580fbffff 041e 3471 8885a2fbffff } // n = 7, score = 200 // 041d | add al, 0x1d // 342f | xor al, 0x2f // 8885a1fbffff | mov byte ptr [ebp - 0x45f], al // 8b8580fbffff | mov eax, dword ptr [ebp - 0x480] // 041e | add al, 0x1e // 3471 | xor al, 0x71 // 8885a2fbffff | mov byte ptr [ebp - 0x45e], al $sequence_6 = { 8d4c2460 6a4f 88442470 e8???????? 0456 8d4c2460 6a4f } // n = 7, score = 200 // 8d4c2460 | lea ecx, [esp + 0x60] // 6a4f | push 0x4f // 88442470 | mov byte ptr [esp + 0x70], al // e8???????? | // 0456 | add al, 0x56 // 8d4c2460 | lea ecx, [esp + 0x60] // 6a4f | push 0x4f $sequence_7 = { 3462 8845b0 8b459c 0411 346a 8845b1 8b459c } // n = 7, score = 200 // 3462 | xor al, 0x62 // 8845b0 | mov byte ptr [ebp - 0x50], al // 8b459c | mov eax, dword ptr [ebp - 0x64] // 0411 | add al, 0x11 // 346a | xor al, 0x6a // 8845b1 | mov byte ptr [ebp - 0x4f], al // 8b459c | mov eax, dword ptr [ebp - 0x64] $sequence_8 = { 3474 8d8c2414050000 6a06 88842421050000 e8???????? 346f 8d8c2414050000 } // n = 7, score = 200 // 3474 | xor al, 0x74 // 8d8c2414050000 | lea ecx, [esp + 0x514] // 6a06 | push 6 // 88842421050000 | mov byte ptr [esp + 0x521], al // e8???????? | // 346f | xor al, 0x6f // 8d8c2414050000 | lea ecx, [esp + 0x514] $sequence_9 = { 040f 3472 88842433140000 8b842420140000 0410 3469 } // n = 6, score = 200 // 040f | add al, 0xf // 3472 | xor al, 0x72 // 88842433140000 | mov byte ptr [esp + 0x1433], al // 8b842420140000 | mov eax, dword ptr [esp + 0x1420] // 0410 | add al, 0x10 // 3469 | xor al, 0x69 condition: 7 of them and filesize < 745472 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY