win.newbounce

NewBounce


There is no description at this point.

References
2021-10-18 | NortonLifeLock | Norton Labs
@techreport{labs:20211018:operation:9612cbf, author = {Norton Labs}, title = {{Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church}}, date = {2021-10-18}, institution = {NortonLifeLock}, url = {https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf}, language = {English}, urldate = {2021-12-15} } Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church
NewBounce PlugX Zupdax
Yara Rules
[TLP:WHITE] win_newbounce_auto (20230407 | Detects win.newbounce.)
rule win_newbounce_auto {

    /* Auto-generated Malpedia signature for win.newbounce (see `meta` below).
     *
     * How to read the `strings` section:
     *   - every `$sequence_N` is a run of x86 opcode bytes lifted from one
     *     sample; `????????` wildcards a 32-bit displacement (call-target slot).
     *   - the `// n = .., score = ..` line is the generator's own bookkeeping
     *     (n = instruction count; the meaning of score is not documented here,
     *     presumably a per-sample weight -- confirm against yara-signator).
     *   - the per-opcode comment lines were re-derived by decoding the bytes:
     *     sequences 1-7 carry REX prefixes (48/4c) and are x86-64 code, so
     *     they are shown with 64-bit registers; sequences 8-14 and 0 are shown
     *     as 32-bit code. Branch targets follow the generator's convention of
     *     placing the instruction at address 0 (e.g. `7e05` -> `jle 7`).
     *   - sequences 8-14 embed fixed absolute data addresses (0x635348,
     *     0x635748, 0x635b48, 0x635f48: disp32-only SIB addressing), i.e.
     *     they are tied to the image layout of the sample they came from and
     *     will not survive a rebuild that relocates those tables.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.newbounce."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newbounce"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Architecture-neutral: mask to 4 bits, then adjust esi by 0x10 - eax.
        $sequence_0 = { 83e00f 7e05 2bf0 83c610 }
            // n = 4, score = 300
            //   83e00f               | and                 eax, 0xf
            //   7e05                 | jle                 7
            //   2bf0                 | sub                 esi, eax
            //   83c610               | add                 esi, 0x10

        // x86-64: store r8, then a stack-frame epilogue (restore rbx, pop 0x20).
        $sequence_1 = { 759a 4c8903 488bc3 488b5c2438 4883c420 }
            // n = 5, score = 200
            //   759a                 | jne                 0xffffff9c
            //   4c8903               | mov                 qword ptr [rbx], r8
            //   488bc3               | mov                 rax, rbx
            //   488b5c2438           | mov                 rbx, qword ptr [rsp + 0x38]
            //   4883c420             | add                 rsp, 0x20

        // Sequences 2-6: indirect call through a wildcarded pointer slot,
        // followed by a zero-test of the return value and a long conditional jump.
        $sequence_2 = { ff15???????? 85c0 0f841f010000 eb17 }
            // n = 4, score = 200
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   85c0                 | test                eax, eax
            //   0f841f010000         | je                  0x125
            //   eb17                 | jmp                 0x19

        $sequence_3 = { ff15???????? 85c0 0f844b010000 ba28000000 }
            // n = 4, score = 200
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   85c0                 | test                eax, eax
            //   0f844b010000         | je                  0x151
            //   ba28000000           | mov                 edx, 0x28

        $sequence_4 = { ff15???????? 85c0 0f8437020000 8b4c2428 }
            // n = 4, score = 200
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   85c0                 | test                eax, eax
            //   0f8437020000         | je                  0x23d
            //   8b4c2428             | mov                 ecx, dword ptr [rsp + 0x28]

        $sequence_5 = { ff15???????? 85c0 0f8408020000 4c896507 }
            // n = 4, score = 200
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   85c0                 | test                eax, eax
            //   0f8408020000         | je                  0x20e
            //   4c896507             | mov                 qword ptr [rbp + 7], r12

        $sequence_6 = { ff15???????? 85c0 0f8436020000 4889bc2428010000 }
            // n = 4, score = 200
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   85c0                 | test                eax, eax
            //   0f8436020000         | je                  0x23c
            //   4889bc2428010000     | mov                 qword ptr [rsp + 0x128], rdi

        // x86-64: call through a register, convert "result >= 0" into a
        // boolean in eax (setns / xor eax,eax), then restore rbx.
        $sequence_7 = { ffd0 85c0 0f99c3 8bc3 eb02 33c0 488b5c2430 }
            // n = 7, score = 200
            //   ffd0                 | call                rax
            //   85c0                 | test                eax, eax
            //   0f99c3               | setns               bl
            //   8bc3                 | mov                 eax, ebx
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   488b5c2430           | mov                 rbx, qword ptr [rsp + 0x30]

        // Sequences 8-14 (32-bit): byte-indexed lookups into four dword tables
        // at fixed addresses, xor-combined with stack-resident values.
        // NOTE(review): looks like a table-driven block-cipher round -- not
        // confirmed from these bytes alone.
        $sequence_8 = { 81e1ff000000 337c2424 8b0c8d48536300 333c95485f6300 }
            // n = 4, score = 100
            //   81e1ff000000         | and                 ecx, 0xff
            //   337c2424             | xor                 edi, dword ptr [esp + 0x24]
            //   8b0c8d48536300       | mov                 ecx, dword ptr [ecx*4 + 0x635348]
            //   333c95485f6300       | xor                 edi, dword ptr [edx*4 + 0x635f48]

        $sequence_9 = { 81e1ff000000 33048d48576300 8b3cbd48536300 3304b5485f6300 }
            // n = 4, score = 100
            //   81e1ff000000         | and                 ecx, 0xff
            //   33048d48576300       | xor                 eax, dword ptr [ecx*4 + 0x635748]
            //   8b3cbd48536300       | mov                 edi, dword ptr [edi*4 + 0x635348]
            //   3304b5485f6300       | xor                 eax, dword ptr [esi*4 + 0x635f48]

        $sequence_10 = { 81e1ff000000 83f901 0f8507010000 8b4004 }
            // n = 4, score = 100
            //   81e1ff000000         | and                 ecx, 0xff
            //   83f901               | cmp                 ecx, 1
            //   0f8507010000         | jne                 0x10d
            //   8b4004               | mov                 eax, dword ptr [eax + 4]

        $sequence_11 = { 81e1ff000000 330495485f6300 8b0c8d485b6300 33c1 }
            // n = 4, score = 100
            //   81e1ff000000         | and                 ecx, 0xff
            //   330495485f6300       | xor                 eax, dword ptr [edx*4 + 0x635f48]
            //   8b0c8d485b6300       | mov                 ecx, dword ptr [ecx*4 + 0x635b48]
            //   33c1                 | xor                 eax, ecx

        $sequence_12 = { 81e1ff000000 3354241c 33542424 33542448 899424d4000000 8b148d48576300 }
            // n = 6, score = 100
            //   81e1ff000000         | and                 ecx, 0xff
            //   3354241c             | xor                 edx, dword ptr [esp + 0x1c]
            //   33542424             | xor                 edx, dword ptr [esp + 0x24]
            //   33542448             | xor                 edx, dword ptr [esp + 0x48]
            //   899424d4000000       | mov                 dword ptr [esp + 0xd4], edx
            //   8b148d48576300       | mov                 edx, dword ptr [ecx*4 + 0x635748]

        $sequence_13 = { 81e1ff000000 3344242c 8b0c8d48576300 33c1 }
            // n = 4, score = 100
            //   81e1ff000000         | and                 ecx, 0xff
            //   3344242c             | xor                 eax, dword ptr [esp + 0x2c]
            //   8b0c8d48576300       | mov                 ecx, dword ptr [ecx*4 + 0x635748]
            //   33c1                 | xor                 eax, ecx

        $sequence_14 = { 81e1ff000000 33048d485b6300 81e2ff000000 3344242c }
            // n = 4, score = 100
            //   81e1ff000000         | and                 ecx, 0xff
            //   33048d485b6300       | xor                 eax, dword ptr [ecx*4 + 0x635b48]
            //   81e2ff000000         | and                 edx, 0xff
            //   3344242c             | xor                 eax, dword ptr [esp + 0x2c]

    // Fires when any 7 of the 15 sequences match in a file under 8637440 bytes
    // (~8.2 MiB). Since 7 sequences are 64-bit-only and 7 are tied to 32-bit
    // absolute addresses, a single binary can realistically satisfy at most 8
    // of them, so a hit effectively needs almost the whole set for its
    // architecture -- expect low recall on variants; tune `7 of them` if so.
    condition:
        7 of them and filesize < 8637440
}