There is no description at this point.
rule win_newbounce_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.newbounce."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newbounce"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * The per-opcode mnemonic annotations below are generator output and are
     * visibly inconsistent for this rule: the same bytes are annotated
     * differently across sequences (e.g. `85c0` as "inc esp" in $sequence_1
     * but "lea ecx, [esi + 0x354]" in $sequence_2), and the annotations on
     * $sequence_11 ("test eax, eax", "je 0x151", "mov edx, 0x28") do not
     * correspond to its own bytes. Only the hex patterns are matched by YARA;
     * treat the mnemonics as informational and re-disassemble the bytes before
     * relying on them for analysis or tuning.
     * The `????????` wildcards in `ff15????????` / `e8????????` mask the
     * call targets, so those sequences match on opcode plus neighbouring bytes only.
     * Sequences 1-7 carry REX prefixes (48/49/4c/4d) while 8-14 use 32-bit
     * absolute addresses (0x63xxxx) -- presumably two different builds of the
     * family; confirm against the reference samples before changing the threshold.
     */

    strings:
        $sequence_0 = { 83e00f 7e05 2bf0 83c610 }
            // n = 4, score = 300
            //   83e00f               | and                 eax, 0xf
            //   7e05                 | jle                 7
            //   2bf0                 | sub                 esi, eax
            //   83c610               | add                 esi, 0x10

        $sequence_1 = { ff15???????? 85c0 0f844b010000 ba28000000 }
            // n = 4, score = 200
            //   ff15????????         |
            //   85c0                 | inc                 esp
            //   0f844b010000         | mov                 ebp, ebx
            //   ba28000000           | int3

        $sequence_2 = { ff15???????? 85c0 0f8437020000 8b4c2428 }
            // n = 4, score = 200
            //   ff15????????         |
            //   85c0                 | lea                 ecx, [esi + 0x354]
            //   0f8437020000         | xor                 ebx, ebx
            //   8b4c2428             | jne                 0xfffffff7

        $sequence_3 = { ff15???????? 85c0 0f8436020000 4889bc2428010000 c784242001000022000000 c784241801000073252000 c78424100100006b2d2000 }
            // n = 7, score = 200
            //   ff15????????         |
            //   85c0                 | lea                 ecx, [esi + 0x354]
            //   0f8436020000         | jne                 0xfffffff7
            //   4889bc2428010000     | dec                 ecx
            //   c784242001000022000000     | dec                 ecx
            //   c784241801000073252000     | jne                 0xffffffed
            //   c78424100100006b2d2000     | dec                 eax

        $sequence_4 = { 75f5 49ffc8 75eb 488d8104020000 }
            // n = 4, score = 200
            //   75f5                 | jne                 0xfffffff4
            //   49ffc8               | jmp                 0xffffffe7
            //   75eb                 | dec                 eax
            //   488d8104020000       | lea                 edx, [0x1c24a]

        $sequence_5 = { e8???????? cc b201 488bcf e8???????? 4c8d1d8f920100 488d5547 }
            // n = 7, score = 200
            //   e8????????           |
            //   cc                   | jne                 0xfffffff7
            //   b201                 | dec                 ecx
            //   488bcf               | dec                 ecx
            //   e8????????           |
            //   4c8d1d8f920100       | jne                 0xffffffed
            //   488d5547             | dec                 eax

        $sequence_6 = { 75f2 ebe3 488d154ac20100 498bcc 4d8bc7 }
            // n = 5, score = 200
            //   75f2                 | jne                 0xfffffff4
            //   ebe3                 | jmp                 0xffffffe5
            //   488d154ac20100       | dec                 eax
            //   498bcc               | lea                 edx, [0x1c24a]
            //   4d8bc7               | dec                 ecx

        $sequence_7 = { 75f5 49ffc9 75e8 488d8e54030000 }
            // n = 4, score = 200
            //   75f5                 | dec                 esp
            //   49ffc9               | mov                 esp, eax
            //   75e8                 | jne                 0xfffffff7
            //   488d8e54030000       | dec                 ecx

        $sequence_8 = { 81e3c0000000 0bf3 c1ee06 0b14b5b0876300 }
            // n = 4, score = 100
            //   81e3c0000000         | or                  ebx, edx
            //   0bf3                 | mov                 edx, dword ptr [esi*4 + 0x638db0]
            //   c1ee06               | shr                 ebx, 7
            //   0b14b5b0876300       | or                  edx, dword ptr [ebx*4 + 0x638bb0]

        $sequence_9 = { 81e300000600 c1ea14 8b1495b0896300 81e6000f0000 }
            // n = 4, score = 100
            //   81e300000600         | and                 eax, 0xf
            //   c1ea14               | jle                 7
            //   8b1495b0896300       | sub                 esi, eax
            //   81e6000f0000         | add                 esi, 0x10

        $sequence_10 = { 81e300e00100 0bf3 c1ee0d 0b0cb5b0886300 }
            // n = 4, score = 100
            //   81e300e00100         | mov                 edx, dword ptr [edx*4 + 0x6389b0]
            //   0bf3                 | and                 ebx, 0x100000
            //   c1ee0d               | or                  edx, ebx
            //   0b0cb5b0886300       | mov                 ebx, esi

        $sequence_11 = { 81e2ff000000 8b0c8d48436300 8b1c9d48476300 33cb 8b1c85484b6300 2bcb }
            // n = 6, score = 100
            //   81e2ff000000         | test                eax, eax
            //   8b0c8d48436300       | je                  0x151
            //   8b1c9d48476300       | mov                 edx, 0x28
            //   33cb                 | test                eax, eax
            //   8b1c85484b6300       | je                  0x151
            //   2bcb                 | mov                 edx, 0x28

        $sequence_12 = { 81e2ff000000 c1e808 c1e208 53 }
            // n = 4, score = 100
            //   81e2ff000000         | je                  0x151
            //   c1e808               | mov                 edx, 0x28
            //   c1e208               | lea                 edi, [edx + 0x18]
            //   53                   | mov                 ecx, edi

        $sequence_13 = { 81e3001e0000 8bef 81e50000e001 0bf5 c1ee15 8b34b5b08d6300 }
            // n = 6, score = 100
            //   81e3001e0000         | and                 ebp, 0x1e000
            //   8bef                 | and                 ebx, 0x60000
            //   81e50000e001         | shr                 edx, 0x14
            //   0bf5                 | mov                 edx, dword ptr [edx*4 + 0x6389b0]
            //   c1ee15               | and                 esi, 0xf00
            //   8b34b5b08d6300       | mov                 ebp, ecx

        $sequence_14 = { 81e3001e0000 8bd5 81e280010000 0bda 8b14b5b08d6300 }
            // n = 5, score = 100
            //   81e3001e0000         | push                ebx
            //   8bd5                 | or                  edx, eax
            //   81e280010000         | mov                 eax, dword ptr [esp + 0x2c]
            //   0bda                 | push                edx
            //   8b14b5b08d6300       | and                 ebx, 0x60000

    condition:
        // Any 7 of the 15 sequences must be present; the "score" values in the
        // annotations are generator metadata and are not weighted by YARA.
        // The filesize bound (8637440 bytes) limits scanning to files below ~8.2 MiB.
        7 of them and filesize < 8637440
}