Actor(s): Hellsing
There is no description at this point.
rule win_newcore_rat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.newcore_rat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c20400 8b8e3c200000 8d542404 52 50 8b442414 50 } // n = 7, score = 100 // c20400 | ret 4 // 8b8e3c200000 | mov ecx, dword ptr [esi + 0x203c] // 8d542404 | lea edx, [esp + 4] // 52 | push edx // 50 | push eax // 8b442414 | mov eax, dword ptr [esp + 0x14] // 50 | push eax $sequence_1 = { 33c0 6a08 56 8d54241c 52 81c110040000 8944243c } // n = 7, score = 100 // 33c0 | xor eax, eax // 6a08 | push 8 // 56 | push esi // 8d54241c | lea edx, [esp + 0x1c] // 52 | push edx // 81c110040000 | add ecx, 0x410 // 8944243c | mov dword ptr [esp + 0x3c], eax $sequence_2 = { e8???????? 8b8c247c140200 5f 5e 5b 33cc } // n = 6, score = 100 // e8???????? | // 8b8c247c140200 | mov ecx, dword ptr [esp + 0x2147c] // 5f | pop edi // 5e | pop esi // 5b | pop ebx // 33cc | xor ecx, esp $sequence_3 = { 0437 eb02 0430 83e10f 88442434 8bc1 83f809 } // n = 7, score = 100 // 0437 | add al, 0x37 // eb02 | jmp 4 // 0430 | add al, 0x30 // 83e10f | and ecx, 0xf // 88442434 | mov byte ptr [esp + 0x34], al // 8bc1 | mov eax, ecx // 83f809 | cmp eax, 9 $sequence_4 = { eb03 80c130 83e20f 884802 8bca 83f909 } // n = 6, score = 100 // eb03 | jmp 5 // 80c130 | add cl, 0x30 // 83e20f | and edx, 0xf // 884802 | mov byte ptr [eax + 2], cl // 8bca | mov ecx, edx // 83f909 | cmp ecx, 9 $sequence_5 = { 8bc6 e8???????? eb0c c7035a1b0000 c70600000000 33d2 33c9 } // n = 7, score = 100 // 8bc6 | mov eax, esi // e8???????? | // eb0c | jmp 0xe // c7035a1b0000 | mov dword ptr [ebx], 0x1b5a // c70600000000 | mov dword ptr [esi], 0 // 33d2 | xor edx, edx // 33c9 | xor ecx, ecx $sequence_6 = { 6880000000 8d442448 50 56 ff15???????? 56 } // n = 6, score = 100 // 6880000000 | push 0x80 // 8d442448 | lea eax, [esp + 0x48] // 50 | push eax // 56 | push esi // ff15???????? | // 56 | push esi $sequence_7 = { 5d c21400 8b8638200000 6a00 6800010084 6a00 6a00 } // n = 7, score = 100 // 5d | pop ebp // c21400 | ret 0x14 // 8b8638200000 | mov eax, dword ptr [esi + 0x2038] // 6a00 | push 0 // 6800010084 | push 0x84000100 // 6a00 | push 0 // 6a00 | push 0 $sequence_8 = { 5d c3 8b04cd948d0310 5d c3 0544ffffff } // n = 6, score = 100 // 5d | pop ebp // c3 | ret // 8b04cd948d0310 | mov eax, dword ptr [ecx*8 + 0x10038d94] // 5d | pop ebp // c3 | ret // 0544ffffff | add eax, 0xffffff44 $sequence_9 = { 7e04 0437 eb02 0430 0fb64c2428 88442433 8bc1 } // n = 7, score = 100 // 7e04 | jle 6 // 0437 | add al, 0x37 // eb02 | jmp 4 // 0430 | add al, 0x30 // 0fb64c2428 | movzx ecx, byte ptr [esp + 0x28] // 88442433 | mov byte ptr [esp + 0x33], al // 8bc1 | mov eax, ecx condition: 7 of them and filesize < 581632 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY