Actor(s): Hellsing
There is no description at this point.
rule win_newcore_rat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-05-16" version = "1" description = "Detects win.newcore_rat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat" malpedia_rule_date = "20220513" malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26" malpedia_version = "20220516" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { eb05 1bc0 83d8ff 85c0 0f84e5010000 6683bc24840200002a } // n = 6, score = 100 // eb05 | jmp 7 // 1bc0 | sbb eax, eax // 83d8ff | sbb eax, -1 // 85c0 | test eax, eax // 0f84e5010000 | je 0x1eb // 6683bc24840200002a | cmp word ptr [esp + 0x284], 0x2a $sequence_1 = { e8???????? 8d4c2414 c684245402000008 e8???????? 8d54242c 52 8d4c2418 } // n = 7, score = 100 // e8???????? | // 8d4c2414 | lea ecx, [esp + 0x14] // c684245402000008 | mov byte ptr [esp + 0x254], 8 // e8???????? | // 8d54242c | lea edx, [esp + 0x2c] // 52 | push edx // 8d4c2418 | lea ecx, [esp + 0x18] $sequence_2 = { e8???????? 8b8c24a0080000 8b542434 8b850c100000 } // n = 4, score = 100 // e8???????? | // 8b8c24a0080000 | mov ecx, dword ptr [esp + 0x8a0] // 8b542434 | mov edx, dword ptr [esp + 0x34] // 8b850c100000 | mov eax, dword ptr [ebp + 0x100c] $sequence_3 = { 33c4 89842440040000 8b5514 8b4508 } // n = 4, score = 100 // 33c4 | xor eax, esp // 89842440040000 | mov dword ptr [esp + 0x440], eax // 8b5514 | mov edx, dword ptr [ebp + 0x14] // 8b4508 | mov eax, dword ptr [ebp + 8] $sequence_4 = { 85c0 7409 50 e8???????? 83c404 8b8e64300000 81c100280000 } // n = 7, score = 100 // 85c0 | test eax, eax // 7409 | je 0xb // 50 | push eax // e8???????? | // 83c404 | add esp, 4 // 8b8e64300000 | mov ecx, dword ptr [esi + 0x3064] // 81c100280000 | add ecx, 0x2800 $sequence_5 = { 5d 5b c3 8b8e58300000 03c0 03c0 898678300000 } // n = 7, score = 100 // 5d | pop ebp // 5b | pop ebx // c3 | ret // 8b8e58300000 | mov ecx, dword ptr [esi + 0x3058] // 03c0 | add eax, eax // 03c0 | add eax, eax // 898678300000 | mov dword ptr [esi + 0x3078], eax $sequence_6 = { 8bc1 83f809 7e04 0437 eb02 0430 0fb64c241e } // n = 7, score = 100 // 8bc1 | mov eax, ecx // 83f809 | cmp eax, 9 // 7e04 | jle 6 // 0437 | add al, 0x37 // eb02 | jmp 4 // 0430 | add al, 0x30 // 0fb64c241e | movzx ecx, byte ptr [esp + 0x1e] $sequence_7 = { 53 ffd7 85c0 7432 53 53 53 } // n = 7, score = 100 // 53 | push ebx // ffd7 | call edi // 85c0 | test eax, eax // 7432 | je 0x34 // 53 | push ebx // 53 | push ebx // 53 | push ebx $sequence_8 = { 6830020000 50 8d44245c 50 e8???????? 83c40c 8d4c2448 } // n = 7, score = 100 // 6830020000 | push 0x230 // 50 | push eax // 8d44245c | lea eax, [esp + 0x5c] // 50 | push eax // e8???????? | // 83c40c | add esp, 0xc // 8d4c2448 | lea ecx, [esp + 0x48] $sequence_9 = { 83d8ff 85c0 0f85a3000000 6830020000 50 8d44245c } // n = 6, score = 100 // 83d8ff | sbb eax, -1 // 85c0 | test eax, eax // 0f85a3000000 | jne 0xa9 // 6830020000 | push 0x230 // 50 | push eax // 8d44245c | lea eax, [esp + 0x5c] condition: 7 of them and filesize < 581632 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY