There is no description at this point.
rule win_onhat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-03-28" version = "1" description = "Detects win.onhat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat" malpedia_rule_date = "20230328" malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d" malpedia_version = "20230407" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 8b44246c 25ff000000 48 } // n = 4, score = 200 // e8???????? | // 8b44246c | mov eax, dword ptr [esp + 0x6c] // 25ff000000 | and eax, 0xff // 48 | dec eax $sequence_1 = { 5d 8915???????? 890d???????? 5b c3 385802 7415 } // n = 7, score = 200 // 5d | pop ebp // 8915???????? | // 890d???????? | // 5b | pop ebx // c3 | ret // 385802 | cmp byte ptr [eax + 2], bl // 7415 | je 0x17 $sequence_2 = { c1eb18 52 53 68???????? e8???????? 8b44244c 83c42c } // n = 7, score = 200 // c1eb18 | shr ebx, 0x18 // 52 | push edx // 53 | push ebx // 68???????? | // e8???????? | // 8b44244c | mov eax, dword ptr [esp + 0x4c] // 83c42c | add esp, 0x2c $sequence_3 = { 8b542448 51 50 52 e8???????? 83c40c } // n = 6, score = 200 // 8b542448 | mov edx, dword ptr [esp + 0x48] // 51 | push ecx // 50 | push eax // 52 | push edx // e8???????? | // 83c40c | add esp, 0xc $sequence_4 = { 5f b801000080 5e 81c404010000 c3 8d4c2408 51 } // n = 7, score = 200 // 5f | pop edi // b801000080 | mov eax, 0x80000001 // 5e | pop esi // 81c404010000 | add esp, 0x104 // c3 | ret // 8d4c2408 | lea ecx, [esp + 8] // 51 | push ecx $sequence_5 = { 83c408 884c2411 b020 884c241a b253 } // n = 5, score = 200 // 83c408 | add esp, 8 // 884c2411 | mov byte ptr [esp + 0x11], cl // b020 | mov al, 0x20 // 884c241a | mov byte ptr [esp + 0x1a], cl // b253 | mov dl, 0x53 $sequence_6 = { 5e 891d???????? 5d 8915???????? } // n = 4, score = 200 // 5e | pop esi // 891d???????? | // 5d | pop ebp // 8915???????? | $sequence_7 = { 7406 3bc6 8bc7 7405 b802000080 5f 5e } // n = 7, score = 200 // 7406 | je 8 // 3bc6 | cmp eax, esi // 8bc7 | mov eax, edi // 7405 | je 7 // b802000080 | mov eax, 0x80000002 // 5f | pop edi // 5e | pop esi $sequence_8 = { 50 8bd3 33c0 81e2ff000000 33c9 8a4c2436 8ac7 } // n = 7, score = 200 // 50 | push eax // 8bd3 | mov edx, ebx // 33c0 | xor eax, eax // 81e2ff000000 | and edx, 0xff // 33c9 | xor ecx, ecx // 8a4c2436 | mov cl, byte ptr [esp + 0x36] // 8ac7 | mov al, bh $sequence_9 = { 5d b808000080 5b 81c458100000 c3 } // n = 5, score = 200 // 5d | pop ebp // b808000080 | mov eax, 0x80000008 // 5b | pop ebx // 81c458100000 | add esp, 0x1058 // c3 | ret condition: 7 of them and filesize < 57344 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY