There is no description at this point.
rule win_onhat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.onhat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 50 e8???????? 83c404 83f8ff 89442464 } // n = 5, score = 200 // 50 | push eax // e8???????? | // 83c404 | add esp, 4 // 83f8ff | cmp eax, -1 // 89442464 | mov dword ptr [esp + 0x64], eax $sequence_1 = { c644243b4e c644243c56 885c243d c644243e53 } // n = 4, score = 200 // c644243b4e | mov byte ptr [esp + 0x3b], 0x4e // c644243c56 | mov byte ptr [esp + 0x3c], 0x56 // 885c243d | mov byte ptr [esp + 0x3d], bl // c644243e53 | mov byte ptr [esp + 0x3e], 0x53 $sequence_2 = { 85c0 7d85 68401f0000 ff15???????? 55 e8???????? 56 } // n = 7, score = 200 // 85c0 | test eax, eax // 7d85 | jge 0xffffff87 // 68401f0000 | push 0x1f40 // ff15???????? | // 55 | push ebp // e8???????? | // 56 | push esi $sequence_3 = { 55 ff15???????? 8bf0 3bf5 7526 } // n = 5, score = 200 // 55 | push ebp // ff15???????? | // 8bf0 | mov esi, eax // 3bf5 | cmp esi, ebp // 7526 | jne 0x28 $sequence_4 = { 55 895c2450 e8???????? 8b542410 89442448 52 e8???????? } // n = 7, score = 200 // 55 | push ebp // 895c2450 | mov dword ptr [esp + 0x50], ebx // e8???????? | // 8b542410 | mov edx, dword ptr [esp + 0x10] // 89442448 | mov dword ptr [esp + 0x48], eax // 52 | push edx // e8???????? | $sequence_5 = { 3bc3 0f84d7000000 8b0c8e 8a1401 8b44241c } // n = 5, score = 200 // 3bc3 | cmp eax, ebx // 0f84d7000000 | je 0xdd // 8b0c8e | mov ecx, dword ptr [esi + ecx*4] // 8a1401 | mov dl, byte ptr [ecx + eax] // 8b44241c | mov eax, dword ptr [esp + 0x1c] $sequence_6 = { 85c0 0f85c2010000 88442469 55 8d44246c 6a02 } // n = 6, score = 200 // 85c0 | test eax, eax // 0f85c2010000 | jne 0x1c8 // 88442469 | mov byte ptr [esp + 0x69], al // 55 | push ebp // 8d44246c | lea eax, dword ptr [esp + 0x6c] // 6a02 | push 2 $sequence_7 = { f3ab 66ab 8bac2478100000 8b9c246c100000 } // n = 4, score = 200 // f3ab | rep stosd dword ptr es:[edi], eax // 66ab | stosw word ptr es:[edi], ax // 8bac2478100000 | mov ebp, dword ptr [esp + 0x1078] // 8b9c246c100000 | mov ebx, dword ptr [esp + 0x106c] $sequence_8 = { 33c9 8a4c2432 8ac7 52 50 c1eb18 51 } // n = 7, score = 200 // 33c9 | xor ecx, ecx // 8a4c2432 | mov cl, byte ptr [esp + 0x32] // 8ac7 | mov al, bh // 52 | push edx // 50 | push eax // c1eb18 | shr ebx, 0x18 // 51 | push ecx $sequence_9 = { 83c40c b801000080 5f 5e 5d 5b } // n = 6, score = 200 // 83c40c | add esp, 0xc // b801000080 | mov eax, 0x80000001 // 5f | pop edi // 5e | pop esi // 5d | pop ebp // 5b | pop ebx condition: 7 of them and filesize < 57344 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY