Actor(s): Lazarus Group
There is no description at this point.
rule win_op_blockbuster_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-05-16" version = "1" description = "Detects win.op_blockbuster." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster" malpedia_rule_date = "20220513" malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26" malpedia_version = "20220516" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8a08 80f920 7505 83c021 eb05 } // n = 5, score = 800 // 8a08 | dec eax // 80f920 | lea eax, [esp + 0x190] // 7505 | dec esp // 83c021 | lea eax, [esp + 0x60] // eb05 | mov dword ptr [esp + 0x20], 1 $sequence_1 = { 56 57 683c400000 6a40 } // n = 4, score = 800 // 56 | rep stosd dword ptr es:[edi], eax // 57 | stosw word ptr es:[edi], ax // 683c400000 | stosb byte ptr es:[edi], al // 6a40 | pop edi $sequence_2 = { f3ab 66ab aa 5f 85f6 } // n = 5, score = 800 // f3ab | lea eax, [esp + 0x40] // 66ab | dec esp // aa | lea ecx, [esp + 0x40] // 5f | dec eax // 85f6 | mov dword ptr [esp + 0x28], eax $sequence_3 = { ff15???????? 6808400000 6a40 ff15???????? } // n = 4, score = 800 // ff15???????? | // 6808400000 | mov eax, 2 // 6a40 | dec eax // ff15???????? | $sequence_4 = { 6a00 e8???????? 85c0 7407 83f802 } // n = 5, score = 800 // 6a00 | push edi // e8???????? | // 85c0 | push 0x403c // 7407 | push 0x40 // 83f802 | push 0x4000 $sequence_5 = { e8???????? 33c9 5f 85c0 0f9fc1 } // n = 5, score = 800 // e8???????? | // 33c9 | mov ecx, dword ptr [ecx + 0x7c] // 5f | test ecx, ecx // 85c0 | je 9 // 0f9fc1 | push ecx $sequence_6 = { e8???????? 6800400000 6a00 ff15???????? } // n = 4, score = 800 // e8???????? | // 6800400000 | add eax, 0x21 // 6a00 | jmp 0xc // ff15???????? | $sequence_7 = { c701???????? 8b497c 85c9 7407 51 } // n = 5, score = 800 // c701???????? | // 8b497c | test eax, eax // 85c9 | je 0x188 // 7407 | mov edx, dword ptr [esp + 0x44] // 51 | dec ecx $sequence_8 = { 56 50 8d45fc 6a04 50 57 ff15???????? } // n = 7, score = 700 // 56 | stosw word ptr es:[edi], ax // 50 | stosb byte ptr es:[edi], al // 8d45fc | pop edi // 6a04 | test esi, esi // 50 | pop esi // 57 | push esi // ff15???????? | $sequence_9 = { 68???????? ff15???????? 85c0 7412 68???????? 50 e8???????? } // n = 7, score = 700 // 68???????? | // ff15???????? | // 85c0 | pop ecx // 7412 | push esi // 68???????? | // 50 | push eax // e8???????? | $sequence_10 = { 68???????? 56 ff15???????? 68???????? 56 a3???????? e8???????? } // n = 7, score = 700 // 68???????? | // 56 | push eax // ff15???????? | // 68???????? | // 56 | pop ecx // a3???????? | // e8???????? | $sequence_11 = { 3c70 7f04 0409 eb06 3c72 } // n = 5, score = 500 // 3c70 | cmp al, 0x70 // 7f04 | jg 6 // 0409 | add al, 9 // eb06 | jmp 8 // 3c72 | cmp al, 0x72 $sequence_12 = { 3c69 7c08 3c70 7f04 } // n = 4, score = 500 // 3c69 | cmp al, 0x69 // 7c08 | jl 0xa // 3c70 | cmp al, 0x70 // 7f04 | jg 6 $sequence_13 = { 488d442440 4c8d4c2440 4889442428 488d842490010000 4c8d442460 } // n = 5, score = 300 // 488d442440 | inc ecx // 4c8d4c2440 | inc ebp // 4889442428 | xor ecx, ecx // 488d842490010000 | mov dword ptr [esp + 0x40], 1 // 4c8d442460 | mov dword ptr [esp + 0x34], ebx $sequence_14 = { 488b4c2470 33c0 48894580 48894588 488d442478 4889442450 488d4590 } // n = 7, score = 300 // 488b4c2470 | test al, al // 33c0 | jne 0xffffffe9 // 48894580 | cmp byte ptr [edi], 0x3a // 48894588 | jne 0x42 // 488d442478 | dec eax // 4889442450 | mov ecx, dword ptr [esp + 0x70] // 488d4590 | xor eax, eax $sequence_15 = { 8bc6 5f 5e c3 33c0 6a00 } // n = 6, score = 300 // 8bc6 | call dword ptr [ecx + 0x14] // 5f | test eax, eax // 5e | jge 0xb // c3 | xor eax, eax // 33c0 | jmp 0x3a // 6a00 | call dword ptr [ecx + 0x14] $sequence_16 = { 6a00 ff15???????? 8bf8 85ff 7504 5f } // n = 6, score = 300 // 6a00 | jne 0x49 // ff15???????? | // 8bf8 | mov eax, esi // 85ff | pop edi // 7504 | pop esi // 5f | ret $sequence_17 = { 84c0 75e7 803f3a 753d } // n = 4, score = 300 // 84c0 | inc ebp // 75e7 | xor ecx, ecx // 803f3a | dec eax // 753d | mov edi, ecx $sequence_18 = { 57 4883ec50 488bc2 4533c9 488bf9 } // n = 5, score = 300 // 57 | push edi // 4883ec50 | dec eax // 488bc2 | sub esp, 0x50 // 4533c9 | dec eax // 488bf9 | mov eax, edx $sequence_19 = { 33d2 ffc1 4533c9 c744244001000000 895c2434 ff15???????? } // n = 6, score = 300 // 33d2 | dec eax // ffc1 | mov dword ptr [ebp - 0x80], eax // 4533c9 | dec eax // c744244001000000 | mov dword ptr [ebp - 0x78], eax // 895c2434 | dec eax // ff15???????? | $sequence_20 = { ebf8 53 33db 391d???????? 56 57 } // n = 6, score = 300 // ebf8 | test eax, eax // 53 | jge 8 // 33db | xor eax, eax // 391d???????? | // 56 | jmp 0x37 // 57 | mov ax, word ptr [ebp - 6] $sequence_21 = { 48ffc1 84c0 75ea 803f20 740a b802000000 e9???????? } // n = 7, score = 300 // 48ffc1 | lea eax, [esp + 0x78] // 84c0 | dec eax // 75ea | mov dword ptr [esp + 0x50], eax // 803f20 | dec eax // 740a | lea eax, [ebp - 0x70] // b802000000 | xor edx, edx // e9???????? | $sequence_22 = { a3???????? 5e c3 68???????? ff15???????? 85c0 } // n = 6, score = 300 // a3???????? | // 5e | push edi // c3 | push esi // 68???????? | // ff15???????? | // 85c0 | push eax $sequence_23 = { 8bf0 ff15???????? 85f6 7404 85c0 } // n = 5, score = 300 // 8bf0 | xor eax, eax // ff15???????? | // 85f6 | push 0 // 7404 | cmp dword ptr [esp + 8], eax // 85c0 | jmp 0xfffffffa $sequence_24 = { e8???????? 56 e8???????? 83c414 b801000000 } // n = 5, score = 300 // e8???????? | // 56 | push ebx // e8???????? | // 83c414 | xor ebx, ebx // b801000000 | push esi $sequence_25 = { c3 56 53 6a01 57 e8???????? } // n = 6, score = 300 // c3 | jmp 0xfffffffa // 56 | push ebx // 53 | xor ebx, ebx // 6a01 | push esi // 57 | push edi // e8???????? | $sequence_26 = { c1f806 6bc930 8b0485d8974400 80640828fe ff15???????? } // n = 5, score = 200 // c1f806 | push 0 // 6bc930 | mov edi, eax // 8b0485d8974400 | test edi, edi // 80640828fe | jne 0xa // ff15???????? | $sequence_27 = { 7831 8b1cc5ac324400 6a55 53 e8???????? 8bf8 } // n = 6, score = 200 // 7831 | push edi // 8b1cc5ac324400 | push esi // 6a55 | add esp, 0x14 // 53 | ret // e8???????? | // 8bf8 | push esi $sequence_28 = { 83c40c c3 a1???????? 85c0 7402 ffd0 68???????? } // n = 7, score = 200 // 83c40c | pop edi // c3 | pop esi // a1???????? | // 85c0 | ret // 7402 | push esi // ffd0 | push ebx // 68???????? | $sequence_29 = { 6a40 ff74240c ff74240c e8???????? 83c40c c3 a1???????? } // n = 7, score = 200 // 6a40 | push 1 // ff74240c | push edi // ff74240c | push esi // e8???????? | // 83c40c | add esp, 0x14 // c3 | mov eax, 1 // a1???????? | $sequence_30 = { 8a06 46 8b0c8dd8974400 8844392b 83fa03 7511 } // n = 6, score = 200 // 8a06 | push ebx // 46 | push 1 // 8b0c8dd8974400 | push edi // 8844392b | mov esi, eax // 83fa03 | test esi, esi // 7511 | je 8 $sequence_31 = { 894de0 8bc6 83e03f 6bd030 8955dc 8b048dd8974400 } // n = 6, score = 200 // 894de0 | pop edi // 8bc6 | push esi // 83e03f | push esi // 6bd030 | add esp, 0x38 // 8955dc | push ebx // 8b048dd8974400 | push 1 $sequence_32 = { 50 ff5114 85c0 7d04 33c0 eb2f } // n = 6, score = 100 // 50 | push eax // ff5114 | pop esi // 85c0 | ret // 7d04 | test eax, eax // 33c0 | pop esi // eb2f | ret $sequence_33 = { 668b45fa 66894612 668b85f8feffff 66894614 58 5f } // n = 6, score = 100 // 668b45fa | je 0x17 // 66894612 | pop esi // 668b85f8feffff | ret // 66894614 | test eax, eax // 58 | je 0x17 // 5f | jne 0x43 $sequence_34 = { 7541 57 b9ff010000 33c0 8dbdfef7ffff 66899dfcf7ffff } // n = 6, score = 100 // 7541 | lea eax, [ebp - 4] // 57 | push 4 // b9ff010000 | push eax // 33c0 | push edi // 8dbdfef7ffff | test eax, eax // 66899dfcf7ffff | je 0x14 condition: 7 of them and filesize < 74309632 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY