Actor(s): EMISSARY PANDA
There is no description at this point.
rule win_polpo_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.polpo." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polpo" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 55 8bec 8b550c 33c0 33c9 85d2 7e15 } // n = 7, score = 100 // 55 | push ebp // 8bec | mov ebp, esp // 8b550c | mov edx, dword ptr [ebp + 0xc] // 33c0 | xor eax, eax // 33c9 | xor ecx, ecx // 85d2 | test edx, edx // 7e15 | jle 0x17 $sequence_1 = { 4e 75f5 8d45f4 50 8d4df8 51 8d55fc } // n = 7, score = 100 // 4e | dec esi // 75f5 | jne 0xfffffff7 // 8d45f4 | lea eax, [ebp - 0xc] // 50 | push eax // 8d4df8 | lea ecx, [ebp - 8] // 51 | push ecx // 8d55fc | lea edx, [ebp - 4] $sequence_2 = { 51 668985ecfbffff e8???????? 83c40c 57 ff15???????? 85c0 } // n = 7, score = 100 // 51 | push ecx // 668985ecfbffff | mov word ptr [ebp - 0x414], ax // e8???????? | // 83c40c | add esp, 0xc // 57 | push edi // ff15???????? | // 85c0 | test eax, eax $sequence_3 = { 8d4df4 8d7101 8a11 41 84d2 75f9 } // n = 6, score = 100 // 8d4df4 | lea ecx, [ebp - 0xc] // 8d7101 | lea esi, [ecx + 1] // 8a11 | mov dl, byte ptr [ecx] // 41 | inc ecx // 84d2 | test dl, dl // 75f9 | jne 0xfffffffb $sequence_4 = { 8bd8 c706eeeeee22 83fbff 751e 6a00 6a04 56 } // n = 7, score = 100 // 8bd8 | mov ebx, eax // c706eeeeee22 | mov dword ptr [esi], 0x22eeeeee // 83fbff | cmp ebx, -1 // 751e | jne 0x20 // 6a00 | push 0 // 6a04 | push 4 // 56 | push esi $sequence_5 = { 89461c ff15???????? 6a04 8bf8 8d45e0 50 6a04 } // n = 7, score = 100 // 89461c | mov dword ptr [esi + 0x1c], eax // ff15???????? | // 6a04 | push 4 // 8bf8 | mov edi, eax // 8d45e0 | lea eax, [ebp - 0x20] // 50 | push eax // 6a04 | push 4 $sequence_6 = { 57 8bf9 6806020000 33db 8d8db6fdffff 33c0 53 } // n = 7, score = 100 // 57 | push edi // 8bf9 | mov edi, ecx // 6806020000 | push 0x206 // 33db | xor ebx, ebx // 8d8db6fdffff | lea ecx, [ebp - 0x24a] // 33c0 | xor eax, eax // 53 | push ebx $sequence_7 = { 83c40c 6804010000 8d85dcfbffff 50 6a00 6a00 6a00 } // n = 7, score = 100 // 83c40c | add esp, 0xc // 6804010000 | push 0x104 // 8d85dcfbffff | lea eax, [ebp - 0x424] // 50 | push eax // 6a00 | push 0 // 6a00 | push 0 // 6a00 | push 0 $sequence_8 = { 55 8bec 837d0c10 7d04 33c0 5d c3 } // n = 7, score = 100 // 55 | push ebp // 8bec | mov ebp, esp // 837d0c10 | cmp dword ptr [ebp + 0xc], 0x10 // 7d04 | jge 6 // 33c0 | xor eax, eax // 5d | pop ebp // c3 | ret $sequence_9 = { ffd7 8b0b 51 ffd7 8b95e0f1ffff 8b02 50 } // n = 7, score = 100 // ffd7 | call edi // 8b0b | mov ecx, dword ptr [ebx] // 51 | push ecx // ffd7 | call edi // 8b95e0f1ffff | mov edx, dword ptr [ebp - 0xe20] // 8b02 | mov eax, dword ptr [edx] // 50 | push eax condition: 7 of them and filesize < 250880 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY