Actor(s): FIN8
There is no description at this point.
rule win_poslurp_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.poslurp." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 0f1f440000 418bc0 b908000000 a801 } // n = 4, score = 100 // 0f1f440000 | movzx eax, word ptr [edx] // 418bc0 | cmp ax, 0x30 // b908000000 | jb 0x6b // a801 | nop dword ptr [eax] $sequence_1 = { 7506 807b015a 7409 4881eb00100000 ebec } // n = 5, score = 100 // 7506 | xor ecx, ecx // 807b015a | inc ebp // 7409 | xor eax, eax // 4881eb00100000 | xor edx, edx // ebec | dec eax $sequence_2 = { 498bce e8???????? 85c0 7408 498bce e8???????? } // n = 6, score = 100 // 498bce | jae 0x6e5 // e8???????? | // 85c0 | mov eax, dword ptr [ebx + 0x24] // 7408 | dec eax // 498bce | mov edi, dword ptr [esp + 0x10] // e8???????? | $sequence_3 = { 7434 ffc1 4883c004 3bca 72f1 81fa10270000 } // n = 6, score = 100 // 7434 | mov ecx, eax // ffc1 | dec eax // 4883c004 | mov ecx, edi // 3bca | dec eax // 72f1 | mov ecx, edi // 81fa10270000 | xor edx, edx $sequence_4 = { 4c8d2503280000 4c8d35bc270000 418b1424 85d2 } // n = 4, score = 100 // 4c8d2503280000 | dec ecx // 4c8d35bc270000 | mov dword ptr [esp], eax // 418b1424 | dec eax // 85d2 | mov eax, dword ptr [esp + 0x88] $sequence_5 = { 486bc922 4803c8 4183c101 664589644d00 } // n = 4, score = 100 // 486bc922 | inc esp // 4803c8 | or ecx, edx // 4183c101 | dec ecx // 664589644d00 | sub ebx, 1 $sequence_6 = { 458b0491 4433c0 83c7ff 75df 8b15???????? } // n = 5, score = 100 // 458b0491 | dec ecx // 4433c0 | mov edi, ebx // 83c7ff | test ecx, ecx // 75df | je 0x154 // 8b15???????? | $sequence_7 = { 8bcb 83ea01 0f8491000000 0f1f840000000000 410fbe0424 ffca 83e830 } // n = 7, score = 100 // 8bcb | dec ebp // 83ea01 | test esp, esp // 0f8491000000 | test edx, edx // 0f1f840000000000 | jne 0xde9 // 410fbe0424 | lea eax, dword ptr [edi - 0xf] // ffca | cmp eax, 5 // 83e830 | ja 0xec2 $sequence_8 = { 4533c0 4889442430 33d2 488bcf 48895c2428 48895c2420 } // n = 6, score = 100 // 4533c0 | dec eax // 4889442430 | mov ecx, edi // 33d2 | dec esp // 488bcf | mov dword ptr [esp + 0x30], ebp // 48895c2428 | dec eax // 48895c2420 | mov ebx, dword ptr [edx + 0x30] $sequence_9 = { 0f1f440000 418bf6 498bed 412bf5 448bc6 4d03c5 85f6 } // n = 7, score = 100 // 0f1f440000 | inc esp // 418bf6 | cmp ebx, ebp // 498bed | jae 0x291 // 412bf5 | xor ecx, ecx // 448bc6 | int3 // 4d03c5 | dec eax // 85f6 | or ecx, 0xffffffff condition: 7 of them and filesize < 50176 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY