There is no description at this point.
rule win_proto8_rat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.proto8_rat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.proto8_rat" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7819 8d4a01 0f1f00 488b5b08 4883e901 75f6 eb07 } // n = 7, score = 100 // 7819 | lea edx, [ebp + 0x460] // 8d4a01 | dec eax // 0f1f00 | mov ecx, esi // 488b5b08 | cmp ebx, edi // 4883e901 | jne 0x2e6 // 75f6 | xor al, al // eb07 | jne 0x752 $sequence_1 = { f04e0fb13409 483bd0 752b 4885d2 7426 440fb68c24c8000000 498bcc } // n = 7, score = 100 // f04e0fb13409 | dec eax // 483bd0 | mov eax, dword ptr [esi + 0x90] // 752b | dec eax // 4885d2 | mov dword ptr [edi], eax // 7426 | dec eax // 440fb68c24c8000000 | mov eax, dword ptr [esi + 0x90] // 498bcc | dec eax $sequence_2 = { 488b4008 48894708 488b4630 488907 488b4630 488b4808 488939 } // n = 7, score = 100 // 488b4008 | mov dword ptr [ecx + 0x350], eax // 48894708 | dec eax // 488b4630 | mov dword ptr [ecx + 0x340], eax // 488907 | dec eax // 488b4630 | mov dword ptr [ecx + 0x348], eax // 488b4808 | mov dword ptr [ecx + 0x358], eax // 488939 | dec eax $sequence_3 = { 764f 6666660f1f840000000000 458bc1 8bd5 49c1e006 4c034360 4183780800 } // n = 7, score = 100 // 764f | dec eax // 6666660f1f840000000000 | mov ebx, dword ptr [esp + 0x38] // 458bc1 | inc esp // 8bd5 | mov esi, dword ptr [esp + 0x30] // 49c1e006 | jne 0x202 // 4c034360 | test edx, edx // 4183780800 | jne 0x1a2 $sequence_4 = { 0f10442428 488b842488000000 0f1100 f20f104c2438 f20f114810 b001 eb02 } // n = 7, score = 100 // 0f10442428 | jne 0x20f // 488b842488000000 | dec esp // 0f1100 | mov esi, dword ptr [esi + 0x58] // f20f104c2438 | dec ebp // f20f114810 | test esi, esi // b001 | je 0x297 // eb02 | call dword ptr [eax + 0x20] $sequence_5 = { e8???????? 84c0 751d 488b03 488bcb ff5018 488bf0 } // n = 7, score = 100 // e8???????? | // 84c0 | dec esp // 751d | arpl word ptr [esp + 0x70], di // 488b03 | dec eax // 488bcb | mov ebx, eax // ff5018 | dec eax // 488bf0 | test eax, eax $sequence_6 = { 4053 4883ec20 488d05634f0400 488bd9 488901 f6c201 740a } // n = 7, score = 100 // 4053 | mov ebx, dword ptr [edi + 0x100] // 4883ec20 | cmp edx, ecx // 488d05634f0400 | jl 0x8f // 488bd9 | sub edx, ecx // 488901 | cmp edx, dword ptr [edi + 0x8c] // f6c201 | jge 0xbf // 740a | dec eax $sequence_7 = { f20f114808 0f28cf 488b41e0 f20f594020 f20f114008 488b41e8 f20f594820 } // n = 7, score = 100 // f20f114808 | mov dword ptr [ebp - 0x10], 1 // 0f28cf | jmp 0x176 // 488b41e0 | add dword ptr [ebp - 0x14], -1 // f20f594020 | inc ecx // f20f114008 | cmove ecx, esp // 488b41e8 | jmp 0x194 // f20f594820 | inc ecx $sequence_8 = { ff15???????? 85c0 757f ff15???????? 3d002f0000 74be 488b4c2440 } // n = 7, score = 100 // ff15???????? | // 85c0 | test eax, eax // 757f | jne 0x19e // ff15???????? | // 3d002f0000 | dec eax // 74be | test esi, esi // 488b4c2440 | jne 0x1c4 $sequence_9 = { 8b842490000000 03ce 894c2428 3bc8 0f829afdffff 4c8b7c2440 4c8b642448 } // n = 7, score = 100 // 8b842490000000 | jg 0xd64 // 03ce | dec eax // 894c2428 | arpl word ptr [ebx + 8], cx // 3bc8 | dec eax // 0f829afdffff | arpl dx, ax // 4c8b7c2440 | dec eax // 4c8b642448 | and ecx, eax condition: 7 of them and filesize < 2537472 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY