Actor(s): Lazarus Group
There is no description at this point.
// Autogenerated Malpedia rule for the family win.pslogger (the page attributes it to Lazarus Group).
// Restored to one directive per line: in the single-line form every "//" annotation swallows the
// $sequence_N definition that follows it, so the rule as printed would not compile.
rule win_pslogger_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // NOTE(review): the "bytes | mnemonic" annotations below are generator output, not part of the
        // signature. $sequence_0 .. $sequence_7 start with REX prefixes (0x48 / 0x4c / 0x41), i.e. 64-bit
        // code, and the "dec eax" / "inc ecx" mnemonics are what a 32-bit decoder makes of those prefix
        // bytes. The annotation column of $sequence_3 .. $sequence_7 also appears shifted against the
        // bytes it sits next to (e.g. the decode of c74424405b445d00 is listed under $sequence_4).
        // Treat the annotations as unreliable and re-disassemble the bytes when triaging a hit.
        $sequence_0 = { 488b55e0 483bda 741f 488b0b 4885c9 740a }
            // n = 6, score = 200
            //   488b55e0             | dec                 eax
            //   483bda               | mov                 edx, dword ptr [ebp - 0x20]
            //   741f                 | dec                 eax
            //   488b0b               | cmp                 ebx, edx
            //   4885c9               | je                  0x21
            //   740a                 | dec                 eax

        $sequence_1 = { 33c9 488d159f510100 48891401 4883c230 }
            // n = 4, score = 200
            //   33c9                 | mov                 edi, edx
            //   488d159f510100       | dec                 eax
            //   48891401             | mov                 ebx, ecx
            //   4883c230             | dec                 eax

        $sequence_2 = { 4885c9 740c e8???????? 4c8935???????? 488d0dfb3b0100 }
            // n = 5, score = 200
            //   4885c9               | dec                 eax
            //   740c                 | lea                 esi, [0x15406]
            //   e8????????           |
            //   4c8935????????       |
            //   488d0dfb3b0100       | dec                 eax

        $sequence_3 = { c74424405b445d00 e9???????? c74424405b425d00 e9???????? }
            // n = 4, score = 200
            //   c74424405b445d00     | mov                 ecx, dword ptr [ebx]
            //   e9????????           |
            //   c74424405b425d00     | dec                 eax
            //   e9????????           |

        $sequence_4 = { 488bcf e8???????? 488bcf 488d3506540100 }
            // n = 4, score = 200
            //   488bcf               | test                ecx, ecx
            //   e8????????           |
            //   488bcf               | je                  0xc
            //   488d3506540100       | mov                 dword ptr [esp + 0x40], 0x5d445b

        $sequence_5 = { 85c0 7408 8bcb ff15???????? e8???????? 488d154acc0000 488d0d23cc0000 }
            // n = 7, score = 200
            //   85c0                 | lea                 ecx, [ebp - 0x40]
            //   7408                 | dec                 eax
            //   8bcb                 | lea                 edx, [0x9925]
            //   ff15????????         |
            //   e8????????           |
            //   488d154acc0000       | inc                 ecx
            //   488d0d23cc0000       | mov                 eax, 0x40

        $sequence_6 = { 488bfa 488bd9 488d4dc0 488d1525990000 41b840000000 }
            // n = 5, score = 200
            //   488bfa               | mov                 dword ptr [esp + 0x40], 0x5d425b
            //   488bd9               | dec                 eax
            //   488d4dc0             | mov                 ecx, edi
            //   488d1525990000       | dec                 eax
            //   41b840000000         | mov                 ecx, edi

        $sequence_7 = { 488bc1 48c1f805 488d1518040100 83e11f 486bc958 488b04c2 80640808fe }
            // n = 7, score = 200
            //   488bc1               | dec                 eax
            //   48c1f805             | test                ecx, ecx
            //   488d1518040100       | je                  0x11
            //   83e11f               | dec                 eax
            //   486bc958             | lea                 ecx, [0x13bfb]
            //   488b04c2             | xor                 ecx, ecx
            //   80640808fe           | dec                 eax

        // $sequence_8 .. $sequence_15 carry score = 100 and use 32-bit idioms (push/pop, absolute
        // 0x0042xxxx data references); presumably they come from a different (32-bit) sample than
        // the score = 200 group — confirm against the Malpedia entry before relying on that split.
        $sequence_8 = { 56 33f6 8b8688b14200 85c0 740e 50 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   8b8688b14200         | mov                 eax, dword ptr [esi + 0x42b188]
            //   85c0                 | test                eax, eax
            //   740e                 | je                  0x10
            //   50                   | push                eax

        $sequence_9 = { ff15???????? e8???????? 68???????? ff15???????? 8b4dfc 33c0 }
            // n = 6, score = 100
            //   ff15????????         |
            //   e8????????           |
            //   68????????           |
            //   ff15????????         |
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33c0                 | xor                 eax, eax

        $sequence_10 = { e8???????? 83c408 c745d8a8024200 8d45d8 68???????? 50 e8???????? }
            // n = 7, score = 100
            //   e8????????           |
            //   83c408               | add                 esp, 8
            //   c745d8a8024200       | mov                 dword ptr [ebp - 0x28], 0x4202a8
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   68????????           |
            //   50                   | push                eax
            //   e8????????           |

        $sequence_11 = { 83c408 85db 750f c705????????00000100 }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   85db                 | test                ebx, ebx
            //   750f                 | jne                 0x11
            //   c705????????00000100 |

        $sequence_12 = { 59 0304bd88b14200 5f eb05 b8???????? 8a4028 }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   0304bd88b14200       | add                 eax, dword ptr [edi*4 + 0x42b188]
            //   5f                   | pop                 edi
            //   eb05                 | jmp                 7
            //   b8????????           |
            //   8a4028               | mov                 al, byte ptr [eax + 0x28]

        $sequence_13 = { 6804010000 8d84245c020000 6a00 50 e8???????? 83c40c }
            // n = 6, score = 100
            //   6804010000           | push                0x104
            //   8d84245c020000       | lea                 eax, [esp + 0x25c]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |
            //   83c40c               | add                 esp, 0xc

        $sequence_14 = { 898598fbffff 8b4318 034310 89859cfbffff 8d45e8 }
            // n = 5, score = 100
            //   898598fbffff         | mov                 dword ptr [ebp - 0x468], eax
            //   8b4318               | mov                 eax, dword ptr [ebx + 0x18]
            //   034310               | add                 eax, dword ptr [ebx + 0x10]
            //   89859cfbffff         | mov                 dword ptr [ebp - 0x464], eax
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        $sequence_15 = { 66c745e8f879 c645ea00 e8???????? 8d95c4feffff }
            // n = 4, score = 100
            //   66c745e8f879         | mov                 word ptr [ebp - 0x18], 0x79f8
            //   c645ea00             | mov                 byte ptr [ebp - 0x16], 0
            //   e8????????           |
            //   8d95c4feffff         | lea                 edx, [ebp - 0x13c]

    condition:
        // Any 7 of the 16 sequences trigger the rule. Since each score group holds 8 sequences,
        // one group alone can satisfy the threshold, so a match does not tell you which of the two
        // underlying samples (or architectures) the scanned file resembles.
        // filesize is in bytes: 434176 = 424 KiB. Larger files (e.g. padded or repacked builds)
        // are excluded even if every sequence is present, so keep this bound in mind when tuning.
        7 of them and filesize < 434176
}