Actor(s): Lazarus Group
There is no description at this point.
rule win_pslogger_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.pslogger." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7463 488bc8 e8???????? 8bc8 e8???????? 85c0 } // n = 6, score = 400 // 7463 | dec eax // 488bc8 | mov edi, ecx // e8???????? | // 8bc8 | dec eax // e8???????? | // 85c0 | cmp ebx, dword ptr [ecx + 8] $sequence_1 = { 488d8c2480030000 e8???????? 488d542420 488bcd } // n = 4, score = 400 // 488d8c2480030000 | xor edx, edx // e8???????? | // 488d542420 | inc ecx // 488bcd | mov eax, 0xbb8 $sequence_2 = { e8???????? e9???????? 4c8bc5 33d2 488bc8 } // n = 5, score = 400 // e8???????? | // e9???????? | // 4c8bc5 | dec eax // 33d2 | mov ecx, eax // 488bc8 | dec esp $sequence_3 = { b9b80b0000 e8???????? 33d2 41b8b80b0000 488bc8 4c8be0 e8???????? } // n = 7, score = 400 // b9b80b0000 | mov edi, ecx // e8???????? | // 33d2 | dec eax // 41b8b80b0000 | cmp ebx, dword ptr [ecx + 8] // 488bc8 | je 0x1e // 4c8be0 | mov ecx, 0xbb8 // e8???????? | $sequence_4 = { 57 4883ec20 488b19 488bf9 483b5908 7418 } // n = 6, score = 400 // 57 | push edi // 4883ec20 | dec eax // 488b19 | sub esp, 0x20 // 488bf9 | dec eax // 483b5908 | mov ebx, dword ptr [ecx] // 7418 | dec eax $sequence_5 = { 483bc8 740e 4885c9 7406 ff15???????? } // n = 5, score = 400 // 483bc8 | dec eax // 740e | mov ecx, eax // 4885c9 | dec eax // 7406 | sub esp, 0x20 // ff15???????? | $sequence_6 = { e9???????? 8d4601 4863e8 488bcd } // n = 4, score = 400 // e9???????? | // 8d4601 | dec esp // 4863e8 | mov eax, ebp // 488bcd | xor edx, edx $sequence_7 = { e8???????? b9b80b0000 e8???????? 33d2 } // n = 4, score = 400 // e8???????? | // b9b80b0000 | je 0x28 // e8???????? | // 33d2 | dec eax $sequence_8 = { 85c0 0f844c030000 83f826 7603 6a26 58 0fb60c85d64b4200 } // n = 7, score = 100 // 85c0 | dec eax // 0f844c030000 | mov edi, ecx // 83f826 | dec eax // 7603 | cmp ebx, dword ptr [ecx + 8] // 6a26 | je 0x28 // 58 | dec eax // 0fb60c85d64b4200 | mov ecx, dword ptr [ebx] $sequence_9 = { 6a00 53 e8???????? ffb5e0feffff 56 ffb5e4feffff 68???????? } // n = 7, score = 100 // 6a00 | dec eax // 53 | arpl ax, si // e8???????? | // ffb5e0feffff | ret // 56 | xor edx, edx // ffb5e4feffff | dec eax // 68???????? | $sequence_10 = { 8b7c2410 2bd6 83c7fe 668b4702 } // n = 4, score = 100 // 8b7c2410 | mov ecx, 0xbb8 // 2bd6 | xor edx, edx // 83c7fe | dec eax // 668b4702 | cmp ecx, eax $sequence_11 = { 7504 8816 eb3e c6060d 8b048d88b14200 8854382a } // n = 6, score = 100 // 7504 | je 0x13 // 8816 | dec eax // eb3e | test ecx, ecx // c6060d | je 0x10 // 8b048d88b14200 | dec eax // 8854382a | lea ecx, [esp + 0x380] $sequence_12 = { c1fa06 6bc830 8b049588b14200 8a440828 a848 7404 33c0 } // n = 7, score = 100 // c1fa06 | je 0x13 // 6bc830 | dec eax // 8b049588b14200 | test ecx, ecx // 8a440828 | je 0x10 // a848 | dec eax // 7404 | mov ecx, eax // 33c0 | mov ecx, eax $sequence_13 = { 894606 8d4594 50 8d4676 } // n = 4, score = 100 // 894606 | dec eax // 8d4594 | mov ecx, ebp // 50 | dec eax // 8d4676 | cmp ecx, eax $sequence_14 = { 6bf830 894df8 6a0a 8b048d88b14200 5b 8b543818 8955ec } // n = 7, score = 100 // 6bf830 | dec eax // 894df8 | lea edx, [esp + 0x20] // 6a0a | je 0x65 // 8b048d88b14200 | dec eax // 5b | mov ecx, eax // 8b543818 | mov ecx, eax // 8955ec | test eax, eax $sequence_15 = { 8b049d88b14200 8945d8 85c0 7553 e8???????? 89049d88b14200 } // n = 6, score = 100 // 8b049d88b14200 | dec eax // 8945d8 | test ecx, ecx // 85c0 | lea eax, [esi + 1] // 7553 | dec eax // e8???????? | // 89049d88b14200 | arpl ax, bp condition: 7 of them and filesize < 475136 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY