Actor(s): Lazarus Group
There is no description at this point.
rule win_pslogger_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-03-28" version = "1" description = "Detects win.pslogger." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger" malpedia_rule_date = "20230328" malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d" malpedia_version = "20230407" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7618 498bcc e8???????? 33d2 } // n = 4, score = 400 // 7618 | test ecx, ecx // 498bcc | je 0x14 // e8???????? | // 33d2 | dec eax $sequence_1 = { 483b5908 7418 488b0b 4885c9 7406 ff15???????? 4883c318 } // n = 7, score = 400 // 483b5908 | dec eax // 7418 | mov ecx, ebp // 488b0b | test eax, eax // 4885c9 | jne 0xffffff45 // 7406 | dec eax // ff15???????? | // 4883c318 | mov ecx, ebp $sequence_2 = { 4885f6 740a 488bce ff15???????? } // n = 4, score = 400 // 4885f6 | dec eax // 740a | cmp ebx, dword ptr [ecx + 8] // 488bce | je 0x1e // ff15???????? | $sequence_3 = { 488bb424b8040000 488b9c24b0040000 488b8c2490040000 4833cc e8???????? } // n = 5, score = 400 // 488bb424b8040000 | add ebx, 0x18 // 488b9c24b0040000 | dec eax // 488b8c2490040000 | test esi, esi // 4833cc | je 0x13 // e8???????? | $sequence_4 = { e8???????? 488d542420 488bcd ff15???????? 85c0 0f853fffffff 488bcd } // n = 7, score = 400 // e8???????? | // 488d542420 | ret // 488bcd | xor edx, edx // ff15???????? | // 85c0 | xor edx, edx // 0f853fffffff | dec eax // 488bcd | lea edx, [esp + 0x20] $sequence_5 = { e8???????? 85c0 743b 4863f0 488bce e8???????? } // n = 6, score = 400 // e8???????? | // 85c0 | test eax, eax // 743b | je 0x3d // 4863f0 | dec eax // 488bce | arpl ax, si // e8???????? | $sequence_6 = { 4883c428 c3 488b0d???????? 33d2 ff15???????? 488b0d???????? 33d2 } // n = 7, score = 400 // 4883c428 | dec eax // c3 | mov ecx, esi // 488b0d???????? | // 33d2 | dec eax // ff15???????? | // 488b0d???????? | // 33d2 | add esp, 0x28 $sequence_7 = { 483bc8 740e 4885c9 7406 ff15???????? 48891e } // n = 6, score = 400 // 483bc8 | dec eax // 740e | mov ecx, esi // 4885c9 | test eax, eax // 7406 | je 0x3d // ff15???????? | // 48891e | dec eax $sequence_8 = { 8bce 83e63f c1f906 6bf630 8b0c8d88b14200 } // n = 5, score = 100 // 8bce | dec eax // 83e63f | cmp ecx, eax // c1f906 | je 0x13 // 6bf630 | dec eax // 8b0c8d88b14200 | test ecx, ecx $sequence_9 = { e8???????? 83c408 c74580a8024200 8d4580 68???????? } // n = 5, score = 100 // e8???????? | // 83c408 | dec eax // c74580a8024200 | mov ecx, edi // 8d4580 | je 0x1a // 68???????? | $sequence_10 = { 6689748106 be00000000 8b4df4 85c0 0f8895000000 8b45fc 83c006 } // n = 7, score = 100 // 6689748106 | je 0x10 // be00000000 | dec eax // 8b4df4 | mov dword ptr [esi], ebx // 85c0 | dec eax // 0f8895000000 | mov dword ptr [esi], ebx // 8b45fc | dec eax // 83c006 | mov edx, ebx $sequence_11 = { 83c408 85db 750f c705????????00000100 e9???????? 833b02 } // n = 6, score = 100 // 83c408 | test esi, esi // 85db | je 0xf // 750f | dec eax // c705????????00000100 | // e9???????? | // 833b02 | mov ecx, esi $sequence_12 = { 53 899dd4feffff e8???????? 8d95dcfeffff e8???????? } // n = 5, score = 100 // 53 | dec eax // 899dd4feffff | add ebx, 0x18 // e8???????? | // 8d95dcfeffff | dec eax // e8???????? | $sequence_13 = { 8b049d88b14200 8b4de0 f644082801 7515 e8???????? c70009000000 } // n = 6, score = 100 // 8b049d88b14200 | test eax, eax // 8b4de0 | je 0x47 // f644082801 | dec eax // 7515 | arpl ax, si // e8???????? | // c70009000000 | jbe 0x1a $sequence_14 = { 83fe0c 7cee 8b8570fbffff c1e808 33ff 8845db } // n = 6, score = 100 // 83fe0c | dec eax // 7cee | mov ebx, dword ptr [esp + 0x4b0] // 8b8570fbffff | dec eax // c1e808 | mov ecx, dword ptr [esp + 0x490] // 33ff | dec eax // 8845db | xor ecx, esp $sequence_15 = { 6689842428040000 eb6e b87c000000 6689842428040000 eb5f } // n = 5, score = 100 // 6689842428040000 | dec ecx // eb6e | mov ecx, esp // b87c000000 | xor edx, edx // 6689842428040000 | dec eax // eb5f | mov esi, dword ptr [esp + 0x4b8] condition: 7 of them and filesize < 475136 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY