There is no description at this point.
rule win_ratel_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.ratel." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratel" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 89d9 e8???????? 85c0 75e7 89d9 e8???????? 89d9 } // n = 7, score = 100 // 89d9 | mov ecx, ebx // e8???????? | // 85c0 | test eax, eax // 75e7 | jne 0xffffffe9 // 89d9 | mov ecx, ebx // e8???????? | // 89d9 | mov ecx, ebx $sequence_1 = { a1???????? 85c0 0f85bb010000 8b41fc 8d50ff 8951fc } // n = 6, score = 100 // a1???????? | // 85c0 | test eax, eax // 0f85bb010000 | jne 0x1c1 // 8b41fc | mov eax, dword ptr [ecx - 4] // 8d50ff | lea edx, [eax - 1] // 8951fc | mov dword ptr [ecx - 4], edx $sequence_2 = { 8b442454 8b542414 8b400c 85d2 0f851f040000 83f802 } // n = 6, score = 100 // 8b442454 | mov eax, dword ptr [esp + 0x54] // 8b542414 | mov edx, dword ptr [esp + 0x14] // 8b400c | mov eax, dword ptr [eax + 0xc] // 85d2 | test edx, edx // 0f851f040000 | jne 0x425 // 83f802 | cmp eax, 2 $sequence_3 = { 8bbc24b0000000 e8???????? 8b00 c744245cffffffff c7442460ffffffff 89442428 8b8424a4000000 } // n = 7, score = 100 // 8bbc24b0000000 | mov edi, dword ptr [esp + 0xb0] // e8???????? | // 8b00 | mov eax, dword ptr [eax] // c744245cffffffff | mov dword ptr [esp + 0x5c], 0xffffffff // c7442460ffffffff | mov dword ptr [esp + 0x60], 0xffffffff // 89442428 | mov dword ptr [esp + 0x28], eax // 8b8424a4000000 | mov eax, dword ptr [esp + 0xa4] $sequence_4 = { 0f83a3020000 0fb700 6683f8ff b800000000 0f4545ac 8945ac b800000000 } // n = 7, score = 100 // 0f83a3020000 | jae 0x2a9 // 0fb700 | movzx eax, word ptr [eax] // 6683f8ff | cmp ax, -1 // b800000000 | mov eax, 0 // 0f4545ac | cmovne eax, dword ptr [ebp - 0x54] // 8945ac | mov dword ptr [ebp - 0x54], eax // b800000000 | mov eax, 0 $sequence_5 = { 668993f0000000 c783f400000000000000 c783f800000000000000 c783fc00000000000000 c7830001000000000000 c703???????? c7437c98ce4b00 } // n = 7, score = 100 // 668993f0000000 | mov word ptr [ebx + 0xf0], dx // c783f400000000000000 | mov dword ptr [ebx + 0xf4], 0 // c783f800000000000000 | mov dword ptr [ebx + 0xf8], 0 // c783fc00000000000000 | mov dword ptr [ebx + 0xfc], 0 // c7830001000000000000 | mov dword ptr [ebx + 0x100], 0 // c703???????? | // c7437c98ce4b00 | mov dword ptr [ebx + 0x7c], 0x4bce98 $sequence_6 = { c703???????? c7437884124c00 e8???????? 89b3f0000000 83ec04 8d65f4 5b } // n = 7, score = 100 // c703???????? | // c7437884124c00 | mov dword ptr [ebx + 0x78], 0x4c1284 // e8???????? | // 89b3f0000000 | mov dword ptr [ebx + 0xf0], esi // 83ec04 | sub esp, 4 // 8d65f4 | lea esp, [ebp - 0xc] // 5b | pop ebx $sequence_7 = { 0f9fc1 084dc9 8b4d08 8345cc01 8b4108 3b410c 0f8240ffffff } // n = 7, score = 100 // 0f9fc1 | setg cl // 084dc9 | or byte ptr [ebp - 0x37], cl // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 8345cc01 | add dword ptr [ebp - 0x34], 1 // 8b4108 | mov eax, dword ptr [ecx + 8] // 3b410c | cmp eax, dword ptr [ecx + 0xc] // 0f8240ffffff | jb 0xffffff46 $sequence_8 = { 8b4340 c7431400000000 c7431000000000 0fb67b58 894304 894308 89430c } // n = 7, score = 100 // 8b4340 | mov eax, dword ptr [ebx + 0x40] // c7431400000000 | mov dword ptr [ebx + 0x14], 0 // c7431000000000 | mov dword ptr [ebx + 0x10], 0 // 0fb67b58 | movzx edi, byte ptr [ebx + 0x58] // 894304 | mov dword ptr [ebx + 4], eax // 894308 | mov dword ptr [ebx + 8], eax // 89430c | mov dword ptr [ebx + 0xc], eax $sequence_9 = { 8d4304 89c1 89c6 e8???????? 89b3ec000000 83ec04 8d65f4 } // n = 7, score = 100 // 8d4304 | lea eax, [ebx + 4] // 89c1 | mov ecx, eax // 89c6 | mov esi, eax // e8???????? | // 89b3ec000000 | mov dword ptr [ebx + 0xec], esi // 83ec04 | sub esp, 4 // 8d65f4 | lea esp, [ebp - 0xc] condition: 7 of them and filesize < 2174976 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY