Actor(s): OilRig
There is no description at this point.
/*
 * win_rdat_auto — Malpedia auto-generated code-sequence rule for win.rdat
 * (page attribution: OilRig; no family description is given on the page).
 *
 * How it fires: the file is smaller than 1573888 bytes AND at least 7 of the
 * 16 `$sequence_*` byte patterns below are present.  The patterns are raw
 * opcode sequences picked by YARA-Signator from a single documented sample
 * (see the generator disclaimer below), so coverage of other builds is not
 * guaranteed and the 7-of-16 threshold is the main guard against false
 * positives — do not lower it without re-validating on a clean corpus.
 *
 * NOTE(review): the per-opcode "| mnemonic" annotations are emitted by the
 * generator and do not line up with the bytes they sit next to (e.g. `57` is
 * `push rdi`, `5f` is `pop rdi`, `6690` is a two-byte `nop`, and `4883ec20`
 * is `sub rsp, 0x20`, yet the annotations say otherwise).  They also appear to
 * be 32-bit disassembly of 64-bit code (REX prefixes such as 48/4c/4d read as
 * `dec eax`/`dec esp`/`dec ebp`).  Treat the hex bytes as authoritative and the
 * annotations as informational only; they are kept verbatim here.
 *
 * NOTE(review): sequences 9, 11, 12 and 14 look like ordinary MSVC x64
 * prologue / SEH-frame setup (`sub rsp,0x30; mov qword [rax-N],-2; mov
 * [rax+N],rbx ...`), and sequence 14 ends in `cmp dword ptr [rcx],
 * 0xe06d7363`, which resembles the MSVC C++ exception code check found in
 * many compiled binaries — TODO confirm.  Individually these are weak
 * indicators; the rule relies on their combination with the other sequences.
 */
rule win_rdat_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.rdat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        // Each `n` is the number of opcodes in the sequence; `score` is the
        // generator's ranking value, not a YARA weight.
        $sequence_0 = { 6690 48ffc3 4038341a 75f7 4883791810 }
            // n = 5, score = 300
            //   6690                 | dec esp
            //   48ffc3               | cmovb eax, edi
            //   4038341a             | dec ebp
            //   75f7                 | test eax, eax
            //   4883791810           | dec eax

        $sequence_1 = { 4533db 85c0 0f8eae000000 8b8aa4000000 }
            // n = 4, score = 300
            //   4533db               | mov edi, dword ptr [ecx + 0x10]
            //   85c0                 | jb 5
            //   0f8eae000000         | dec eax
            //   8b8aa4000000         | mov ecx, dword ptr [ecx]

        $sequence_2 = { eb0f 4883cbff 6690 48ffc3 }
            // n = 4, score = 300
            //   eb0f                 | xor esi, esi
            //   4883cbff             | inc eax
            //   6690                 | cmp byte ptr [edx], dh
            //   48ffc3               | jne 9

        $sequence_3 = { 48634e68 4c8b44c8f8 7816 8d4a01 }
            // n = 4, score = 300
            //   48634e68             | dec esp
            //   4c8b44c8f8           | cmovb eax, edi
            //   7816                 | inc eax
            //   8d4a01               | cmp byte ptr [edx], dh

        $sequence_4 = { 7504 8bde eb0f 4883cbff }
            // n = 4, score = 300
            //   7504                 | inc eax
            //   8bde                 | cmp byte ptr [edx + ebx], dh
            //   eb0f                 | jmp 7
            //   4883cbff             | dec eax

        $sequence_5 = { 4889742410 57 4883ec20 33f6 403832 7504 8bde }
            // n = 7, score = 300
            //   4889742410           | mov ecx, dword ptr [ecx]
            //   57                   | dec eax
            //   4883ec20             | cmp edi, ebx
            //   33f6                 | dec esp
            //   403832               | mov eax, ebx
            //   7504                 | dec eax
            //   8bde                 | mov dword ptr [esp + 0x10], esi

        $sequence_6 = { 483bfb 4c8bc3 4c0f42c7 4d85c0 7504 }
            // n = 5, score = 300
            //   483bfb               | cmp byte ptr [edx], dh
            //   4c8bc3               | jne 0xb
            //   4c0f42c7             | mov ebx, esi
            //   4d85c0               | dec eax
            //   7504                 | cmp edi, ebx

        $sequence_7 = { 75f7 4883791810 488b7910 7203 488b09 483bfb 4c8bc3 }
            // n = 7, score = 300
            //   75f7                 | jne 0xfffffff9
            //   4883791810           | dec eax
            //   488b7910             | cmp dword ptr [ecx + 0x18], 0x10
            //   7203                 | dec eax
            //   488b09               | mov edi, dword ptr [ecx + 0x10]
            //   483bfb               | jb 5
            //   4c8bc3               | dec eax

        $sequence_8 = { 4533db 488b4730 4d8b0403 4d85c0 0f84c7000000 418b80c0000000 }
            // n = 6, score = 300
            //   4533db               | dec eax
            //   488b4730             | cmp dword ptr [ecx + 0x18], 0x10
            //   4d8b0403             | dec eax
            //   4d85c0               | mov edi, dword ptr [ecx + 0x10]
            //   0f84c7000000         | inc eax
            //   418b80c0000000       | cmp byte ptr [edx], dh

        // Sequences 9, 11, 12 and 14 are function-prologue shaped (see the
        // header note); they are expected to co-occur with the others.
        $sequence_9 = { 4883ec30 48c740e8feffffff 48895810 48897018 48897820 4c8bf2 }
            // n = 6, score = 300
            //   4883ec30             | dec eax
            //   48c740e8feffffff     | sub esp, 0x20
            //   48895810             | xor esi, esi
            //   48897018             | inc eax
            //   48897820             | cmp byte ptr [edx], dh
            //   4c8bf2               | mov ebx, esi

        $sequence_10 = { 483bfb 7313 83c8ff 488b5c2430 488b742438 4883c420 5f }
            // n = 7, score = 300
            //   483bfb               | cmp edi, ebx
            //   7313                 | dec esp
            //   83c8ff               | mov eax, ebx
            //   488b5c2430           | dec eax
            //   488b742438           | cmp dword ptr [ecx + 0x18], 0x10
            //   4883c420             | dec eax
            //   5f                   | mov edi, dword ptr [ecx + 0x10]

        $sequence_11 = { 4883ec30 48c740d8feffffff 48895818 48896820 498bf9 }
            // n = 5, score = 300
            //   4883ec30             | dec eax
            //   48c740d8feffffff     | cmp edi, ebx
            //   48895818             | dec esp
            //   48896820             | mov eax, ebx
            //   498bf9               | dec esp

        $sequence_12 = { 4883ec30 48c740d8feffffff 48895808 48896810 48897018 488bf2 }
            // n = 6, score = 300
            //   4883ec30             | sub esp, 0x20
            //   48c740d8feffffff     | xor esi, esi
            //   48895808             | inc eax
            //   48896810             | cmp byte ptr [edx], dh
            //   48897018             | jne 0xb
            //   488bf2               | jne 6

        $sequence_13 = { 48634e04 488b4608 8b1488 eb07 }
            // n = 4, score = 300
            //   48634e04             | mov dword ptr [esp + 8], ebx
            //   488b4608             | dec eax
            //   8b1488               | mov dword ptr [esp + 0x10], esi
            //   eb07                 | push edi

        $sequence_14 = { 4883ec30 48c7442420feffffff 48895c2440 4889742448 488bf9 813963736de0 }
            // n = 6, score = 300
            //   4883ec30             | jne 6
            //   48c7442420feffffff   | mov ebx, esi
            //   48895c2440           | jmp 0x15
            //   4889742448           | dec esp
            //   488bf9               | mov eax, ebx
            //   813963736de0         | dec esp

        // `e8????????` wildcards the 4-byte relative call target so the
        // sequence survives relocation / different link layouts.
        $sequence_15 = { 8bc6 eb05 e8???????? 4898 4885c0 751e 483bfb }
            // n = 7, score = 300
            //   8bc6                 | cmp dword ptr [ecx + 0x18], 0x10
            //   eb05                 | dec eax
            //   e8????????           |
            //   4898                 | mov edi, dword ptr [ecx + 0x10]
            //   4885c0               | dec eax
            //   751e                 | inc ebx
            //   483bfb               | inc eax

    condition:
        // Size bound first keeps the sequence scan off large files; 7 of 16
        // sequences is the generator-chosen threshold.
        7 of them and filesize < 1573888
}