Actor(s): APT33, The Gorgon Group
There is no description at this point.
rule win_remcos_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2018-11-23" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator 0.1a" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos" malpedia_version = "20180607" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach will be published in the near future here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 394508 7418 56 57 } // n = 4, score = 8000 // 394508 | cmp dword ptr [ebp + 8], eax // 7418 | je 0x40e6ea // 56 | push esi // 57 | push edi $sequence_1 = { c1ea10 660910 eb11 0138 } // n = 4, score = 8000 // c1ea10 | shr edx, 0x10 // 660910 | or word ptr [eax], dx // eb11 | jmp 0x405709 // 0138 | add dword ptr [eax], edi $sequence_2 = { f7fb 3bc7 7348 8b4508 } // n = 4, score = 8000 // f7fb | idiv ebx // 3bc7 | cmp eax, edi // 7348 | jae 0x40e5eb // 8b4508 | mov eax, dword ptr [ebp + 8] $sequence_3 = { 0f87e9fdffff 385dfe 740a 53 } // n = 4, score = 8000 // 0f87e9fdffff | ja 0x410214 // 385dfe | cmp byte ptr [ebp - 2], bl // 740a | je 0x41043a // 53 | push ebx $sequence_4 = { 4a 7420 4a 7419 } // n = 4, score = 8000 // 4a | dec edx // 7420 | je 0x4056fc // 4a | dec edx // 7419 | je 0x4056f8 $sequence_5 = { 8d45dc 53 50 53 } // n = 4, score = 8000 // 8d45dc | lea eax, dword ptr [ebp - 0x24] // 53 | push ebx // 50 | push eax // 53 | push ebx $sequence_6 = { ff7508 6a10 e813000000 59 } // n = 4, score = 8000 // ff7508 | push dword ptr [ebp + 8] // 6a10 | push 0x10 // e813000000 | call 0x401c4c // 59 | pop ecx $sequence_7 = { ff750c 03c1 51 ffd0 } // n = 4, score = 8000 // ff750c | push dword ptr [ebp + 0xc] // 03c1 | add eax, ecx // 51 | push ecx // ffd0 | call eax $sequence_8 = { 8b4d08 8d45ff 50 8d45fc } // n = 4, score = 8000 // 8b4d08 | mov ecx, dword ptr [ebp + 8] // 8d45ff | lea eax, dword ptr [ebp - 1] // 50 | push eax // 8d45fc | lea eax, dword ptr [ebp - 4] $sequence_9 = { 8bce 8945fc 53 50 } // n = 4, score = 8000 // 8bce | mov ecx, esi // 8945fc | mov dword ptr [ebp - 4], eax // 53 | push ebx // 50 | push eax condition: 7 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Your suggestion will be reviewed before being published. Thank you for contributing!