There is no description at this point.
// Autogenerated YARA rule for the win.rhysida family (Malpedia / yara-signator).
// Matches when at least 7 of the 10 opcode sequences below are found in a file
// smaller than 2369536 bytes. The rule text itself (meta, strings, condition)
// is the generator's output; only comments have been added here.
rule win_rhysida_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.rhysida."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhysida"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is a hex pattern of 7 consecutive x86-64 instructions
        // ("n = 7"); "score" is the generator's ranking of the sequence.
        // The `????????` wildcards mask the 4-byte rel32 displacement of
        // call (e8), jmp (e9) and call [rip+disp] (ff15) so the pattern does not
        // depend on the sample's layout.
        // NOTE(review): the per-opcode annotations in the comments below are the
        // generator's output and do not appear to match the bytes they sit next
        // to (e.g. 5f / 5d / c3 encode pop / pop / ret, not the listed
        // mov / dec / sub). Treat them as informational only and re-disassemble
        // the hex bytes before relying on them for analysis.

        $sequence_0 = { ba28000000 4889c1 e8???????? 8945f8 837df800 7407 b804000000 }
            // n = 7, score = 300
            //   ba28000000           | dec ebp
            //   4889c1               | lea edx, [eax + 0x10]
            //   e8????????           |
            //   8945f8               | inc ebp
            //   837df800             | mov ebx, esi
            //   7407                 | inc ecx
            //   b804000000           | sub ebx, edi

        $sequence_1 = { 4863d0 488b4510 4801d0 0fb600 0fb6c0 8b55f4 c1ea06 }
            // n = 7, score = 300
            //   4863d0               | ucomiss xmm0, xmm1
            //   488b4510             | jbe 0xd48
            //   4801d0               | dec eax
            //   0fb600               | mov eax, dword ptr [ebp + 0x28]
            //   0fb6c0               | movss xmm0, dword ptr [eax + 0x1c]
            //   8b55f4               | subss xmm0, dword ptr [ebp + 0x30]
            //   c1ea06               | movss xmm0, dword ptr [ebp - 0x34]

        $sequence_2 = { f6431920 0f84c7feffff 4983c101 e9???????? 4531c0 4889f2 89e9 }
            // n = 7, score = 300
            //   f6431920             | inc ecx
            //   0f84c7feffff         | mov eax, 0x4f3
            //   4983c101             | dec eax
            //   e9????????           |
            //   4531c0               | lea edx, [0x68369]
            //   4889f2               | dec eax
            //   89e9                 | lea ecx, [0x683b2]

        $sequence_3 = { 8b45fc 4863c8 4889c8 48c1e002 4801c8 48c1e003 4889c1 }
            // n = 7, score = 300
            //   8b45fc               | mov ecx, ecx
            //   4863c8               | inc ecx
            //   4889c8               | mov eax, 1
            //   48c1e002             | dec eax
            //   4801c8               | mov ecx, eax
            //   48c1e003             | mov dword ptr [ebp + 0x10326c], eax
            //   4889c1               | cmp dword ptr [ebp + 0x10326c], 1

        $sequence_4 = { baafa96e5e 89c8 f7ea c1fa0b 89c8 c1f81f 29c2 }
            // n = 7, score = 300
            //   baafa96e5e           | lea esi, [0x3e089]
            //   89c8                 | dec eax
            //   f7ea                 | lea ecx, [0x3d482]
            //   c1fa0b               | dec esp
            //   89c8                 | lea edx, [0x3dc7b]
            //   c1f81f               | dec esp
            //   29c2                 | lea eax, [0x3d874]

        $sequence_5 = { 8b45f8 4863d0 488b4510 4801d0 0fb600 0fb6d0 8b45f8 }
            // n = 7, score = 300
            //   8b45f8               | mov eax, eax
            //   4863d0               | dec eax
            //   488b4510             | shrd eax, edx, 0x3c
            //   4801d0               | dec ebp
            //   0fb600               | and eax, edi
            //   0fb6d0               | dec esp
            //   8b45f8               | mov dword ptr [ecx], eax

        $sequence_6 = { e8???????? eb01 90 8b45f0 0faf45b8 89c2 488d45a0 }
            // n = 7, score = 300
            //   e8????????           |
            //   eb01                 | punpcklwd mm1, mm5
            //   90                   | inc sp
            //   8b45f0               | punpcklwd mm7, mm3
            //   0faf45b8             | movdqa xmm2, xmm1
            //   89c2                 | inc bp
            //   488d45a0             | punpcklwd mm3, mm4

        $sequence_7 = { 85c0 74da 85db 4889742428 0f848d010000 8d4bff 488d742460 }
            // n = 7, score = 300
            //   85c0                 | mov eax, dword ptr [ebp - 0x10]
            //   74da                 | lea ecx, [eax - 1]
            //   85db                 | mov eax, dword ptr [ebp - 0xc]
            //   4889742428           | sub eax, dword ptr [ebp - 8]
            //   0f848d010000         | dec eax
            //   8d4bff               | lea edx, [eax*4]
            //   488d742460           | dec eax

        $sequence_8 = { c1e903 f348ab ff15???????? 83f812 7472 488b8b38020000 e8???????? }
            // n = 7, score = 300
            //   c1e903               | mov eax, ebx
            //   f348ab               | dec esp
            //   ff15????????         |
            //   83f812               | lea esp, [esp + 0x40]
            //   7472                 | dec esp
            //   488b8b38020000       | mov ecx, esp
            //   e8????????           |

        $sequence_9 = { 5f 5d 415c 415d c3 b80d000000 ebd7 }
            // n = 7, score = 300
            //   5f                   | mov ecx, dword ptr [ebp + 0x28]
            //   5d                   | dec eax
            //   415c                 | mov ebp, esp
            //   415d                 | dec eax
            //   c3                   | sub esp, 0x50
            //   b80d000000           | dec eax
            //   ebd7                 | mov dword ptr [ebp + 0x10], ecx

    condition:
        // Require a majority of the sequences (7 of 10) so a single coincidental
        // hit cannot trigger the rule, and cap the scanned size at 2369536 bytes
        // (~2.26 MiB) as generated from the reference sample.
        // NOTE(review): `filesize` only has a meaning for file scans; when the
        // rule is applied to process memory, confirm how your YARA version
        // evaluates this condition before relying on it there.
        7 of them and filesize < 2369536
}