Actor(s): Lazarus Group
There is no description at this point.
rule win_rifdoor_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-05-30" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.4.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor" malpedia_rule_date = "20200529" malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8" malpedia_version = "20200529" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8d542404 52 894808 ff15???????? 6804010000 } // n = 5, score = 200 // 8d542404 | lea edx, [esp + 4] // 52 | push edx // 894808 | mov dword ptr [eax + 8], ecx // ff15???????? | // 6804010000 | push 0x104 $sequence_1 = { 02c9 880c30 eb26 8bd1 } // n = 4, score = 200 // 02c9 | add cl, cl // 880c30 | mov byte ptr [eax + esi], cl // eb26 | jmp 0x28 // 8bd1 | mov edx, ecx $sequence_2 = { 8b442414 50 57 e8???????? 83c40c } // n = 5, score = 200 // 8b442414 | mov eax, dword ptr [esp + 0x14] // 50 | push eax // 57 | push edi // e8???????? | // 83c40c | add esp, 0xc $sequence_3 = { a3???????? 391d???????? 745c 391d???????? 7454 } // n = 5, score = 200 // a3???????? | // 391d???????? | // 745c | je 0x5e // 391d???????? | // 7454 | je 0x56 $sequence_4 = { 8bf0 51 56 e8???????? 83c40c 56 ff15???????? } // n = 7, score = 200 // 8bf0 | mov esi, eax // 51 | push ecx // 56 | push esi // e8???????? | // 83c40c | add esp, 0xc // 56 | push esi // ff15???????? | $sequence_5 = { 55 8bf8 8b06 8b5050 53 56 ffd2 } // n = 7, score = 200 // 55 | push ebp // 8bf8 | mov edi, eax // 8b06 | mov eax, dword ptr [esi] // 8b5050 | mov edx, dword ptr [eax + 0x50] // 53 | push ebx // 56 | push esi // ffd2 | call edx $sequence_6 = { 8b04bd605d4100 0500080000 3bf0 0f8397000000 f6460401 755c 837e0800 } // n = 7, score = 200 // 8b04bd605d4100 | mov eax, dword ptr [edi*4 + 0x415d60] // 0500080000 | add eax, 0x800 // 3bf0 | cmp esi, eax // 0f8397000000 | jae 0x9d // f6460401 | test byte ptr [esi + 4], 1 // 755c | jne 0x5e // 837e0800 | cmp dword ptr [esi + 8], 0 $sequence_7 = { 32db 3bc1 7d0e 885c301c } // n = 4, score = 200 // 32db | xor bl, bl // 3bc1 | cmp eax, ecx // 7d0e | jge 0x10 // 885c301c | mov byte ptr [eax + esi + 0x1c], bl $sequence_8 = { 897dfc 897dd8 83ff40 0f8d3c010000 8b34bd605d4100 85f6 0f84ba000000 } // n = 7, score = 200 // 897dfc | mov dword ptr [ebp - 4], edi // 897dd8 | mov dword ptr [ebp - 0x28], edi // 83ff40 | cmp edi, 0x40 // 0f8d3c010000 | jge 0x142 // 8b34bd605d4100 | mov esi, dword ptr [edi*4 + 0x415d60] // 85f6 | test esi, esi // 0f84ba000000 | je 0xc0 $sequence_9 = { 8bff 56 57 33f6 bf???????? 833cf55440410001 751e } // n = 7, score = 200 // 8bff | mov edi, edi // 56 | push esi // 57 | push edi // 33f6 | xor esi, esi // bf???????? | // 833cf55440410001 | cmp dword ptr [esi*8 + 0x414054], 1 // 751e | jne 0x20 condition: 7 of them and filesize < 212992 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY