Actor(s): Lazarus Group
There is no description at this point.
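rule win_rifdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.rifdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (operational caveats for deploying this rule):
     * - The rule fires when at least 7 of the 16 byte sequences below match
     *   AND the scanned object is smaller than 212992 bytes (208 KiB). The
     *   filesize bound is evaluated against whatever object YARA is handed,
     *   so a full process memory image or a packed/padded outer container may
     *   fall outside it even though the unpacked code would otherwise match.
     *   Scan unpacked payloads or memory regions, as the disclaimer states.
     * - Several sequences embed absolute data addresses as literal bytes
     *   ($sequence_3 / $sequence_4: 0x415d60, $sequence_7: 0x415b64). Those
     *   sequences are tied to one build and image base; a rebased or
     *   recompiled sample will not match them, and only the wildcarded
     *   (????????) operands are build-independent.
     * - Short sequences such as $sequence_8 (a null-terminator scan loop) are
     *   generic compiler output and carry little signal on their own; the
     *   "7 of them" threshold is what gives the rule its specificity, so do
     *   not lower it without re-validating against a clean corpus.
     * - "n" is the number of instructions in a sequence; "score" is the
     *   ranking assigned by yara-signator (200 vs. 100 here) — consult the
     *   generator's documentation before reading more into the value.
     */

    strings:
        $sequence_0 = { 32d9 22da 8ad0 22d1 32da }
            // n = 5, score = 200
            //   32d9                 | xor                 bl, cl
            //   22da                 | and                 bl, dl
            //   8ad0                 | mov                 dl, al
            //   22d1                 | and                 dl, cl
            //   32da                 | xor                 bl, dl

        $sequence_1 = { 8b420c 51 ffd0 85c0 0f85d7010000 8b4c2408 50 }
            // n = 7, score = 200
            //   8b420c               | mov                 eax, dword ptr [edx + 0xc]
            //   51                   | push                ecx
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   0f85d7010000         | jne                 0x1dd
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   50                   | push                eax

        $sequence_2 = { 8d442410 50 895c2414 b814000000 b9???????? e8???????? }
            // n = 6, score = 200
            //   8d442410             | lea                 eax, dword ptr [esp + 0x10]
            //   50                   | push                eax
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   b814000000           | mov                 eax, 0x14
            //   b9????????           |
            //   e8????????           |

        $sequence_3 = { 8bce c1f905 8b0c8d605d4100 83e61f c1e606 89040e 8bc3 }
            // n = 7, score = 200
            //   8bce                 | mov                 ecx, esi
            //   c1f905               | sar                 ecx, 5
            //   8b0c8d605d4100       | mov                 ecx, dword ptr [ecx*4 + 0x415d60]
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   89040e               | mov                 dword ptr [esi + ecx], eax
            //   8bc3                 | mov                 eax, ebx

        $sequence_4 = { 83e61f c1e606 033485605d4100 8b45e4 }
            // n = 4, score = 200
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   033485605d4100       | add                 esi, dword ptr [eax*4 + 0x415d60]
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_5 = { 7508 c744242401000000 8d4c2410 51 b810000000 }
            // n = 5, score = 200
            //   7508                 | jne                 0xa
            //   c744242401000000     | mov                 dword ptr [esp + 0x24], 1
            //   8d4c2410             | lea                 ecx, dword ptr [esp + 0x10]
            //   51                   | push                ecx
            //   b810000000           | mov                 eax, 0x10

        $sequence_6 = { 7517 395c2424 7511 3bc3 }
            // n = 4, score = 200
            //   7517                 | jne                 0x19
            //   395c2424             | cmp                 dword ptr [esp + 0x24], ebx
            //   7511                 | jne                 0x13
            //   3bc3                 | cmp                 eax, ebx

        $sequence_7 = { 6689442404 8d9b00000000 8a88645b4100 884c0408 40 84c9 75f1 }
            // n = 7, score = 200
            //   6689442404           | mov                 word ptr [esp + 4], ax
            //   8d9b00000000         | lea                 ebx, dword ptr [ebx]
            //   8a88645b4100         | mov                 cl, byte ptr [eax + 0x415b64]
            //   884c0408             | mov                 byte ptr [esp + eax + 8], cl
            //   40                   | inc                 eax
            //   84c9                 | test                cl, cl
            //   75f1                 | jne                 0xfffffff3

        $sequence_8 = { 803900 8bc1 75f5 33f6 }
            // n = 4, score = 100
            //   803900               | cmp                 byte ptr [ecx], 0
            //   8bc1                 | mov                 eax, ecx
            //   75f5                 | jne                 0xfffffff7
            //   33f6                 | xor                 esi, esi

        $sequence_9 = { 51 ffd3 a3???????? eb2c }
            // n = 4, score = 100
            //   51                   | push                ecx
            //   ffd3                 | call                ebx
            //   a3????????           |
            //   eb2c                 | jmp                 0x2e

        $sequence_10 = { 53 ff15???????? 83c664 ff8d70fcffff 7587 }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   ff15????????         |
            //   83c664               | add                 esi, 0x64
            //   ff8d70fcffff         | dec                 dword ptr [ebp - 0x390]
            //   7587                 | jne                 0xffffff89

        $sequence_11 = { b85b4c0000 85c9 0f8eb2000000 8b8d60c5ffff 8d9574c5ffff 2bca }
            // n = 6, score = 100
            //   b85b4c0000           | mov                 eax, 0x4c5b
            //   85c9                 | test                ecx, ecx
            //   0f8eb2000000         | jle                 0xb8
            //   8b8d60c5ffff         | mov                 ecx, dword ptr [ebp - 0x3aa0]
            //   8d9574c5ffff         | lea                 edx, dword ptr [ebp - 0x3a8c]
            //   2bca                 | sub                 ecx, edx

        $sequence_12 = { 8d9b00000000 8b85f4f7ffff 8b08 8d95f0f7ffff 52 }
            // n = 5, score = 100
            //   8d9b00000000         | lea                 ebx, dword ptr [ebx]
            //   8b85f4f7ffff         | mov                 eax, dword ptr [ebp - 0x80c]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8d95f0f7ffff         | lea                 edx, dword ptr [ebp - 0x810]
            //   52                   | push                edx

        $sequence_13 = { 85ff 744a 81ffb7000000 7442 83ff03 756b }
            // n = 6, score = 100
            //   85ff                 | test                edi, edi
            //   744a                 | je                  0x4c
            //   81ffb7000000         | cmp                 edi, 0xb7
            //   7442                 | je                  0x44
            //   83ff03               | cmp                 edi, 3
            //   756b                 | jne                 0x6d

        $sequence_14 = { 8b8d50bdffff 3bcb 7436 3bc3 7432 8b4508 }
            // n = 6, score = 100
            //   8b8d50bdffff         | mov                 ecx, dword ptr [ebp - 0x42b0]
            //   3bcb                 | cmp                 ecx, ebx
            //   7436                 | je                  0x38
            //   3bc3                 | cmp                 eax, ebx
            //   7432                 | je                  0x34
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_15 = { 8d45e8 eb0f 8d7801 e8???????? 85c0 8d45e8 7543 }
            // n = 7, score = 100
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   eb0f                 | jmp                 0x11
            //   8d7801               | lea                 edi, dword ptr [eax + 1]
            //   e8????????           |
            //   85c0                 | test                eax, eax
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   7543                 | jne                 0x45

    condition:
        // Majority-style threshold over the 16 sequences; the size bound keeps
        // the rule to unpacked PE-sized objects (see reviewer notes above).
        7 of them and filesize < 212992
}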