Actor(s): Thrip
There is no description at this point.
rule win_rikamanu_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Layout of the strings section:
    //  - Each $sequence_N is a hex pattern of consecutive x86 instruction
    //    encodings. "??" bytes are YARA wildcards; in this rule they sit where
    //    a call/jump target or data reference would be (consistent with the
    //    signator_config "callsandjumps;datarefs;binvalue"), so the pattern
    //    is not pinned to one link-time address. The disassembly column below
    //    each string is left blank for those wildcarded instructions.
    //  - "n" is the number of instructions in the sequence; "score" is the
    //    value yara-signator assigned when selecting it (scale not documented
    //    on this page).
    //  - Several sequences embed absolute addresses in their non-wildcarded
    //    bytes (e.g. 0x4131d0 in $sequence_10, 0x24a12c in $sequence_13,
    //    0x40b8e0 in $sequence_26); those bytes tie the pattern to the
    //    specific build/image base of the documented sample.
    strings:
        $sequence_0 = { bf???????? f3a5 8bc8 33c0 83e103 f3a4 83c9ff }
            // n = 7, score = 200
            //   bf????????           |
            //   f3a5                 | rep movsd dword ptr es:[edi], dword ptr [esi]
            //   8bc8                 | mov ecx, eax
            //   33c0                 | xor eax, eax
            //   83e103               | and ecx, 3
            //   f3a4                 | rep movsb byte ptr es:[edi], byte ptr [esi]
            //   83c9ff               | or ecx, 0xffffffff

        $sequence_1 = { e8???????? 6a14 ff15???????? a801 }
            // n = 4, score = 200
            //   e8????????           |
            //   6a14                 | push 0x14
            //   ff15????????         |
            //   a801                 | test al, 1

        $sequence_2 = { 50 ff15???????? 8b35???????? 3d80969800 }
            // n = 4, score = 200
            //   50                   | push eax
            //   ff15????????         |
            //   8b35????????         |
            //   3d80969800           | cmp eax, 0x989680

        $sequence_3 = { 896c2414 0f849e040000 8d542410 6a10 }
            // n = 4, score = 100
            //   896c2414             | mov dword ptr [esp + 0x14], ebp
            //   0f849e040000         | je 0x4a4
            //   8d542410             | lea edx, [esp + 0x10]
            //   6a10                 | push 0x10

        $sequence_4 = { 6a00 ff15???????? 6820000100 68???????? }
            // n = 4, score = 100
            //   6a00                 | push 0
            //   ff15????????         |
            //   6820000100           | push 0x10020
            //   68????????           |

        // NOTE(review): the disassembly of this sequence (inc eax / add byte
        // ptr ...) reads more like data bytes than intended code; weigh its
        // contribution when tuning confidence - confirm against samples.
        $sequence_5 = { 40 002c5a 40 00505a 40 0023 }
            // n = 6, score = 100
            //   40                   | inc eax
            //   002c5a               | add byte ptr [edx + ebx*2], ch
            //   40                   | inc eax
            //   00505a               | add byte ptr [eax + 0x5a], dl
            //   40                   | inc eax
            //   0023                 | add byte ptr [ebx], ah

        $sequence_6 = { 894df8 ff15???????? 85c0 751d 8b45e8 50 }
            // n = 6, score = 100
            //   894df8               | mov dword ptr [ebp - 8], ecx
            //   ff15????????         |
            //   85c0                 | test eax, eax
            //   751d                 | jne 0x1f
            //   8b45e8               | mov eax, dword ptr [ebp - 0x18]
            //   50                   | push eax

        $sequence_7 = { 8b95e8fdffff 52 ffd6 8b4dfc 5e 33cd }
            // n = 6, score = 100
            //   8b95e8fdffff         | mov edx, dword ptr [ebp - 0x218]
            //   52                   | push edx
            //   ffd6                 | call esi
            //   8b4dfc               | mov ecx, dword ptr [ebp - 4]
            //   5e                   | pop esi
            //   33cd                 | xor ecx, ebp

        $sequence_8 = { 5f 85c0 753e 6810270000 }
            // n = 4, score = 100
            //   5f                   | pop edi
            //   85c0                 | test eax, eax
            //   753e                 | jne 0x40
            //   6810270000           | push 0x2710

        $sequence_9 = { 668b0d???????? 50 51 81e2ffff0000 33c0 33c9 }
            // n = 6, score = 100
            //   668b0d????????       |
            //   50                   | push eax
            //   51                   | push ecx
            //   81e2ffff0000         | and edx, 0xffff
            //   33c0                 | xor eax, eax
            //   33c9                 | xor ecx, ecx

        $sequence_10 = { 81fa00010000 7313 8a87d0314100 08441619 }
            // n = 4, score = 100
            //   81fa00010000         | cmp edx, 0x100
            //   7313                 | jae 0x15
            //   8a87d0314100         | mov al, byte ptr [edi + 0x4131d0]
            //   08441619             | or byte ptr [esi + edx + 0x19], al

        $sequence_11 = { 1bc0 83d8ff 8b2d???????? 3bc3 753a }
            // n = 5, score = 100
            //   1bc0                 | sbb eax, eax
            //   83d8ff               | sbb eax, -1
            //   8b2d????????         |
            //   3bc3                 | cmp eax, ebx
            //   753a                 | jne 0x3c

        $sequence_12 = { 6a5c 52 889c05f4feffff e8???????? 83c408 }
            // n = 5, score = 100
            //   6a5c                 | push 0x5c
            //   52                   | push edx
            //   889c05f4feffff       | mov byte ptr [ebp + eax - 0x10c], bl
            //   e8????????           |
            //   83c408               | add esp, 8

        $sequence_13 = { e8???????? 8d04452ca12400 8bc8 2bce 6a03 d1f9 68???????? }
            // n = 7, score = 100
            //   e8????????           |
            //   8d04452ca12400       | lea eax, [eax*2 + 0x24a12c]
            //   8bc8                 | mov ecx, eax
            //   2bce                 | sub ecx, esi
            //   6a03                 | push 3
            //   d1f9                 | sar ecx, 1
            //   68????????           |

        $sequence_14 = { 8d442414 6a64 8d4c2414 50 }
            // n = 4, score = 100
            //   8d442414             | lea eax, [esp + 0x14]
            //   6a64                 | push 0x64
            //   8d4c2414             | lea ecx, [esp + 0x14]
            //   50                   | push eax

        $sequence_15 = { 52 f3a4 ff15???????? 8b85f0fdffff 53 50 8d8de4fdffff }
            // n = 7, score = 100
            //   52                   | push edx
            //   f3a4                 | rep movsb byte ptr es:[edi], byte ptr [esi]
            //   ff15????????         |
            //   8b85f0fdffff         | mov eax, dword ptr [ebp - 0x210]
            //   53                   | push ebx
            //   50                   | push eax
            //   8d8de4fdffff         | lea ecx, [ebp - 0x21c]

        $sequence_16 = { ebab c745e444612400 817de448612400 7311 8b45e4 8b00 }
            // n = 6, score = 100
            //   ebab                 | jmp 0xffffffad
            //   c745e444612400       | mov dword ptr [ebp - 0x1c], 0x246144
            //   817de448612400       | cmp dword ptr [ebp - 0x1c], 0x246148
            //   7311                 | jae 0x13
            //   8b45e4               | mov eax, dword ptr [ebp - 0x1c]
            //   8b00                 | mov eax, dword ptr [eax]

        $sequence_17 = { 59 59 8d85f4fdffff 50 68???????? e8???????? 8b3d???????? }
            // n = 7, score = 100
            //   59                   | pop ecx
            //   59                   | pop ecx
            //   8d85f4fdffff         | lea eax, [ebp - 0x20c]
            //   50                   | push eax
            //   68????????           |
            //   e8????????           |
            //   8b3d????????         |

        $sequence_18 = { 59 8d85f8feffff 50 8d85e4f8ffff 50 }
            // n = 5, score = 100
            //   59                   | pop ecx
            //   8d85f8feffff         | lea eax, [ebp - 0x108]
            //   50                   | push eax
            //   8d85e4f8ffff         | lea eax, [ebp - 0x71c]
            //   50                   | push eax

        $sequence_19 = { 8a800c982400 08443b1d 0fb64601 47 3bf8 76ea }
            // n = 6, score = 100
            //   8a800c982400         | mov al, byte ptr [eax + 0x24980c]
            //   08443b1d             | or byte ptr [ebx + edi + 0x1d], al
            //   0fb64601             | movzx eax, byte ptr [esi + 1]
            //   47                   | inc edi
            //   3bf8                 | cmp edi, eax
            //   76ea                 | jbe 0xffffffec

        $sequence_20 = { 837c240800 740e 0fb7044562754000 23442408 eb02 }
            // n = 5, score = 100
            //   837c240800           | cmp dword ptr [esp + 8], 0
            //   740e                 | je 0x10
            //   0fb7044562754000     | movzx eax, word ptr [eax*2 + 0x407562]
            //   23442408             | and eax, dword ptr [esp + 8]
            //   eb02                 | jmp 4

        $sequence_21 = { 59 59 53 6882000000 6a04 53 6a01 }
            // n = 7, score = 100
            //   59                   | pop ecx
            //   59                   | pop ecx
            //   53                   | push ebx
            //   6882000000           | push 0x82
            //   6a04                 | push 4
            //   53                   | push ebx
            //   6a01                 | push 1

        $sequence_22 = { 85c0 7451 8a06 8885a0fdffff 8a4601 8885a1fdffff 8d4598 }
            // n = 7, score = 100
            //   85c0                 | test eax, eax
            //   7451                 | je 0x53
            //   8a06                 | mov al, byte ptr [esi]
            //   8885a0fdffff         | mov byte ptr [ebp - 0x260], al
            //   8a4601               | mov al, byte ptr [esi + 1]
            //   8885a1fdffff         | mov byte ptr [ebp - 0x25f], al
            //   8d4598               | lea eax, [ebp - 0x68]

        $sequence_23 = { 33c9 b8???????? 663b10 7415 83c008 41 }
            // n = 6, score = 100
            //   33c9                 | xor ecx, ecx
            //   b8????????           |
            //   663b10               | cmp dx, word ptr [eax]
            //   7415                 | je 0x17
            //   83c008               | add eax, 8
            //   41                   | inc ecx

        $sequence_24 = { 33c0 5d 83c424 c21000 }
            // n = 4, score = 100
            //   33c0                 | xor eax, eax
            //   5d                   | pop ebp
            //   83c424               | add esp, 0x24
            //   c21000               | ret 0x10

        $sequence_25 = { 7432 8d4598 50 ff15???????? 50 }
            // n = 5, score = 100
            //   7432                 | je 0x34
            //   8d4598               | lea eax, [ebp - 0x68]
            //   50                   | push eax
            //   ff15????????         |
            //   50                   | push eax

        $sequence_26 = { 83fbff 7416 8bc3 8bcb c1f805 83e11f 8b0485e0b84000 }
            // n = 7, score = 100
            //   83fbff               | cmp ebx, -1
            //   7416                 | je 0x18
            //   8bc3                 | mov eax, ebx
            //   8bcb                 | mov ecx, ebx
            //   c1f805               | sar eax, 5
            //   83e11f               | and ecx, 0x1f
            //   8b0485e0b84000       | mov eax, dword ptr [eax*4 + 0x40b8e0]

        $sequence_27 = { 750b 68???????? ff15???????? 6800010000 68???????? 56 }
            // n = 6, score = 100
            //   750b                 | jne 0xd
            //   68????????           |
            //   ff15????????         |
            //   6800010000           | push 0x100
            //   68????????           |
            //   56                   | push esi

        $sequence_28 = { 8b742408 8a16 3ad0 740d 8a81a9704000 41 }
            // n = 6, score = 100
            //   8b742408             | mov esi, dword ptr [esp + 8]
            //   8a16                 | mov dl, byte ptr [esi]
            //   3ad0                 | cmp dl, al
            //   740d                 | je 0xf
            //   8a81a9704000         | mov al, byte ptr [ecx + 0x4070a9]
            //   41                   | inc ecx

    // A hit requires any 7 of the 29 $sequence_* strings AND a scanned object
    // smaller than 212992 bytes (208 KiB). The size bound means larger
    // artifacts (e.g. a full memory dump) will not match even if every
    // sequence is present; scan unpacked/carved modules rather than whole
    // process images. The 7-of-29 threshold, rather than an exact subset,
    // is what gives the rule some tolerance to per-sample variation.
    condition:
        7 of them and filesize < 212992
}