Created from the codebase of Gozi/ISFB.
rule win_rm3_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.rm3."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rm3"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (added on review; not part of the generator output)
     *
     * - All matching logic is in `condition`: at least 7 of the 40
     *   $sequence_* opcode patterns below must be present and the scanned
     *   object must be smaller than 221184 bytes (216 KiB). There is no
     *   MZ/PE header check, so the rule can fire on memory dumps and
     *   unpacked code (the sources named in the disclaimer) as well as on
     *   files on disk. `filesize` is a property of a scanned file; confirm
     *   how your engine evaluates it for process-memory scans before
     *   relying on the size bound there.
     *
     * - Each pattern is a run of x86 instruction bytes. The `????????`
     *   wildcards mask 4-byte operands that change with linking or
     *   relocation: the rel32 of `e8` calls, the disp32 of memory operands
     *   (`ff15`, `8b15`, `8b35`, `a1`, `4c8b05`, `488b15`) and the imm32 of
     *   `68` pushes / `c74604` stores.
     *
     * - `// n = N, score = S`: N is the number of opcodes in the pattern; S
     *   appears to be the generator's ranking weight for the pattern (see
     *   the yara-signator documentation linked in the disclaimer).
     *
     * - CAUTION: the per-opcode mnemonic comments do NOT correspond to the
     *   bytes on the same row; they appear to have been shuffled between
     *   patterns by the generator. Example: the bytes of $sequence_0 decode
     *   as `lea edi, [ebx+edx-1]; dec edx; not edx; and edi, edx;
     *   cmp edi, eax; jbe +9`, while its comment column shows the decode of
     *   $sequence_16 (`xor edx, edx; ...`). The x64 patterns
     *   ($sequence_16 .. $sequence_23) also seem to have been decoded as
     *   32-bit code, so REX prefixes such as `48`/`41` show up as
     *   `dec eax` / `inc ecx`. Treat the mnemonics as non-authoritative and
     *   re-disassemble before drawing conclusions from them.
     *
     * - Analyst hints (from the bytes alone; verify against a sample):
     *   $sequence_18 ends with `49b9 1ddd6c4f91f44525`, i.e.
     *   mov r9, 0x2545F4914F6CDD1D, the xorshift64* multiplier; with the
     *   shr-by-0xc / shr-by-0x1b and imul in $sequence_19/$sequence_21 this
     *   looks like a PRNG routine. $sequence_34's `813c1f50450000` compares
     *   a dword against 0x4550 ("PE\0\0"), consistent with PE-header
     *   parsing. $sequence_25/_28/_33/_36 embed absolute addresses in the
     *   0x02873xxx range (e.g. `8d0d84308702` = lea ecx, [0x02873084]), so
     *   those low-score patterns are tied to one sample's image base and
     *   are brittle across relocations.
     */

    strings:
        $sequence_0 = { 8d7c13ff 4a f7d2 23fa 3bf8 7609 }
            // n = 6, score = 2300
            // 8d7c13ff | xor edx, edx
            // 4a | inc ebp
            // f7d2 | xor eax, eax
            // 23fa | inc ecx
            // 3bf8 | bswap ecx
            // 7609 | dec eax

        $sequence_1 = { 8b4138 8b5608 8d5410ff 48 f7d0 }
            // n = 5, score = 2300
            // 8b4138 | xor edx, edx
            // 8b5608 | inc ecx
            // 8d5410ff | mov eax, 0x800
            // 48 | mov eax, dword ptr [ebp - 8]
            // f7d0 | add esi, 0x28

        $sequence_2 = { 8b45f8 83c628 ff4dfc 85c0 }
            // n = 4, score = 2300
            // 8b45f8 | dec eax
            // 83c628 | mov eax, ecx
            // ff4dfc | dec eax
            // 85c0 | shr eax, 0x1b

        $sequence_3 = { 8931 8b7004 897104 8b4808 ff7004 }
            // n = 5, score = 2300
            // 8931 | dec eax
            // 8b7004 | xor eax, ecx
            // 897104 | xor ecx, ecx
            // 8b4808 | dec eax
            // ff7004 | imul eax, ebx

        $sequence_4 = { 034c240c 8b00 51 03c2 50 e8???????? }
            // n = 6, score = 2300
            // 034c240c | dec eax
            // 8b00 | sub esp, 0xc0
            // 51 | inc ecx
            // 03c2 | mov ebx, eax
            // 50 | mov edi, edx
            // e8???????? |

        $sequence_5 = { 3bf8 7609 8b413c 8d5418ff eb0a }
            // n = 5, score = 2300
            // 3bf8 | push dword ptr [eax + 4]
            // 7609 | lea edi, [ebx + edx - 1]
            // 8b413c | dec edx
            // 8d5418ff | not edx
            // eb0a | and edi, edx

        $sequence_6 = { 8b460c 03c2 394508 7303 8975f8 8b45f8 }
            // n = 6, score = 2300
            // 8b460c | dec dword ptr [ebp - 4]
            // 03c2 | test eax, eax
            // 394508 | mov dword ptr [ecx], esi
            // 7303 | mov esi, dword ptr [eax + 4]
            // 8975f8 | mov dword ptr [ecx + 4], esi
            // 8b45f8 | mov ecx, dword ptr [eax + 8]

        $sequence_7 = { 8b5e10 8d4438ff 4f f7d7 23c7 8d7c13ff 4a }
            // n = 7, score = 2300
            // 8b5e10 | dec ecx
            // 8d4438ff | mov edx, esp
            // 4f | dec eax
            // f7d7 | shr ecx, 0xc
            // 23c7 | dec eax
            // 8d7c13ff | xor eax, ecx
            // 4a | dec eax

        $sequence_8 = { 41 ff4508 ff4d0c 885405fc }
            // n = 4, score = 1800
            // 41 | cmp eax, dword ptr [esi + 0xc]
            // ff4508 | jb 0x59
            // ff4d0c | cmp dword ptr [ebp + 8], eax
            // 885405fc | jae 5

        $sequence_9 = { 57 8bc3 8d9568ffffff e8???????? 8b849d64ffffff }
            // n = 5, score = 1800
            // 57 | add eax, edx
            // 8bc3 | cmp dword ptr [ebp + 8], eax
            // 8d9568ffffff | jae 0x11
            // e8???????? |
            // 8b849d64ffffff | mov dword ptr [ebp - 8], esi

        $sequence_10 = { e8???????? 8b5508 57 8bc3 8d8d58feffff e8???????? }
            // n = 6, score = 1800
            // e8???????? |
            // 8b5508 | mov ecx, dword ptr [eax + 0x3c]
            // 57 | add ecx, eax
            // 8bc3 | movzx eax, word ptr [ecx + 6]
            // 8d8d58feffff | and dword ptr [ebp - 8], 0
            // e8???????? |

        $sequence_11 = { 8b750c 50 8db4b558feffff 894510 }
            // n = 4, score = 1800
            // 8b750c | push ebx
            // 50 | lea edx, [eax + edx - 1]
            // 8db4b558feffff | dec eax
            // 894510 | not eax

        $sequence_12 = { 8bf0 2b7508 f7de 1bf6 83e60b }
            // n = 5, score = 1800
            // 8bf0 | push dword ptr [eax + 4]
            // 2b7508 | add ecx, dword ptr [esp + 0xc]
            // f7de | mov eax, dword ptr [eax]
            // 1bf6 | push ecx
            // 83e60b | add eax, edx

        $sequence_13 = { e8???????? 8bd8 85db 7420 8d45fc }
            // n = 5, score = 1800
            // e8???????? |
            // 8bd8 | mov dword ptr [ebp - 8], esi
            // 85db | mov eax, dword ptr [ebp - 8]
            // 7420 | add esi, 0x28
            // 8d45fc | push ecx

        $sequence_14 = { e8???????? 2bf3 89750c 0f88b3000000 8d3c1e 8dbcbd58feffff }
            // n = 6, score = 1800
            // e8???????? |
            // 2bf3 | movzx eax, word ptr [ecx + 0x14]
            // 89750c | push esi
            // 0f88b3000000 | push edi
            // 8d3c1e | lea esi, [eax + ecx + 0x18]
            // 8dbcbd58feffff | mov eax, dword ptr [ebp + 8]

        $sequence_15 = { 744b 8975fc 6a18 5e }
            // n = 4, score = 1800
            // 744b | push eax
            // 8975fc | not eax
            // 6a18 | and edx, eax
            // 5e | mov eax, dword ptr [esi + 0xc]

        $sequence_16 = { 33d2 4533c0 410fc9 48f7b42488000000 8b15???????? }
            // n = 5, score = 300
            // 33d2 | dec eax
            // 4533c0 | mov ecx, esi
            // 410fc9 | dec eax
            // 48f7b42488000000 | test eax, eax
            // 8b15???????? |

        $sequence_17 = { 488bf3 488bce e8???????? 4885c0 488bd8 7415 }
            // n = 6, score = 300
            // 488bf3 | lea ecx, [esp + 0x68]
            // 488bce | inc ecx
            // e8???????? |
            // 4885c0 | push ebp
            // 488bd8 | inc ecx
            // 7415 | push esi

        $sequence_18 = { 4155 4156 4157 4883ec30 4c8b05???????? 49b91ddd6c4f91f44525 }
            // n = 6, score = 300
            // 4155 | dec eax
            // 4156 | sub esp, 0x20
            // 4157 | test eax, eax
            // 4883ec30 | je 0x47
            // 4c8b05???????? |
            // 49b91ddd6c4f91f44525 | dec eax

        $sequence_19 = { 41be18000000 488b15???????? 488b4270 488bc8 48c1e90c 4833c1 488bc8 }
            // n = 7, score = 300
            // 41be18000000 | inc ecx
            // 488b15???????? |
            // 488b4270 | push edi
            // 488bc8 | dec eax
            // 48c1e90c | sub esp, 0x30
            // 4833c1 | dec ecx
            // 488bc8 | mov ecx, 0x4f6cdd1d

        $sequence_20 = { 57 4154 4155 4156 4157 4883ec20 4c8b05???????? }
            // n = 7, score = 300
            // 57 | push edi
            // 4154 | inc ecx
            // 4155 | push esp
            // 4156 | inc ecx
            // 4157 | push ebp
            // 4883ec20 | inc ecx
            // 4c8b05???????? |

        $sequence_21 = { 488bc1 48c1e81b 4833c1 33c9 480fafc3 }
            // n = 5, score = 300
            // 488bc1 | xchg eax, ecx
            // 48c1e81b | hlt
            // 4833c1 | inc ebp
            // 33c9 | dec eax
            // 480fafc3 | mov esi, ebx

        $sequence_22 = { ff15???????? 85c0 7445 488d4c2468 ff15???????? ff15???????? }
            // n = 6, score = 300
            // ff15???????? |
            // 85c0 | push esi
            // 7445 | inc ecx
            // 488d4c2468 | push edi
            // ff15???????? |
            // ff15???????? |

        $sequence_23 = { 488d4c2440 4c8bce 4c8bc5 498bd4 }
            // n = 4, score = 300
            // 488d4c2440 | dec eax
            // 4c8bce | mov ebx, eax
            // 4c8bc5 | je 0x17
            // 498bd4 | inc ecx

        $sequence_24 = { 899568ffffff 89b564ffffff 889d63ffffff 7570 31c0 89855cffffff eb16 }
            // n = 7, score = 100
            // 899568ffffff | mov dword ptr [ebp - 0xa4], eax
            // 89b564ffffff | mov eax, ebx
            // 889d63ffffff | shr eax, 0x1e
            // 7570 | and eax, 1
            // 31c0 | mov dword ptr [ebp - 0x30], eax
            // 89855cffffff | mov eax, dword ptr [ebp - 0x30]
            // eb16 | mov ecx, dword ptr [ebp - 0x2c]

        $sequence_25 = { 8d0d84308702 31d2 8b75f0 89462c 890c24 }
            // n = 5, score = 100
            // 8d0d84308702 | mov eax, dword ptr [eax]
            // 31d2 | push ecx
            // 8b75f0 | add eax, edx
            // 89462c | push eax
            // 890c24 | mov eax, dword ptr [ecx + 0x38]

        $sequence_26 = { 885801 39d7 897db8 8975b4 75d7 8d45d4 }
            // n = 6, score = 100
            // 885801 | and dword ptr [ebp - 8], 0
            // 39d7 | push ebx
            // 897db8 | mov dword ptr [ebp - 4], eax
            // 8975b4 | movzx eax, word ptr [ecx + 0x14]
            // 75d7 | push esi
            // 8d45d4 | test eax, eax

        $sequence_27 = { a1???????? 6a00 6a00 6a00 6a00 68???????? ffd0 }
            // n = 7, score = 100
            // a1???????? |
            // 6a00 | jbe 0xb
            // 6a00 | mov eax, dword ptr [ecx + 0x3c]
            // 6a00 | lea edx, [eax + ebx - 1]
            // 6a00 | jmp 0x15
            // 68???????? |
            // ffd0 | mov ecx, dword ptr [eax + 0x3c]

        $sequence_28 = { ffd0 8d0dd1318702 890424 894c2404 e8???????? 83f800 }
            // n = 6, score = 100
            // ffd0 | lea edi, [ebx + edx - 1]
            // 8d0dd1318702 | dec edx
            // 890424 | mov eax, dword ptr [esi + 8]
            // 894c2404 | mov edx, dword ptr [ecx + 0x3c]
            // e8???????? |
            // 83f800 | mov ebx, dword ptr [esi + 0x10]

        $sequence_29 = { 52 8bb5e0fbffff 56 8985d0fbffff 8995ccfbffff 898dc8fbffff ffd7 }
            // n = 7, score = 100
            // 52 | mov edx, dword ptr [esi + 8]
            // 8bb5e0fbffff | lea edx, [eax + edx - 1]
            // 56 | dec eax
            // 8985d0fbffff | not eax
            // 8995ccfbffff | mov eax, dword ptr [esi + 0xc]
            // 898dc8fbffff | add eax, edx
            // ffd7 | cmp dword ptr [ebp + 8], eax

        $sequence_30 = { 8945d0 8b45d0 8b4dd4 8b55ec 01ca 891424 }
            // n = 6, score = 100
            // 8945d0 | lea ecx, [0x2873177]
            // 8b45d0 | mov dword ptr [esp], eax
            // 8b4dd4 | mov edi, dword ptr [ebp - 0x29c]
            // 8b55ec | mov dword ptr [esi + 8], edi
            // 01ca | mov ebx, dword ptr [ebp - 0x298]
            // 891424 | mov dword ptr [esi], ebx

        $sequence_31 = { 897dec 8955e8 8975e4 ffd3 83ec10 890424 }
            // n = 6, score = 100
            // 897dec | and dword ptr [ebp - 8], 0
            // 8955e8 | push ebx
            // 8975e4 | mov dword ptr [ebp - 4], eax
            // ffd3 | movzx eax, word ptr [ecx + 0x14]
            // 83ec10 | push esi
            // 890424 | push edi

        $sequence_32 = { 53 57 56 83ec20 8b450c 8b4d08 31d2 }
            // n = 7, score = 100
            // 53 | sub esp, 0x2d0
            // 57 | lea eax, [ebp - 0x214]
            // 56 | lea ecx, [ebp - 0x110]
            // 83ec20 | mov edx, esp
            // 8b450c | jae 0x15
            // 8b4d08 | bt dword ptr [esi], 0x1f
            // 31d2 | setb al

        $sequence_33 = { 890c24 c744240400000000 8955dc e8???????? 8d0d77318702 890424 }
            // n = 6, score = 100
            // 890c24 | add ecx, eax
            // c744240400000000 | movzx eax, word ptr [ecx + 6]
            // 8955dc | and dword ptr [ebp - 8], 0
            // e8???????? |
            // 8d0d77318702 | push ebx
            // 890424 | mov dword ptr [ebp - 4], eax

        $sequence_34 = { 8b7834 8b5f3c 8945f0 89f8 01d8 813c1f50450000 }
            // n = 6, score = 100
            // 8b7834 | jne 7
            // 8b5f3c | cmp dword ptr [ebp - 4], eax
            // 8945f0 | jne 0xffffffa6
            // 89f8 | pop edi
            // 01d8 | pop esi
            // 813c1f50450000 | mov ebx, dword ptr [ecx + 0x24]

        $sequence_35 = { 8bbd64fdffff 897e08 8b9d68fdffff 891e }
            // n = 4, score = 100
            // 8bbd64fdffff | movzx eax, word ptr [ecx + 0x14]
            // 897e08 | push ecx
            // 8b9d68fdffff | mov ecx, dword ptr [eax + 0x3c]
            // 891e | add ecx, eax

        $sequence_36 = { c7460cfe308702 c74604???????? 8b35???????? 8985e0fdffff 898ddcfdffff 8995d8fdffff }
            // n = 6, score = 100
            // c7460cfe308702 | jae 0xa
            // c74604???????? |
            // 8b35???????? |
            // 8985e0fdffff | mov dword ptr [ebp - 8], esi
            // 898ddcfdffff | mov eax, dword ptr [ebp - 8]
            // 8995d8fdffff | cmp edi, eax

        $sequence_37 = { 898dfcfeffff e8???????? 890424 8b853cffffff 89442404 }
            // n = 5, score = 100
            // 898dfcfeffff | push ebx
            // e8???????? |
            // 890424 | mov dword ptr [ebp - 4], eax
            // 8b853cffffff | movzx eax, word ptr [ecx + 0x14]
            // 89442404 | push esi

        $sequence_38 = { 89e2 894a04 c70204010000 8b15???????? 8985e8fdffff 898de4fdffff }
            // n = 6, score = 100
            // 89e2 | lea eax, [eax + edi - 1]
            // 894a04 | dec edi
            // c70204010000 | not edi
            // 8b15???????? |
            // 8985e8fdffff | and eax, edi
            // 898de4fdffff | add ecx, dword ptr [esp + 0xc]

        $sequence_39 = { 8b5924 89855cffffff 89d8 c1e81e 83e001 }
            // n = 5, score = 100
            // 8b5924 | push 0
            // 89855cffffff | call eax
            // 89d8 | mov dword ptr [esp], ecx
            // c1e81e | mov dword ptr [esp + 4], 0
            // 83e001 | mov dword ptr [ebp - 0x24], edx

    condition:
        // Any 7 of the 40 opcode patterns above, bounded to objects under
        // 216 KiB; no file-format (MZ/PE) precondition is applied.
        7 of them and filesize < 221184
}