Actor(s): TA505
There is no description at this point.
rule win_sdbbot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.sdbbot." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 8bf8 ba4d5a0000 6690 } // n = 4, score = 700 // e8???????? | // 8bf8 | mov edi, eax // ba4d5a0000 | mov edx, 0x5a4d // 6690 | nop $sequence_1 = { 803e61 7203 83c1e0 81c2ffff0000 03cf } // n = 5, score = 700 // 803e61 | cmp byte ptr [esi], 0x61 // 7203 | jb 5 // 83c1e0 | add ecx, -0x20 // 81c2ffff0000 | add edx, 0xffff // 03cf | add ecx, edi $sequence_2 = { 8bcf 85d2 7418 8bfe 2b7df8 } // n = 5, score = 700 // 8bcf | mov ecx, edi // 85d2 | test edx, edx // 7418 | je 0x1a // 8bfe | mov edi, esi // 2b7df8 | sub edi, dword ptr [ebp - 8] $sequence_3 = { 8d4901 8841ff 8d5201 83ee01 } // n = 4, score = 700 // 8d4901 | lea ecx, [ecx + 1] // 8841ff | mov byte ptr [ecx - 1], al // 8d5201 | lea edx, [edx + 1] // 83ee01 | sub esi, 1 $sequence_4 = { 2bd1 03c1 8955ec 8945e4 85d2 0f8560ffffff } // n = 6, score = 700 // 2bd1 | sub edx, ecx // 03c1 | add eax, ecx // 8955ec | mov dword ptr [ebp - 0x14], edx // 8945e4 | mov dword ptr [ebp - 0x1c], eax // 85d2 | test edx, edx // 0f8560ffffff | jne 0xffffff66 $sequence_5 = { 8b7028 33c9 0fb75024 0f1f8000000000 0fb63e } // n = 5, score = 700 // 8b7028 | mov esi, dword ptr [eax + 0x28] // 33c9 | xor ecx, ecx // 0fb75024 | movzx edx, word ptr [eax + 0x24] // 0f1f8000000000 | nop dword ptr [eax] // 0fb63e | movzx edi, byte ptr [esi] $sequence_6 = { 8b01 03c6 8945e8 eb2e 3daafc0d7c } // n = 5, score = 700 // 8b01 | mov eax, dword ptr [ecx] // 03c6 | add eax, esi // 8945e8 | mov dword ptr [ebp - 0x18], eax // eb2e | jmp 0x30 // 3daafc0d7c | cmp eax, 0x7c0dfcaa $sequence_7 = { 6683f803 750b 81e1ff0f0000 013c31 eb27 6683f801 7511 } // n = 7, score = 700 // 6683f803 | cmp ax, 3 // 750b | jne 0xd // 81e1ff0f0000 | and ecx, 0xfff // 013c31 | add dword ptr [ecx + esi], edi // eb27 | jmp 0x29 // 6683f801 | cmp ax, 1 // 7511 | jne 0x13 $sequence_8 = { c3 803d????????00 750c c605????????01 } // n = 4, score = 400 // c3 | ret // 803d????????00 | // 750c | jne 0xe // c605????????01 | $sequence_9 = { 33f6 8a27 83c702 84e4 7437 } // n = 5, score = 300 // 33f6 | jb 6 // 8a27 | dec eax // 83c702 | add eax, -0x20 // 84e4 | dec eax // 7437 | add eax, ecx $sequence_10 = { 7419 0f1f8000000000 0fb602 48ffc2 8801 488d4901 4983e801 } // n = 7, score = 300 // 7419 | dec eax // 0f1f8000000000 | cmp dword ptr [edi], 0 // 0fb602 | dec eax // 48ffc2 | mov ebx, eax // 8801 | jne 0xffffffa9 // 488d4901 | dec eax // 4983e801 | add ebp, 0x14 $sequence_11 = { 0f1f840000000000 418b49f8 49ffca 418b11 4903ce 458b41fc } // n = 6, score = 300 // 0f1f840000000000 | add edi, ebp // 418b49f8 | inc ecx // 49ffca | mov eax, 0x3000 // 418b11 | inc esp // 4903ce | lea ecx, [ecx + 0x40] // 458b41fc | test eax, eax $sequence_12 = { 7204 4883c0e0 4803c1 48ffc2 664503c1 75e5 3d5bbc4a6a } // n = 7, score = 300 // 7204 | inc ecx // 4883c0e0 | mov ecx, dword ptr [ecx - 8] // 4803c1 | dec ecx // 48ffc2 | dec edx // 664503c1 | inc ecx // 75e5 | mov edx, dword ptr [ecx] // 3d5bbc4a6a | dec ecx $sequence_13 = { 48833f00 488bd8 75a4 4883c514 837d0000 0f856dffffff } // n = 6, score = 300 // 48833f00 | add ecx, esi // 488bd8 | inc ebp // 75a4 | mov eax, dword ptr [ecx - 4] // 4883c514 | dec ebp // 837d0000 | sub eax, ebp // 0f856dffffff | movzx eax, byte ptr [ecx] $sequence_14 = { 4903ce 41ffd5 488bf0 4885c0 7474 } // n = 5, score = 300 // 4903ce | inc ecx // 41ffd5 | mov byte ptr [eax + ecx], al // 488bf0 | dec eax // 4885c0 | lea ecx, [ecx + 1] // 7474 | dec eax $sequence_15 = { 85c0 0f84bb000000 418b9fb0000000 8bf8 4903de } // n = 5, score = 300 // 85c0 | mov ecx, eax // 0f84bb000000 | dec ebp // 418b9fb0000000 | arpl word ptr [ebp + 0x3c], di // 8bf8 | xor ecx, ecx // 4903de | dec ebp $sequence_16 = { 4d2bc5 0fb601 41880408 488d4901 4883ea01 75ef 450fb74f14 } // n = 7, score = 300 // 4d2bc5 | je 0xc1 // 0fb601 | inc ecx // 41880408 | mov ebx, dword ptr [edi + 0xb0] // 488d4901 | mov edi, eax // 4883ea01 | dec ecx // 75ef | add ebx, esi // 450fb74f14 | nop dword ptr [eax + eax] $sequence_17 = { 4d03fd 41b800300000 448d4940 418b5750 ffd6 418b5750 488bc8 } // n = 7, score = 300 // 4d03fd | dec ebp // 41b800300000 | add edi, ebp // 448d4940 | inc ecx // 418b5750 | mov eax, 0x3000 // ffd6 | inc esp // 418b5750 | lea ecx, [ecx + 0x40] // 488bc8 | inc ecx condition: 7 of them and filesize < 1015808 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY