Actor(s): Mofang
There is no description at this point.
rule win_shimrat_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.shimrat." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 5e c3 0fb6c1 f7d8 ebf6 33c0 837c240420 } // n = 7, score = 100 // 5e | pop esi // c3 | ret // 0fb6c1 | movzx eax, cl // f7d8 | neg eax // ebf6 | jmp 0xfffffff8 // 33c0 | xor eax, eax // 837c240420 | cmp dword ptr [esp + 4], 0x20 $sequence_1 = { 58 c3 0fb6c0 83e008 c3 55 } // n = 6, score = 100 // 58 | pop eax // c3 | ret // 0fb6c0 | movzx eax, al // 83e008 | and eax, 8 // c3 | ret // 55 | push ebp $sequence_2 = { c745f801000000 395df8 0f8492feffff 895df4 395df0 0f8488000000 53 } // n = 7, score = 100 // c745f801000000 | mov dword ptr [ebp - 8], 1 // 395df8 | cmp dword ptr [ebp - 8], ebx // 0f8492feffff | je 0xfffffe98 // 895df4 | mov dword ptr [ebp - 0xc], ebx // 395df0 | cmp dword ptr [ebp - 0x10], ebx // 0f8488000000 | je 0x8e // 53 | push ebx $sequence_3 = { 50 e8???????? 0fb745fc 32db 50 } // n = 5, score = 100 // 50 | push eax // e8???????? | // 0fb745fc | movzx eax, word ptr [ebp - 4] // 32db | xor bl, bl // 50 | push eax $sequence_4 = { 8d4560 50 8d4d54 e8???????? 50 8d4d54 e8???????? } // n = 7, score = 100 // 8d4560 | lea eax, dword ptr [ebp + 0x60] // 50 | push eax // 8d4d54 | lea ecx, dword ptr [ebp + 0x54] // e8???????? | // 50 | push eax // 8d4d54 | lea ecx, dword ptr [ebp + 0x54] // e8???????? | $sequence_5 = { 53 881c30 ff15???????? 50 ff15???????? } // n = 5, score = 100 // 53 | push ebx // 881c30 | mov byte ptr [eax + esi], bl // ff15???????? | // 50 | push eax // ff15???????? | $sequence_6 = { 8d85bcf7ffff 50 6a03 68???????? ff15???????? 8945e8 3bc3 } // n = 7, score = 100 // 8d85bcf7ffff | lea eax, dword ptr [ebp - 0x844] // 50 | push eax // 6a03 | push 3 // 68???????? | // ff15???????? | // 8945e8 | mov dword ptr [ebp - 0x18], eax // 3bc3 | cmp eax, ebx $sequence_7 = { e9???????? f6456802 8d8550ffffff 740a 68???????? e9???????? } // n = 6, score = 100 // e9???????? | // f6456802 | test byte ptr [ebp + 0x68], 2 // 8d8550ffffff | lea eax, dword ptr [ebp - 0xb0] // 740a | je 0xc // 68???????? | // e9???????? | $sequence_8 = { 8ad0 46 80ea41 47 80fa19 } // n = 5, score = 100 // 8ad0 | mov dl, al // 46 | inc esi // 80ea41 | sub dl, 0x41 // 47 | inc edi // 80fa19 | cmp dl, 0x19 $sequence_9 = { 56 8d85bcefffff 50 8d4d18 } // n = 4, score = 100 // 56 | push esi // 8d85bcefffff | lea eax, dword ptr [ebp - 0x1044] // 50 | push eax // 8d4d18 | lea ecx, dword ptr [ebp + 0x18] condition: 7 of them and filesize < 65536 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY