Actor(s): Hellsing
There is no description at this point.
rule win_sisfader_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-12-06" version = "1" description = "Detects win.sisfader." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader" malpedia_rule_date = "20231130" malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351" malpedia_version = "20230808" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 85c9 741f 33c0 85c9 } // n = 4, score = 300 // 85c9 | test ecx, ecx // 741f | je 0x21 // 33c0 | xor eax, eax // 85c9 | test ecx, ecx $sequence_1 = { e8???????? 85c0 b91d000000 0f44d9 } // n = 4, score = 300 // e8???????? | // 85c0 | test eax, eax // b91d000000 | mov ecx, 0x1d // 0f44d9 | cmove ebx, ecx $sequence_2 = { 8906 83f824 723e b824000000 } // n = 4, score = 200 // 8906 | mov dword ptr [esi], eax // 83f824 | cmp eax, 0x24 // 723e | jb 0x40 // b824000000 | mov eax, 0x24 $sequence_3 = { 8b4dfc 51 8b55f8 52 e8???????? 83c408 8945f4 } // n = 7, score = 200 // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 51 | push ecx // 8b55f8 | mov edx, dword ptr [ebp - 8] // 52 | push edx // e8???????? | // 83c408 | add esp, 8 // 8945f4 | mov dword ptr [ebp - 0xc], eax $sequence_4 = { 33d2 b904000000 e8???????? 33c0 83f801 7425 baffffffff } // n = 7, score = 200 // 33d2 | xor edx, edx // b904000000 | mov ecx, 4 // e8???????? | // 33c0 | xor eax, eax // 83f801 | cmp eax, 1 // 7425 | je 0x27 // baffffffff | mov edx, 0xffffffff $sequence_5 = { 83793000 0f85be000000 8b55fc 8b45f0 } // n = 4, score = 200 // 83793000 | cmp dword ptr [ecx + 0x30], 0 // 0f85be000000 | jne 0xc4 // 8b55fc | mov edx, dword ptr [ebp - 4] // 8b45f0 | mov eax, dword ptr [ebp - 0x10] $sequence_6 = { 837c245000 7402 eb12 c744245401000000 33c0 } // n = 5, score = 200 // 837c245000 | cmp dword ptr [esp + 0x50], 0 // 7402 | je 4 // eb12 | jmp 0x14 // c744245401000000 | mov dword ptr [esp + 0x54], 1 // 33c0 | xor eax, eax $sequence_7 = { c705????????07000000 8b442438 8905???????? c705????????00000000 8b442440 8905???????? c705????????b80b0000 } // n = 7, score = 200 // c705????????07000000 | // 8b442438 | mov eax, dword ptr [esp + 0x38] // 8905???????? | // c705????????00000000 | // 8b442440 | mov eax, dword ptr [esp + 0x40] // 8905???????? | // c705????????b80b0000 | $sequence_8 = { 837c242001 7425 837c242002 7441 837c242003 745d 837c242004 } // n = 7, score = 200 // 837c242001 | cmp dword ptr [esp + 0x20], 1 // 7425 | je 0x27 // 837c242002 | cmp dword ptr [esp + 0x20], 2 // 7441 | je 0x43 // 837c242003 | cmp dword ptr [esp + 0x20], 3 // 745d | je 0x5f // 837c242004 | cmp dword ptr [esp + 0x20], 4 $sequence_9 = { 85c0 752b 8d45f8 c745f882000000 50 8d8618010000 50 } // n = 7, score = 200 // 85c0 | test eax, eax // 752b | jne 0x2d // 8d45f8 | lea eax, [ebp - 8] // c745f882000000 | mov dword ptr [ebp - 8], 0x82 // 50 | push eax // 8d8618010000 | lea eax, [esi + 0x118] // 50 | push eax $sequence_10 = { 66837c246c2e 7518 0fb74c246e 6685c9 } // n = 4, score = 200 // 66837c246c2e | cmp word ptr [esp + 0x6c], 0x2e // 7518 | jne 0x1a // 0fb74c246e | movzx ecx, word ptr [esp + 0x6e] // 6685c9 | test cx, cx $sequence_11 = { 83790800 745d c745f800000000 eb09 8b55f8 83c201 } // n = 6, score = 200 // 83790800 | cmp dword ptr [ecx + 8], 0 // 745d | je 0x5f // c745f800000000 | mov dword ptr [ebp - 8], 0 // eb09 | jmp 0xb // 8b55f8 | mov edx, dword ptr [ebp - 8] // 83c201 | add edx, 1 $sequence_12 = { 746b c744242000000000 eb0a 8b442420 } // n = 4, score = 200 // 746b | je 0x6d // c744242000000000 | mov dword ptr [esp + 0x20], 0 // eb0a | jmp 0xc // 8b442420 | mov eax, dword ptr [esp + 0x20] $sequence_13 = { 6a04 e8???????? 83c40c 8b4d0c 51 } // n = 5, score = 200 // 6a04 | push 4 // e8???????? | // 83c40c | add esp, 0xc // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] // 51 | push ecx $sequence_14 = { 8b442448 89442420 837c242001 7402 eb05 e8???????? } // n = 6, score = 200 // 8b442448 | mov eax, dword ptr [esp + 0x48] // 89442420 | mov dword ptr [esp + 0x20], eax // 837c242001 | cmp dword ptr [esp + 0x20], 1 // 7402 | je 4 // eb05 | jmp 7 // e8???????? | $sequence_15 = { 8b45f0 83781000 750e 8b4df0 8b510c 0355cc 8955e4 } // n = 7, score = 200 // 8b45f0 | mov eax, dword ptr [ebp - 0x10] // 83781000 | cmp dword ptr [eax + 0x10], 0 // 750e | jne 0x10 // 8b4df0 | mov ecx, dword ptr [ebp - 0x10] // 8b510c | mov edx, dword ptr [ecx + 0xc] // 0355cc | add edx, dword ptr [ebp - 0x34] // 8955e4 | mov dword ptr [ebp - 0x1c], edx $sequence_16 = { 0fb74c247e 6685c9 0f84cd010000 6683f92e 750f } // n = 5, score = 200 // 0fb74c247e | movzx ecx, word ptr [esp + 0x7e] // 6685c9 | test cx, cx // 0f84cd010000 | je 0x1d3 // 6683f92e | cmp cx, 0x2e // 750f | jne 0x11 $sequence_17 = { 720b 03f0 eb9c 5f 5e 33c0 5b } // n = 7, score = 200 // 720b | jb 0xd // 03f0 | add esi, eax // eb9c | jmp 0xffffff9e // 5f | pop edi // 5e | pop esi // 33c0 | xor eax, eax // 5b | pop ebx $sequence_18 = { e8???????? b90e000000 ff15???????? 33c0 e9???????? e9???????? ff15???????? } // n = 7, score = 200 // e8???????? | // b90e000000 | mov ecx, 0xe // ff15???????? | // 33c0 | xor eax, eax // e9???????? | // e9???????? | // ff15???????? | $sequence_19 = { 745d 837c242004 7479 837c242005 0f8480000000 } // n = 5, score = 200 // 745d | je 0x5f // 837c242004 | cmp dword ptr [esp + 0x20], 4 // 7479 | je 0x7b // 837c242005 | cmp dword ptr [esp + 0x20], 5 // 0f8480000000 | je 0x86 $sequence_20 = { ebbc 8b4dfc 8b5108 52 ff15???????? 83c404 8b45fc } // n = 7, score = 200 // ebbc | jmp 0xffffffbe // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 8b5108 | mov edx, dword ptr [ecx + 8] // 52 | push edx // ff15???????? | // 83c404 | add esp, 4 // 8b45fc | mov eax, dword ptr [ebp - 4] $sequence_21 = { 8d8574fdffff 6804010000 50 6a00 ff15???????? 8d8574fdffff } // n = 6, score = 200 // 8d8574fdffff | lea eax, [ebp - 0x28c] // 6804010000 | push 0x104 // 50 | push eax // 6a00 | push 0 // ff15???????? | // 8d8574fdffff | lea eax, [ebp - 0x28c] $sequence_22 = { 7426 8b4f04 85c9 741f } // n = 4, score = 200 // 7426 | je 0x28 // 8b4f04 | mov ecx, dword ptr [edi + 4] // 85c9 | test ecx, ecx // 741f | je 0x21 $sequence_23 = { 8139aaeeddff 0f858e000000 8b4104 85c0 } // n = 4, score = 200 // 8139aaeeddff | cmp dword ptr [ecx], 0xffddeeaa // 0f858e000000 | jne 0x94 // 8b4104 | mov eax, dword ptr [ecx + 4] // 85c0 | test eax, eax $sequence_24 = { 8b45fc 8b08 83792800 7457 } // n = 4, score = 200 // 8b45fc | mov eax, dword ptr [ebp - 4] // 8b08 | mov ecx, dword ptr [eax] // 83792800 | cmp dword ptr [ecx + 0x28], 0 // 7457 | je 0x59 $sequence_25 = { 85c9 7513 ffb318020000 ff15???????? 33c0 5b } // n = 6, score = 200 // 85c9 | test ecx, ecx // 7513 | jne 0x15 // ffb318020000 | push dword ptr [ebx + 0x218] // ff15???????? | // 33c0 | xor eax, eax // 5b | pop ebx $sequence_26 = { 8b45ac 894610 8b45b0 894614 ff15???????? 66894604 8d45e8 } // n = 7, score = 200 // 8b45ac | mov eax, dword ptr [ebp - 0x54] // 894610 | mov dword ptr [esi + 0x10], eax // 8b45b0 | mov eax, dword ptr [ebp - 0x50] // 894614 | mov dword ptr [esi + 0x14], eax // ff15???????? | // 66894604 | mov word ptr [esi + 4], ax // 8d45e8 | lea eax, [ebp - 0x18] $sequence_27 = { 8b55fc 8b4230 50 ff15???????? 83c404 } // n = 5, score = 200 // 8b55fc | mov edx, dword ptr [ebp - 4] // 8b4230 | mov eax, dword ptr [edx + 0x30] // 50 | push eax // ff15???????? | // 83c404 | add esp, 4 $sequence_28 = { ba08020000 0f114014 c7400856120000 89580c c700aaeeddff } // n = 5, score = 200 // ba08020000 | mov edx, 0x208 // 0f114014 | movups xmmword ptr [eax + 0x14], xmm0 // c7400856120000 | mov dword ptr [eax + 8], 0x1256 // 89580c | mov dword ptr [eax + 0xc], ebx // c700aaeeddff | mov dword ptr [eax], 0xffddeeaa $sequence_29 = { 85c0 7416 0f1f4000 8bc1 83e00f 8a0430 30441124 } // n = 7, score = 200 // 85c0 | test eax, eax // 7416 | je 0x18 // 0f1f4000 | nop dword ptr [eax] // 8bc1 | mov eax, ecx // 83e00f | and eax, 0xf // 8a0430 | mov al, byte ptr [eax + esi] // 30441124 | xor byte ptr [ecx + edx + 0x24], al condition: 7 of them and filesize < 417792 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY