There is no description at this point.
// Auto-generated YARA-Signator rule (Malpedia) for the win.smominru family.
//
// How to read it: every $sequence_N is a literal run of x86 bytes lifted from
// the disassembly of an unpacked sample / memory dump; the "| mnemonic" lines
// are the generator's decoding of those bytes and are comments only.
// "e8 ????????" is a CALL whose 4-byte relative target is wildcarded, so the
// sequence still matches when the callee moves.  Conditional jumps (0f84 / 0f85)
// are NOT wildcarded: their 4-byte displacement is part of the pattern.
//
// The rule fires when at least 7 of the 16 sequences occur anywhere in a file
// of 8167424 bytes (~7.8 MiB) or less.
rule win_smominru_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.smominru."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru"
        // NOTE(review): malpedia_rule_date (20230124) and date (2023-01-25) differ
        // by one day; metadata only, no effect on matching.
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // NOTE(review): the two JE displacements (0x7babb339 / 0x7babb322, as
        // decoded from offset 0) are matched literally.  Displacements this large
        // suggest the bytes came from a relocated in-memory image; a rebuild or
        // different load layout will change them and drop this sequence.
        $sequence_0 = { 832100 8b4508 83f8f4 0f8439b3ab7b 83f8f5 0f841cb3ab7b }
            // n = 6, score = 100
            //   832100        | and    dword ptr [ecx], 0
            //   8b4508        | mov    eax, dword ptr [ebp + 8]
            //   83f8f4        | cmp    eax, -0xc
            //   0f8439b3ab7b  | je     0x7babb33f
            //   83f8f5        | cmp    eax, -0xb
            //   0f841cb3ab7b  | je     0x7babb322

        $sequence_1 = { 8a00 2c01 0f8367240000 bf04000000 c602d5 c70105000000 83c602 }
            // n = 7, score = 100
            //   8a00          | mov    al, byte ptr [eax]
            //   2c01          | sub    al, 1
            //   0f8367240000  | jae    0x246d
            //   bf04000000    | mov    edi, 4
            //   c602d5        | mov    byte ptr [edx], 0xd5
            //   c70105000000  | mov    dword ptr [ecx], 5
            //   83c602        | add    esi, 2

        // 8b15 ???????? = mov edx, [abs32] with the address wildcarded; the two
        // e8 ???????? entries are calls with wildcarded targets.
        $sequence_2 = { 8b15???????? 8b12 8b92b4000000 8d14fa e8???????? 8b45f8 e8???????? }
            // n = 7, score = 100
            //   8b15????????  |
            //   8b12          | mov    edx, dword ptr [edx]
            //   8b92b4000000  | mov    edx, dword ptr [edx + 0xb4]
            //   8d14fa        | lea    edx, [edx + edi*8]
            //   e8????????    |
            //   8b45f8        | mov    eax, dword ptr [ebp - 8]
            //   e8????????    |

        // Function epilogue (pop/leave/ret 4) immediately followed by the next
        // function's prologue bytes; only 6 bytes long, so expect this one to be
        // the most likely to hit unrelated stdcall code.
        $sequence_3 = { 5b c9 c20400 57 5f 55 }
            // n = 6, score = 100
            //   5b            | pop    ebx
            //   c9            | leave
            //   c20400        | ret    4
            //   57            | push   edi
            //   5f            | pop    edi
            //   55            | push   ebp

        // NOTE(review): these 20 bytes are printable ASCII -- "ol size while the po" --
        // i.e. a fragment of an embedded text string, not code.  The x86 decoding
        // below is an artefact of the generator disassembling data.  Treat this as
        // the weakest sequence: any binary carrying the same English phrase matches it.
        $sequence_4 = { 6f 6c 207369 7a65 207768 696c652074686520 706f }
            // n = 7, score = 100
            //   6f                | outsd  dx, dword ptr [esi]
            //   6c                | insb   byte ptr es:[edi], dx
            //   207369            | and    byte ptr [ebx + 0x69], dh
            //   7a65              | jp     0x67
            //   207768            | and    byte ptr [edi + 0x68], dh
            //   696c652074686520  | imul   ebp, dword ptr [ebp + 0x20], 0x20656874
            //   706f              | jo     0x71

        // Copies three dwords from a stack buffer (ebp-0x220 .. ebp-0x21c) into a
        // structure at esi+0xc .. esi+0x14.
        $sequence_5 = { 89460c 8b85e0fdffff 894610 8b85e4fdffff 894614 }
            // n = 5, score = 100
            //   89460c        | mov    dword ptr [esi + 0xc], eax
            //   8b85e0fdffff  | mov    eax, dword ptr [ebp - 0x220]
            //   894610        | mov    dword ptr [esi + 0x10], eax
            //   8b85e4fdffff  | mov    eax, dword ptr [ebp - 0x21c]
            //   894614        | mov    dword ptr [esi + 0x14], eax

        // Field-by-field struct copy (esi -> eax, offsets 0x24/0x28/0x2c) followed
        // by a flag test on the copied +0x2c field.
        $sequence_6 = { 8b4e24 894824 8b4e28 894828 8b4e2c 89482c f7402c00070000 }
            // n = 7, score = 100
            //   8b4e24        | mov    ecx, dword ptr [esi + 0x24]
            //   894824        | mov    dword ptr [eax + 0x24], ecx
            //   8b4e28        | mov    ecx, dword ptr [esi + 0x28]
            //   894828        | mov    dword ptr [eax + 0x28], ecx
            //   8b4e2c        | mov    ecx, dword ptr [esi + 0x2c]
            //   89482c        | mov    dword ptr [eax + 0x2c], ecx
            //   f7402c00070000| test   dword ptr [eax + 0x2c], 0x700

        // Epilogue of one function followed by shift/add mixing on eax/edx;
        // presumably the head of an integer hash or mix step -- unconfirmed.
        $sequence_7 = { 5d c20400 8bd0 c1ea0c 03d0 c1e80e 03d0 }
            // n = 7, score = 100
            //   5d            | pop    ebp
            //   c20400        | ret    4
            //   8bd0          | mov    edx, eax
            //   c1ea0c        | shr    edx, 0xc
            //   03d0          | add    edx, eax
            //   c1e80e        | shr    eax, 0xe
            //   03d0          | add    edx, eax

        // NOTE(review): the JNE displacement is matched literally (see $sequence_0).
        $sequence_8 = { 8b7810 85f6 0f852dcca87b e8???????? }
            // n = 4, score = 100
            //   8b7810        | mov    edi, dword ptr [eax + 0x10]
            //   85f6          | test   esi, esi
            //   0f852dcca87b  | jne    0x7ba8cc33
            //   e8????????    |

        $sequence_9 = { 57 8bd8 55 51 8b732c 8b7b3c 2b7b74 }
            // n = 7, score = 100
            //   57            | push   edi
            //   8bd8          | mov    ebx, eax
            //   55            | push   ebp
            //   51            | push   ecx
            //   8b732c        | mov    esi, dword ptr [ebx + 0x2c]
            //   8b7b3c        | mov    edi, dword ptr [ebx + 0x3c]
            //   2b7b74        | sub    edi, dword ptr [ebx + 0x74]

        $sequence_10 = { 8bd0 51 ff7510 81e203000010 ff750c 50 83fa03 }
            // n = 7, score = 100
            //   8bd0          | mov    edx, eax
            //   51            | push   ecx
            //   ff7510        | push   dword ptr [ebp + 0x10]
            //   81e203000010  | and    edx, 0x10000003
            //   ff750c        | push   dword ptr [ebp + 0xc]
            //   50            | push   eax
            //   83fa03        | cmp    edx, 3

        // Tail of a dec/jne loop, then a dword read at +0x3c.  NOTE(review): 0x3c is
        // the e_lfanew offset of an IMAGE_DOS_HEADER, which would fit manual PE
        // header walking -- plausible but not established by these bytes alone.
        $sequence_11 = { 4e 75c1 8b45ec e8???????? 8bf7 8bc6 8b583c }
            // n = 7, score = 100
            //   4e            | dec    esi
            //   75c1          | jne    0xffffffc3
            //   8b45ec        | mov    eax, dword ptr [ebp - 0x14]
            //   e8????????    |
            //   8bf7          | mov    esi, edi
            //   8bc6          | mov    eax, esi
            //   8b583c        | mov    ebx, dword ptr [eax + 0x3c]

        $sequence_12 = { 8b4318 e8???????? 50 8d4318 e8???????? 8b530c 33c9 }
            // n = 7, score = 100
            //   8b4318        | mov    eax, dword ptr [ebx + 0x18]
            //   e8????????    |
            //   50            | push   eax
            //   8d4318        | lea    eax, [ebx + 0x18]
            //   e8????????    |
            //   8b530c        | mov    edx, dword ptr [ebx + 0xc]
            //   33c9          | xor    ecx, ecx

        // NOTE(review): both JE displacements are matched literally (see $sequence_0).
        $sequence_13 = { f7430800000401 5f 0f841b3ea97b 837b1000 0f84113ea97b }
            // n = 5, score = 100
            //   f7430800000401| test   dword ptr [ebx + 8], 0x1040000
            //   5f            | pop    edi
            //   0f841b3ea97b  | je     0x7ba93e21
            //   837b1000      | cmp    dword ptr [ebx + 0x10], 0
            //   0f84113ea97b  | je     0x7ba93e17

        // NOTE(review): only 4 instructions, and the JE displacement is matched
        // literally (see $sequence_0).
        $sequence_14 = { 8b37 8975e0 85f6 0f842bfebb7b }
            // n = 4, score = 100
            //   8b37          | mov    esi, dword ptr [edi]
            //   8975e0        | mov    dword ptr [ebp - 0x20], esi
            //   85f6          | test   esi, esi
            //   0f842bfebb7b  | je     0x7bbbfe31

        $sequence_15 = { 897e1c 8b4604 8b4004 80b84402000000 7574 68000f0000 8b461c }
            // n = 7, score = 100
            //   897e1c        | mov    dword ptr [esi + 0x1c], edi
            //   8b4604        | mov    eax, dword ptr [esi + 4]
            //   8b4004        | mov    eax, dword ptr [eax + 4]
            //   80b84402000000| cmp    byte ptr [eax + 0x244], 0
            //   7574          | jne    0x76
            //   68000f0000    | push   0xf00
            //   8b461c        | mov    eax, dword ptr [esi + 0x1c]

    condition:
        // "them" = all 16 $sequence_* strings; any 7 suffice, in any order and at
        // any offset.  NOTE(review): filesize is a property of the scanned file --
        // check YARA's behaviour for process-memory scans before relying on this
        // clause there.
        7 of them and filesize < 8167424
}