There is no description at this point.
rule win_spyder_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-03-28" version = "1" description = "Detects win.spyder." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder" malpedia_rule_date = "20230328" malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d" malpedia_version = "20230407" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 4883d8ff c3 4053 4883ec40 488bd9 } // n = 5, score = 500 // 4883d8ff | lea eax, [0x1576] // c3 | dec eax // 4053 | lea eax, [0x14b0] // 4883ec40 | dec eax // 488bd9 | sbb eax, -1 $sequence_1 = { 443bce 753c 4585d2 7537 488d4b04 4c8d05173e0000 } // n = 6, score = 500 // 443bce | jne 0xde // 753c | dec eax // 4585d2 | lea ecx, [0x5f93] // 7537 | test eax, eax // 488d4b04 | jne 0x1e // 4c8d05173e0000 | dec eax $sequence_2 = { 48391d???????? 488bf8 0f85d5000000 488d0d935f0000 ff15???????? } // n = 5, score = 500 // 48391d???????? | // 488bf8 | dec eax // 0f85d5000000 | sub esp, 0x40 // 488d0d935f0000 | dec eax // ff15???????? | $sequence_3 = { 488d0590200000 488905???????? 488d0576150000 488905???????? 488d05b0140000 488905???????? } // n = 6, score = 500 // 488d0590200000 | dec eax // 488905???????? | // 488d0576150000 | lea eax, [0x2090] // 488905???????? | // 488d05b0140000 | dec eax // 488905???????? | $sequence_4 = { e8???????? 85c0 751a 488d1588890000 41b810200100 488bcd } // n = 6, score = 500 // e8???????? | // 85c0 | mov ebx, ecx // 751a | dec eax // 488d1588890000 | lea eax, [0x1625] // 41b810200100 | dec eax // 488bcd | lea ecx, [0x216e] $sequence_5 = { ff15???????? 488bf0 4885c0 0f8493010000 488d156a5f0000 488bc8 } // n = 6, score = 500 // ff15???????? | // 488bf0 | lea edx, [0x8988] // 4885c0 | inc ecx // 0f8493010000 | mov eax, 0x12010 // 488d156a5f0000 | dec eax // 488bc8 | mov ecx, ebp $sequence_6 = { 488d0525160000 488d0d6e210000 488905???????? 488d0500160000 } // n = 4, score = 500 // 488d0525160000 | ret // 488d0d6e210000 | inc eax // 488905???????? | // 488d0500160000 | push ebx $sequence_7 = { ff15???????? 496374243c 4903f4 813e50450000 740b } // n = 5, score = 500 // ff15???????? | // 496374243c | dec eax // 4903f4 | lea eax, [0x1600] // 813e50450000 | dec eax // 740b | mov edi, eax $sequence_8 = { 8088014a091008 40 3dff000000 72f1 53 e8???????? 59 } // n = 7, score = 100 // 8088014a091008 | or byte ptr [eax + 0x10094a01], 8 // 40 | inc eax // 3dff000000 | cmp eax, 0xff // 72f1 | jb 0xfffffff3 // 53 | push ebx // e8???????? | // 59 | pop ecx $sequence_9 = { 8bf1 8bc1 c1fe05 83e01f 8b34b5204b0910 } // n = 5, score = 100 // 8bf1 | mov esi, ecx // 8bc1 | mov eax, ecx // c1fe05 | sar esi, 5 // 83e01f | and eax, 0x1f // 8b34b5204b0910 | mov esi, dword ptr [esi*4 + 0x10094b20] $sequence_10 = { 3bfb 7e16 8a8c04880d0000 80f162 888c04880d0000 } // n = 5, score = 100 // 3bfb | cmp edi, ebx // 7e16 | jle 0x18 // 8a8c04880d0000 | mov cl, byte ptr [esp + eax + 0xd88] // 80f162 | xor cl, 0x62 // 888c04880d0000 | mov byte ptr [esp + eax + 0xd88], cl $sequence_11 = { b9ff000000 33c0 8dbc2489010000 889c2488010000 } // n = 4, score = 100 // b9ff000000 | mov ecx, 0xff // 33c0 | xor eax, eax // 8dbc2489010000 | lea edi, [esp + 0x189] // 889c2488010000 | mov byte ptr [esp + 0x188], bl $sequence_12 = { 83c404 85c0 7514 68???????? e8???????? 83c404 } // n = 6, score = 100 // 83c404 | add esp, 4 // 85c0 | test eax, eax // 7514 | jne 0x16 // 68???????? | // e8???????? | // 83c404 | add esp, 4 $sequence_13 = { 80f162 888c04880d0000 40 3bc7 } // n = 4, score = 100 // 80f162 | xor cl, 0x62 // 888c04880d0000 | mov byte ptr [esp + eax + 0xd88], cl // 40 | inc eax // 3bc7 | cmp eax, edi $sequence_14 = { 0fb6da f683014a091004 7406 8816 } // n = 4, score = 100 // 0fb6da | movzx ebx, dl // f683014a091004 | test byte ptr [ebx + 0x10094a01], 4 // 7406 | je 8 // 8816 | mov byte ptr [esi], dl $sequence_15 = { 57 50 56 895c2430 ff15???????? 56 ff15???????? } // n = 7, score = 100 // 57 | push edi // 50 | push eax // 56 | push esi // 895c2430 | mov dword ptr [esp + 0x30], ebx // ff15???????? | // 56 | push esi // ff15???????? | condition: 7 of them and filesize < 1458176 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY