/*
 * Autogenerated YARA-Signator rule for the Malpedia family win.tempedreve.
 *
 * Every $sequence_N below is a short run of x86 opcode bytes that the
 * generator picked out of disassembled memory dumps and unpacked samples
 * (see the DISCLAIMER in the meta section).  The rule is therefore meant to
 * be applied to unpacked code; it is not expected to fire on packed on-disk
 * samples.  Masked bytes ("??") in $sequence_5, $sequence_12 and
 * $sequence_14 sit where the disassembly shows no operand text — presumably
 * absolute addresses and call targets that vary between builds (verify
 * against yara-signator).  The "n = … / score = …" annotations are carried
 * over from the generator; their exact meaning is not documented here.
 */
rule win_tempedreve_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.tempedreve."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // n = 4, score = 300
        $sequence_0 = { 011e 015e10 015e0c 0fb75706 }
            // 011e      | add dword ptr [esi], ebx
            // 015e10    | add dword ptr [esi + 0x10], ebx
            // 015e0c    | add dword ptr [esi + 0xc], ebx
            // 0fb75706  | movzx edx, word ptr [edi + 6]

        // n = 4, score = 300
        $sequence_1 = { 011a 8b87dc000000 83c204 03c6 }
            // 011a          | add dword ptr [edx], ebx
            // 8b87dc000000  | mov eax, dword ptr [edi + 0xdc]
            // 83c204        | add edx, 4
            // 03c6          | add eax, esi

        // n = 4, score = 300
        $sequence_2 = { 01042f 034c2ff8 8d45ec 894c2ff8 }
            // 01042f    | add dword ptr [edi + ebp], eax
            // 034c2ff8  | add ecx, dword ptr [edi + ebp - 8]
            // 8d45ec    | lea eax, [ebp - 0x14]
            // 894c2ff8  | mov dword ptr [edi + ebp - 8], ecx

        // n = 5, score = 300
        $sequence_3 = { 754f 85f6 744b 214524 8d4520 }
            // 754f    | jne 0x51
            // 85f6    | test esi, esi
            // 744b    | je 0x4d
            // 214524  | and dword ptr [ebp + 0x24], eax
            // 8d4520  | lea eax, [ebp + 0x20]

        // n = 4, score = 300
        $sequence_4 = { 011a 45 8d14a9 8b02 }
            // 011a    | add dword ptr [edx], ebx
            // 45      | inc ebp
            // 8d14a9  | lea edx, [ecx + ebp*4]
            // 8b02    | mov eax, dword ptr [edx]

        // n = 5, score = 300 — two masked operands (mov eax, [abs] / call [abs])
        $sequence_5 = { 0103 a1???????? 83c004 50 ff15???????? }
            // 0103          | add dword ptr [ebx], eax
            // a1????????    |
            // 83c004        | add eax, 4
            // 50            | push eax
            // ff15????????  |

        // n = 4, score = 300
        $sequence_6 = { 0104b7 8b8424a8000000 83c704 4d }
            // 0104b7          | add dword ptr [edi + esi*4], eax
            // 8b8424a8000000  | mov eax, dword ptr [esp + 0xa8]
            // 83c704          | add edi, 4
            // 4d              | dec ebp

        // n = 4, score = 300
        $sequence_7 = { 010f 8b07 83c704 3bc1 }
            // 010f    | add dword ptr [edi], ecx
            // 8b07    | mov eax, dword ptr [edi]
            // 83c704  | add edi, 4
            // 3bc1    | cmp eax, ecx

        // n = 6, score = 200
        $sequence_8 = { 89542430 eb09 83f801 0f86c8010000 0fb64500 0fb64d01 }
            // 89542430      | mov dword ptr [esp + 0x30], edx
            // eb09          | jmp 0xb
            // 83f801        | cmp eax, 1
            // 0f86c8010000  | jbe 0x1ce
            // 0fb64500      | movzx eax, byte ptr [ebp]
            // 0fb64d01      | movzx ecx, byte ptr [ebp + 1]

        // n = 5, score = 200
        $sequence_9 = { 85c0 0f85a9090000 53 8916 8d4e04 }
            // 85c0          | test eax, eax
            // 0f85a9090000  | jne 0x9af
            // 53            | push ebx
            // 8916          | mov dword ptr [esi], edx
            // 8d4e04        | lea ecx, [esi + 4]

        // n = 4, score = 200
        $sequence_10 = { 8bc8 c1e903 8d440140 c20400 }
            // 8bc8      | mov ecx, eax
            // c1e903    | shr ecx, 3
            // 8d440140  | lea eax, [ecx + eax + 0x40]
            // c20400    | ret 4

        // n = 7, score = 200
        $sequence_11 = { 899e1c040000 895c2458 3bc3 0f86eb070000 8d9b00000000 8b44245c 85c0 }
            // 899e1c040000  | mov dword ptr [esi + 0x41c], ebx
            // 895c2458      | mov dword ptr [esp + 0x58], ebx
            // 3bc3          | cmp eax, ebx
            // 0f86eb070000  | jbe 0x7f1
            // 8d9b00000000  | lea ebx, [ebx]
            // 8b44245c      | mov eax, dword ptr [esp + 0x5c]
            // 85c0          | test eax, eax

        // n = 7, score = 200 — one masked operand (call rel32)
        $sequence_12 = { 55 51 8bce 8d5c0301 e8???????? 3bd8 8b5c2458 }
            // 55          | push ebp
            // 51          | push ecx
            // 8bce        | mov ecx, esi
            // 8d5c0301    | lea ebx, [ebx + eax + 1]
            // e8????????  |
            // 3bd8        | cmp ebx, eax
            // 8b5c2458    | mov ebx, dword ptr [esp + 0x58]

        // n = 5, score = 200
        $sequence_13 = { 72f3 8b4c2414 8b6c2428 3bda 0f84e1000000 }
            // 72f3          | jb 0xfffffff5
            // 8b4c2414      | mov ecx, dword ptr [esp + 0x14]
            // 8b6c2428      | mov ebp, dword ptr [esp + 0x28]
            // 3bda          | cmp ebx, edx
            // 0f84e1000000  | je 0xe7

        // n = 7, score = 200 — one masked operand (call rel32)
        $sequence_14 = { 8b6c2410 8bd3 2bd7 52 55 8bce e8???????? }
            // 8b6c2410    | mov ebp, dword ptr [esp + 0x10]
            // 8bd3        | mov edx, ebx
            // 2bd7        | sub edx, edi
            // 52          | push edx
            // 55          | push ebp
            // 8bce        | mov ecx, esi
            // e8????????  |

        // n = 6, score = 200
        $sequence_15 = { 8b542430 3bda 7320 8d4d02 8be8 2b6c2428 }
            // 8b542430  | mov edx, dword ptr [esp + 0x30]
            // 3bda      | cmp ebx, edx
            // 7320      | jae 0x22
            // 8d4d02    | lea ecx, [ebp + 2]
            // 8be8      | mov ebp, eax
            // 2b6c2428  | sub ebp, dword ptr [esp + 0x28]

    condition:
        // Size gate first so oversize inputs drop out before the string-count
        // check; any 7 of the 16 sequences then suffice.  "$sequence_*" names
        // every string defined above, i.e. the same set as "them".
        // NOTE(review): filesize is only meaningful for file scans — confirm
        // the intended behaviour when this rule is run against process memory.
        filesize < 155648 and 7 of ($sequence_*)
}