Actor(s): IXESHE
There is no description at this point.
// Autogenerated YARA rule for the win.threebyte family (Malpedia page lists the actor as IXESHE).
// Each $sequence_N is a run of consecutive x86 (32-bit) instruction encodings lifted from the
// disassembly of one sample; the "n = X" annotation is the number of instructions in the run.
// "??" bytes are YARA wildcards and mask operand bytes (presumably relocatable call/jump targets
// and absolute addresses, which is why the disassembly column is left blank for those entries).
// The rule fires when at least 7 of the 10 sequences are present and the scanned file is smaller
// than 180224 bytes (176 KiB).
rule win_threebyte_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.threebyte."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Stores the ASCII bytes '[', '>', '>', ' ' one at a time into a stack buffer
        // (a string assembled in place rather than referenced from .rdata).
        $sequence_0 = { 85c0 0f8511010000 c68514ffffff5b c68515ffffff3e c68516ffffff3e c68517ffffff20 }
            // n = 6, score = 200
            //   85c0                 | test eax, eax
            //   0f8511010000         | jne 0x117
            //   c68514ffffff5b       | mov byte ptr [ebp - 0xec], 0x5b
            //   c68515ffffff3e       | mov byte ptr [ebp - 0xeb], 0x3e
            //   c68516ffffff3e       | mov byte ptr [ebp - 0xea], 0x3e
            //   c68517ffffff20       | mov byte ptr [ebp - 0xe9], 0x20

        // Byte-wise copy/swap within a 0x104-byte stack buffer (MAX_PATH-sized; presumably a
        // path or name buffer — not confirmed from the rule alone).
        $sequence_1 = { 8a8415fcfeffff 88840dfcfeffff 8b8df0feffff 8a95f8feffff 88940dfcfeffff }
            // n = 5, score = 200
            //   8a8415fcfeffff       | mov al, byte ptr [ebp + edx - 0x104]
            //   88840dfcfeffff       | mov byte ptr [ebp + ecx - 0x104], al
            //   8b8df0feffff         | mov ecx, dword ptr [ebp - 0x110]
            //   8a95f8feffff         | mov dl, byte ptr [ebp - 0x108]
            //   88940dfcfeffff       | mov byte ptr [ebp + ecx - 0x104], dl

        // Pushes 0x80000001 (the value of the HKEY_CURRENT_USER predefined key handle) and
        // calls through a wildcarded import; presumably a registry API call — confirm in the sample.
        $sequence_2 = { 6a00 8d4dbc 51 6801000080 ff15???????? 85c0 7407 }
            // n = 7, score = 200
            //   6a00                 | push 0
            //   8d4dbc               | lea ecx, [ebp - 0x44]
            //   51                   | push ecx
            //   6801000080           | push 0x80000001
            //   ff15????????         |
            //   85c0                 | test eax, eax
            //   7407                 | je 9

        // Error path (or eax, -1) followed by a counter update in the 0x8dc/0x8ec stack slots.
        $sequence_3 = { e8???????? 83c404 83c8ff eb44 8b8d24f7ffff 038d14f7ffff 898d24f7ffff }
            // n = 7, score = 200
            //   e8????????           |
            //   83c404               | add esp, 4
            //   83c8ff               | or eax, 0xffffffff
            //   eb44                 | jmp 0x46
            //   8b8d24f7ffff         | mov ecx, dword ptr [ebp - 0x8dc]
            //   038d14f7ffff         | add ecx, dword ptr [ebp - 0x8ec]
            //   898d24f7ffff         | mov dword ptr [ebp - 0x8dc], ecx

        // Two indirect calls through slot +0xc of the same object pointer (ebp - 0x8f0);
        // looks like a vtable/interface method call pattern — not verifiable from the bytes alone.
        $sequence_4 = { 8b8d10f7ffff ff510c 8b9564f7ffff 52 8b8510f7ffff ff500c 8b4df4 }
            // n = 7, score = 200
            //   8b8d10f7ffff         | mov ecx, dword ptr [ebp - 0x8f0]
            //   ff510c               | call dword ptr [ecx + 0xc]
            //   8b9564f7ffff         | mov edx, dword ptr [ebp - 0x89c]
            //   52                   | push edx
            //   8b8510f7ffff         | mov eax, dword ptr [ebp - 0x8f0]
            //   ff500c               | call dword ptr [eax + 0xc]
            //   8b4df4               | mov ecx, dword ptr [ebp - 0xc]

        // Three wildcarded calls/jumps around a zeroing of [ebp - 0xd98] and [ebp - 4].
        $sequence_5 = { 8d8d68f3ffff e8???????? e9???????? c78568f2ffff00000000 c645fc00 8d4df0 e8???????? }
            // n = 7, score = 200
            //   8d8d68f3ffff         | lea ecx, [ebp - 0xc98]
            //   e8????????           |
            //   e9????????           |
            //   c78568f2ffff00000000 | mov dword ptr [ebp - 0xd98], 0
            //   c645fc00             | mov byte ptr [ebp - 4], 0
            //   8d4df0               | lea ecx, [ebp - 0x10]
            //   e8????????           |

        // Zero-fills a stack buffer with rep stosd / stosw, then stores 0x100 into a dword
        // and passes its address; consistent with initialising a size field before an API call
        // (inference, not established by the bytes).
        $sequence_6 = { 33c0 8dbddefcffff f3ab 66ab c78594faffff00010000 8d9594faffff 52 }
            // n = 7, score = 200
            //   33c0                 | xor eax, eax
            //   8dbddefcffff         | lea edi, [ebp - 0x322]
            //   f3ab                 | rep stosd dword ptr es:[edi], eax
            //   66ab                 | stosw word ptr es:[edi], ax
            //   c78594faffff00010000 | mov dword ptr [ebp - 0x56c], 0x100
            //   8d9594faffff         | lea edx, [ebp - 0x56c]
            //   52                   | push edx

        // Loop prologue: copies the third argument to a local and zeroes a loop counter.
        $sequence_7 = { 8b4d10 894df8 c745ec00000000 eb09 8b55ec }
            // n = 5, score = 200
            //   8b4d10               | mov ecx, dword ptr [ebp + 0x10]
            //   894df8               | mov dword ptr [ebp - 8], ecx
            //   c745ec00000000       | mov dword ptr [ebp - 0x14], 0
            //   eb09                 | jmp 0xb
            //   8b55ec               | mov edx, dword ptr [ebp - 0x14]

        // Stores a call result and a 16-bit global (address wildcarded) into locals, then
        // loads 0xff into ecx.
        $sequence_8 = { e8???????? 8985a8fbffff 668b15???????? 668995ecfbffff b9ff000000 }
            // n = 5, score = 200
            //   e8????????           |
            //   8985a8fbffff         | mov dword ptr [ebp - 0x458], eax
            //   668b15????????       |
            //   668995ecfbffff       | mov word ptr [ebp - 0x414], dx
            //   b9ff000000           | mov ecx, 0xff

        // Sets [ebp - 0x68] to 0x101 and shuffles locals after a wildcarded call/jump pair.
        $sequence_9 = { e8???????? 83c404 e9???????? c7459801010000 8b9564ffffff 8955a4 8b45ec }
            // n = 7, score = 200
            //   e8????????           |
            //   83c404               | add esp, 4
            //   e9????????           |
            //   c7459801010000       | mov dword ptr [ebp - 0x68], 0x101
            //   8b9564ffffff         | mov edx, dword ptr [ebp - 0x9c]
            //   8955a4               | mov dword ptr [ebp - 0x5c], edx
            //   8b45ec               | mov eax, dword ptr [ebp - 0x14]

    condition:
        // At least 7 of the 10 sequences must match; the size bound (180224 bytes = 176 KiB)
        // limits the rule to unpacked samples/memory dumps of the expected size.
        7 of them and filesize < 180224
}