There is no description at this point.
rule win_tofsee_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2020-10-14" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.5.0" tool_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee" malpedia_rule_date = "20201014" malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9" malpedia_version = "20201014" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 5f 5e 5b c9 c3 891d???????? } // n = 6, score = 400 // 5f | pop edi // 5e | pop esi // 5b | pop ebx // c9 | leave // c3 | ret // 891d???????? | $sequence_1 = { 59 894e08 ff4710 8b4710 3b4714 7c1b 894f08 } // n = 7, score = 400 // 59 | pop ecx // 894e08 | mov dword ptr [esi + 8], ecx // ff4710 | inc dword ptr [edi + 0x10] // 8b4710 | mov eax, dword ptr [edi + 0x10] // 3b4714 | cmp eax, dword ptr [edi + 0x14] // 7c1b | jl 0x1d // 894f08 | mov dword ptr [edi + 8], ecx $sequence_2 = { 50 57 56 6a0c 68???????? 53 e8???????? } // n = 7, score = 400 // 50 | push eax // 57 | push edi // 56 | push esi // 6a0c | push 0xc // 68???????? | // 53 | push ebx // e8???????? | $sequence_3 = { eb08 8a1c30 881c11 41 40 3b4510 7cf3 } // n = 7, score = 400 // eb08 | jmp 0xa // 8a1c30 | mov bl, byte ptr [eax + esi] // 881c11 | mov byte ptr [ecx + edx], bl // 41 | inc ecx // 40 | inc eax // 3b4510 | cmp eax, dword ptr [ebp + 0x10] // 7cf3 | jl 0xfffffff5 $sequence_4 = { 75e4 5f 5e 5d 5b c3 83610400 } // n = 7, score = 400 // 75e4 | jne 0xffffffe6 // 5f | pop edi // 5e | pop esi // 5d | pop ebp // 5b | pop ebx // c3 | ret // 83610400 | and dword ptr [ecx + 4], 0 $sequence_5 = { 85c9 7e24 0fbec0 89442410 55 0fbe0437 6bdb1a } // n = 7, score = 400 // 85c9 | test ecx, ecx // 7e24 | jle 0x26 // 0fbec0 | movsx eax, al // 89442410 | mov dword ptr [esp + 0x10], eax // 55 | push ebp // 0fbe0437 | movsx eax, byte ptr [edi + esi] // 6bdb1a | imul ebx, ebx, 0x1a $sequence_6 = { 8bc2 03c6 eb02 8bc6 5b 5e 5f } // n = 7, score = 400 // 8bc2 | mov eax, edx // 03c6 | add eax, esi // eb02 | jmp 4 // 8bc6 | mov eax, esi // 5b | pop ebx // 5e | pop esi // 5f | pop edi $sequence_7 = { 33ff ff7510 53 eb1b 3d46270000 741d 03f8 } // n = 7, score = 400 // 33ff | xor edi, edi // ff7510 | push dword ptr [ebp + 0x10] // 53 | push ebx // eb1b | jmp 0x1d // 3d46270000 | cmp eax, 0x2746 // 741d | je 0x1f // 03f8 | add edi, eax $sequence_8 = { 0fb70433 8b3d???????? 50 ffd7 43 668945e0 } // n = 6, score = 400 // 0fb70433 | movzx eax, word ptr [ebx + esi] // 8b3d???????? | // 50 | push eax // ffd7 | call edi // 43 | inc ebx // 668945e0 | mov word ptr [ebp - 0x20], ax $sequence_9 = { 53 56 68???????? 33db e8???????? 8b35???????? 81fe???????? } // n = 7, score = 400 // 53 | push ebx // 56 | push esi // 68???????? | // 33db | xor ebx, ebx // e8???????? | // 8b35???????? | // 81fe???????? | condition: 7 of them and filesize < 147456 }
rule win_tofsee_w0 { meta: author="akrasuski1" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee" malpedia_version = "20171121" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14} $xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E} $xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C} $string_res1 = "loader_id" $string_res2 = "born_date" $string_res3 = "work_srv" $string_res4 = "flags_upd" $string_res5 = "lid_file_upd" $string_res6 = "localcfg" $string_var0 = "%RND_NUM" $string_var1 = "%SYS_JR" $string_var2 = "%SYS_N" $string_var3 = "%SYS_RN" $string_var4 = "%RND_SPACE" $string_var5 = "%RND_DIGIT" $string_var6 = "%RND_HEX" $string_var7 = "%RND_hex" $string_var8 = "%RND_char" $string_var9 = "%RND_CHAR" condition: (7 of ($string_var*) and 4 of ($string_res*)) or (7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt)) or (4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt)) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY