rule win_torrentlocker_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.torrentlocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reviewer notes (commentary only; the generated strings and condition
    // below are unchanged):
    // - Every string is a short raw x86 code sequence taken from unpacked /
    //   in-memory code, so the rule is meant for unpacked files and memory
    //   dumps. A packed or encrypted on-disk sample will generally not match.
    // - "????????" wildcards stand in for absolute 32-bit operands (import
    //   thunks, globals, pushed pointers) that differ between builds and dumps.
    // - The "n = ..., score = ..." annotations are yara-signator's own
    //   per-sequence statistics from rule generation; higher score means the
    //   sequence was more specific to this family in its corpus.
    // - Matching requires 7 of the 16 sequences, so any single generic
    //   sequence firing on its own does not produce a hit.
    strings:
        // Generic "ret; cmp eax,1; je; cmp eax,2" epilogue/dispatch shape —
        // plausibly compiler output, so this sequence is weak on its own.
        $sequence_0 = { c3 83f801 7405 83f802 }
            // n = 4, score = 500
            //   c3                   | ret
            //   83f801               | cmp                 eax, 1
            //   7405                 | je                  7
            //   83f802               | cmp                 eax, 2

        // Small counted loop (eax from 0..5) followed by esi = 0.
        $sequence_1 = { 40 83f806 72f1 33f6 }
            // n = 4, score = 400
            //   40                   | inc                 eax
            //   83f806               | cmp                 eax, 6
            //   72f1                 | jb                  0xfffffff3
            //   33f6                 | xor                 esi, esi

        // NOTE(review): a low-entropy run of repeated 01/02 bytes. The
        // disassembly is only what those bytes decode to; this looks like a
        // data table rather than code and is the most false-positive-prone
        // sequence in the rule. It is tolerable only because of "7 of them".
        $sequence_2 = { 0102 0102 0201 0202 0202 0202 }
            // n = 6, score = 400
            //   0102                 | add                 dword ptr [edx], eax
            //   0102                 | add                 dword ptr [edx], eax
            //   0201                 | add                 al, byte ptr [ecx]
            //   0202                 | add                 al, byte ptr [edx]
            //   0202                 | add                 al, byte ptr [edx]
            //   0202                 | add                 al, byte ptr [edx]

        // Indirect call through esi, then "return unless result == 1".
        $sequence_3 = { ffd6 83f801 7502 5e c3 }
            // n = 5, score = 400
            //   ffd6                 | call                esi
            //   83f801               | cmp                 eax, 1
            //   7502                 | jne                 4
            //   5e                   | pop                 esi
            //   c3                   | ret

        // Import call (target wildcarded) followed by a compare against 0xb7.
        // 0xb7 (183) is the Win32 ERROR_ALREADY_EXISTS value; this is
        // consistent with a post-creation "already exists" check (e.g. after a
        // named-object creation API), but the callee is not visible here.
        $sequence_4 = { 85db 7412 ff15???????? 33c9 3db7000000 }
            // n = 5, score = 400
            //   85db                 | test                ebx, ebx
            //   7412                 | je                  0x14
            //   ff15????????         |
            //   33c9                 | xor                 ecx, ecx
            //   3db7000000           | cmp                 eax, 0xb7

        // Global set to -1, then a 3-argument call setup (0, 1, pointer) and a
        // store into [esi+8]; the wildcards hide the global/pointer addresses.
        $sequence_5 = { c705????????ffffffff 8b15???????? 6a00 6a01 68???????? 895608 }
            // n = 6, score = 400
            //   c705????????ffffffff |
            //   8b15????????         |
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   68????????           |
            //   895608               | mov                 dword ptr [esi + 8], edx

        // push 0xf0000040 / eax / 0 / 0 / pointer: the immediate equals
        // CRYPT_VERIFYCONTEXT | CRYPT_SILENT, so this argument shape is
        // consistent with a CryptAcquireContext call (callee not in sequence).
        $sequence_6 = { 83f801 7526 68400000f0 50 6a00 6a00 68???????? }
            // n = 7, score = 400
            //   83f801               | cmp                 eax, 1
            //   7526                 | jne                 0x28
            //   68400000f0           | push                0xf0000040
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |

        // Null check, then push 0x78 / eax / pointer; the meaning of 0x78
        // cannot be determined from this sequence alone.
        $sequence_7 = { 85c0 7510 6a78 50 68???????? }
            // n = 5, score = 400
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12
            //   6a78                 | push                0x78
            //   50                   | push                eax
            //   68????????           |

        // Compares ecx against two NTSTATUS codes: 0xc0000017 (STATUS_NO_MEMORY)
        // and 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND), with eax preset to 1.
        // Suggests error classification after a native API call.
        $sequence_8 = { b801000000 81f9170000c0 7415 81f9340000c0 7407 85c9 750e }
            // n = 7, score = 400
            //   b801000000           | mov                 eax, 1
            //   81f9170000c0         | cmp                 ecx, 0xc0000017
            //   7415                 | je                  0x17
            //   81f9340000c0         | cmp                 ecx, 0xc0000034
            //   7407                 | je                  9
            //   85c9                 | test                ecx, ecx
            //   750e                 | jne                 0x10

        // "if (eax == 0) return -1" idiom — generic, weak on its own.
        $sequence_9 = { 85c0 7412 83c8ff 5f }
            // n = 4, score = 400
            //   85c0                 | test                eax, eax
            //   7412                 | je                  0x14
            //   83c8ff               | or                  eax, 0xffffffff
            //   5f                   | pop                 edi

        // Import call, then returns esi+1 on success or esi on failure.
        $sequence_10 = { ff15???????? 85c0 8d4601 7502 8bc6 5e }
            // n = 6, score = 400
            //   ff15????????         |
            //   85c0                 | test                eax, eax
            //   8d4601               | lea                 eax, [esi + 1]
            //   7502                 | jne                 4
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi

        // push 0xf0000000 (CRYPT_VERIFYCONTEXT) / 0x18 (PROV_RSA_AES) / 0 / 0 /
        // pointer, then call via an import loaded into esi. Again consistent
        // with CryptAcquireContext; the wildcards hide the import and pointer.
        $sequence_11 = { 8b35???????? 68000000f0 6a18 6a00 6a00 68???????? ffd6 }
            // n = 7, score = 400
            //   8b35????????         |
            //   68000000f0           | push                0xf0000000
            //   6a18                 | push                0x18
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |
            //   ffd6                 | call                esi

        // On failure, fetches an error code (import call, likely GetLastError —
        // not visible here) and compares with 0x80090016 (NTE_BAD_KEYSET).
        $sequence_12 = { 85c0 751f ff15???????? 3d16000980 753d }
            // n = 5, score = 400
            //   85c0                 | test                eax, eax
            //   751f                 | jne                 0x21
            //   ff15????????         |
            //   3d16000980           | cmp                 eax, 0x80090016
            //   753d                 | jne                 0x3f

        // Continuation of the same pattern: on NTE_BAD_KEYSET, re-issue the
        // call with 0xf0000008 (CRYPT_VERIFYCONTEXT | CRYPT_NEWKEYSET) and
        // PROV_RSA_AES — the classic "create the key container if missing"
        // retry. $sequence_12 and $sequence_13 overlap, so they tend to fire
        // together; treat them as one piece of evidence when tuning thresholds.
        $sequence_13 = { 3d16000980 753d 68080000f0 6a18 6a00 6a00 }
            // n = 6, score = 400
            //   3d16000980           | cmp                 eax, 0x80090016
            //   753d                 | jne                 0x3f
            //   68080000f0           | push                0xf0000008
            //   6a18                 | push                0x18
            //   6a00                 | push                0
            //   6a00                 | push                0

        // Jump over a branch, then a call with (0xc, 0, edx) via esi.
        $sequence_14 = { eb39 8b15???????? 6a0c 6a00 52 ffd6 }
            // n = 6, score = 400
            //   eb39                 | jmp                 0x3b
            //   8b15????????         |
            //   6a0c                 | push                0xc
            //   6a00                 | push                0
            //   52                   | push                edx
            //   ffd6                 | call                esi

        // Very short: je / push ecx / push eax / load global. Generic.
        $sequence_15 = { 740e 51 50 a1???????? }
            // n = 4, score = 400
            //   740e                 | je                  0x10
            //   51                   | push                ecx
            //   50                   | push                eax
            //   a1????????           |

    condition:
        // 7 of 16 sequences must be present. The filesize cap (933888 bytes =
        // 912 KiB) bounds the scope to files around the size of the generating
        // samples. NOTE(review): YARA's `filesize` is undefined when scanning
        // a live process rather than a file, which makes this clause false
        // there; for process scanning, confirm this against your YARA version
        // and consider evaluating the string part without the size clause.
        7 of them and filesize < 933888
}