Actor(s): Lazarus Group
There is no description at this point.
rule win_unidentified_042_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-05-16" version = "1" description = "Detects win.unidentified_042." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042" malpedia_rule_date = "20220513" malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26" malpedia_version = "20220516" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 7438 8b8528f9ffff 5f 5e 5b 8b4dfc 33cd } // n = 7, score = 100 // 7438 | je 0x3a // 8b8528f9ffff | mov eax, dword ptr [ebp - 0x6d8] // 5f | pop edi // 5e | pop esi // 5b | pop ebx // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 33cd | xor ecx, ebp $sequence_1 = { 8b78fc 897dfc 8b79fc 8978fc 8b7dfc 8979fc 8b38 } // n = 7, score = 100 // 8b78fc | mov edi, dword ptr [eax - 4] // 897dfc | mov dword ptr [ebp - 4], edi // 8b79fc | mov edi, dword ptr [ecx - 4] // 8978fc | mov dword ptr [eax - 4], edi // 8b7dfc | mov edi, dword ptr [ebp - 4] // 8979fc | mov dword ptr [ecx - 4], edi // 8b38 | mov edi, dword ptr [eax] $sequence_2 = { 57 ffd2 8b4f08 894110 8b4708 8b4810 83c410 } // n = 7, score = 100 // 57 | push edi // ffd2 | call edx // 8b4f08 | mov ecx, dword ptr [edi + 8] // 894110 | mov dword ptr [ecx + 0x10], eax // 8b4708 | mov eax, dword ptr [edi + 8] // 8b4810 | mov ecx, dword ptr [eax + 0x10] // 83c410 | add esp, 0x10 $sequence_3 = { 03b36cf94200 8bdf 0375ec c1cb02 0175dc 899dc8feffff 8bdf } // n = 7, score = 100 // 03b36cf94200 | add esi, dword ptr [ebx + 0x42f96c] // 8bdf | mov ebx, edi // 0375ec | add esi, dword ptr [ebp - 0x14] // c1cb02 | ror ebx, 2 // 0175dc | add dword ptr [ebp - 0x24], esi // 899dc8feffff | mov dword ptr [ebp - 0x138], ebx // 8bdf | mov ebx, edi $sequence_4 = { e8???????? 8b4d40 8b553c 8b4538 51 8b4d34 52 } // n = 7, score = 100 // e8???????? | // 8b4d40 | mov ecx, dword ptr [ebp + 0x40] // 8b553c | mov edx, dword ptr [ebp + 0x3c] // 8b4538 | mov eax, dword ptr [ebp + 0x38] // 51 | push ecx // 8b4d34 | mov ecx, dword ptr [ebp + 0x34] // 52 | push edx $sequence_5 = { 81fa00400000 7616 b87cffffff 5f 5e 5b 8b4dfc } // n = 7, score = 100 // 81fa00400000 | cmp edx, 0x4000 // 7616 | jbe 0x18 // b87cffffff | mov eax, 0xffffff7c // 5f | pop edi // 5e | pop esi // 5b | pop ebx // 8b4dfc | mov ecx, dword ptr [ebp - 4] $sequence_6 = { f7e2 c1ea02 8d4415f4 8d1452 03d2 } // n = 5, score = 100 // f7e2 | mul edx // c1ea02 | shr edx, 2 // 8d4415f4 | lea eax, [ebp + edx - 0xc] // 8d1452 | lea edx, [edx + edx*2] // 03d2 | add edx, edx $sequence_7 = { 8bc8 2b4508 53 56 2bca 2bc2 57 } // n = 7, score = 100 // 8bc8 | mov ecx, eax // 2b4508 | sub eax, dword ptr [ebp + 8] // 53 | push ebx // 56 | push esi // 2bca | sub ecx, edx // 2bc2 | sub eax, edx // 57 | push edi $sequence_8 = { c78568faffff4a705876 c7856cfaffff59517a54 c78570faffff655a4b78 c78574faffff660d0a64 c78578faffff516d6a53 c7857cfaffff38514e38 c78580faffff49467476 } // n = 7, score = 100 // c78568faffff4a705876 | mov dword ptr [ebp - 0x598], 0x7658704a // c7856cfaffff59517a54 | mov dword ptr [ebp - 0x594], 0x547a5159 // c78570faffff655a4b78 | mov dword ptr [ebp - 0x590], 0x784b5a65 // c78574faffff660d0a64 | mov dword ptr [ebp - 0x58c], 0x640a0d66 // c78578faffff516d6a53 | mov dword ptr [ebp - 0x588], 0x536a6d51 // c7857cfaffff38514e38 | mov dword ptr [ebp - 0x584], 0x384e5138 // c78580faffff49467476 | mov dword ptr [ebp - 0x580], 0x76744649 $sequence_9 = { 3d67ffffff 7405 ba???????? e8???????? 8b4dfc 83c404 5f } // n = 7, score = 100 // 3d67ffffff | cmp eax, 0xffffff67 // 7405 | je 7 // ba???????? | // e8???????? | // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 83c404 | add esp, 4 // 5f | pop edi condition: 7 of them and filesize < 516096 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY