Actor(s): Lazarus Group
There is no description at this point.
rule win_unidentified_077_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-07-11" version = "1" description = "Detects win.unidentified_077." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077" malpedia_rule_date = "20230705" malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41" malpedia_version = "20230715" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 488bd5 33c9 ff15???????? 4c8bf0 4885c0 7510 } // n = 6, score = 600 // 488bd5 | dec eax // 33c9 | arpl word ptr [ecx + 0x3c], cx // ff15???????? | // 4c8bf0 | dec eax // 4885c0 | lea eax, [ecx + 0x108] // 7510 | dec esp $sequence_1 = { 488bce ff15???????? 4c8bf0 4885c0 751b ff15???????? } // n = 6, score = 600 // 488bce | mov ebp, 4 // ff15???????? | // 4c8bf0 | mov eax, ebp // 4885c0 | dec ebp // 751b | lea ecx, [esp + 0x10] // ff15???????? | $sequence_2 = { 498b9cf740c70100 4885db 7407 483bdf 747a } // n = 5, score = 600 // 498b9cf740c70100 | dec eax // 4885db | cmp ebx, eax // 7407 | jne 0x361 // 483bdf | dec eax // 747a | and dword ptr [ebx], 0 $sequence_3 = { 4c3be8 72c2 42813c2150450000 4c897c2460 4e8d3c21 7515 b864860000 } // n = 7, score = 600 // 4c3be8 | sub esp, 0x20 // 72c2 | dec eax // 42813c2150450000 | mov ebx, ecx // 4c897c2460 | dec eax // 4e8d3c21 | lea edi, [0xfffefadc] // 7515 | dec eax // b864860000 | mov ecx, edi $sequence_4 = { 0fb68c8252400100 0fb6b48253400100 8bd9 8bf8 } // n = 4, score = 600 // 0fb68c8252400100 | test ebx, ebx // 0fb6b48253400100 | je 0x12e // 8bd9 | inc ebp // 8bf8 | sub esp, ebp $sequence_5 = { 4d8be1 498be8 4c8bea 4b8b8cf7e0c70100 4c8b15???????? } // n = 5, score = 600 // 4d8be1 | dec eax // 498be8 | test ebx, ebx // 4c8bea | jne 0x2b9 // 4b8b8cf7e0c70100 | dec eax // 4c8b15???????? | $sequence_6 = { eb28 493bd0 720e 488d95d0040000 e8???????? } // n = 5, score = 600 // eb28 | dec eax // 493bd0 | lea ecx, [0x12f5c] // 720e | dec eax // 488d95d0040000 | mov eax, ebx // e8???????? | $sequence_7 = { 6690 b910000000 e8???????? 488bf0 4885c0 0f84ef000000 } // n = 6, score = 600 // 6690 | dec eax // b910000000 | sub esp, 0x20 // e8???????? | // 488bf0 | inc ecx // 4885c0 | mov ebp, eax // 0f84ef000000 | dec esp $sequence_8 = { f30f6f0418 660fefc1 f30f7f0418 413bd1 72d7 413bd0 } // n = 6, score = 600 // f30f6f0418 | mov dword ptr [ecx + eax], 2 // 660fefc1 | mov eax, 8 // f30f7f0418 | dec eax // 413bd1 | imul eax, eax, 0 // 72d7 | dec eax // 413bd0 | mov dword ptr [esp + eax + 0x20], ecx $sequence_9 = { 4c8bf0 4885c0 752d 448d4804 41b800300000 488bd5 } // n = 6, score = 600 // 4c8bf0 | mov esi, ecx // 4885c0 | dec esp // 752d | lea edi, [0xffff6aa2] // 448d4804 | dec ebp // 41b800300000 | mov esp, ecx // 488bd5 | dec ecx condition: 7 of them and filesize < 270336 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY