Actor(s): Lazarus Group
There is no description at this point.
rule win_veiledsignal_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.veiledsignal."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.veiledsignal"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Each $sequence_N is a run of raw x86-64 opcode bytes taken from the
     *   unpacked sample; the rule therefore targets unpacked code / memory
     *   dumps, not the packed on-disk form.  "??" wildcards stand in for the
     *   rel32 / RIP-relative operands of calls, which vary between builds.
     * - The per-opcode comments below were re-decoded as x86-64.  The
     *   autogenerated comments that shipped with the rule did not line up with
     *   the bytes they annotated (e.g. c3 was labelled "inc eax"; c3 is always
     *   ret) and rendered REX prefixes as 32-bit inc/dec, so they were
     *   replaced rather than kept.
     * - $sequence_0 is the shape of a hand-rolled direct system-call stub
     *   (mov eax, <ssn>; syscall; ret; mov r10, rcx; ...).  That shape is
     *   shared by any code that issues syscalls without going through the
     *   Win32 API, so on its own it is not family-specific; the "7 of them"
     *   threshold in the condition is what keeps the rule tight.  Syscall
     *   numbers are Windows-build dependent, so 0x25 / 0x24 are not mapped to
     *   API names here.
     * - NOTE(review): in YARA, filesize is undefined when the scan target is
     *   process memory rather than a file, and an undefined comparison makes
     *   the whole "and" false.  As written the rule is effectively usable on
     *   files and dumps only; if live-process scanning is intended, confirm
     *   this against the YARA version in use before relying on the clause.
     */

    strings:
        $sequence_0 = { b825000000 0f05 c3 4c8bd1 b824000000 0f05 }
            // n = 6, score = 100
            //   b825000000           | mov eax, 0x25
            //   0f05                 | syscall
            //   c3                   | ret
            //   4c8bd1               | mov r10, rcx
            //   b824000000           | mov eax, 0x24
            //   0f05                 | syscall

        $sequence_1 = { 41b806000000 488d15d9470400 483950f0 740c 488b10 4885d2 }
            // n = 6, score = 100
            //   41b806000000         | mov r8d, 6
            //   488d15d9470400       | lea rdx, [rip + 0x447d9]
            //   483950f0             | cmp qword ptr [rax - 0x10], rdx
            //   740c                 | je +0xc
            //   488b10               | mov rdx, qword ptr [rax]
            //   4885d2               | test rdx, rdx

        $sequence_2 = { 48894547 8bf9 e8???????? 85c0 }
            // n = 4, score = 100
            //   48894547             | mov qword ptr [rbp + 0x47], rax
            //   8bf9                 | mov edi, ecx
            //   e8????????           | call <rel32, wildcarded>
            //   85c0                 | test eax, eax

        $sequence_3 = { c3 83f801 7571 488d058a000000 }
            // n = 4, score = 100
            //   c3                   | ret
            //   83f801               | cmp eax, 1
            //   7571                 | jne +0x71
            //   488d058a000000       | lea rax, [rip + 0x8a]

        $sequence_4 = { 488975cf 488975e7 4889753f ff15???????? }
            // n = 4, score = 100
            //   488975cf             | mov qword ptr [rbp - 0x31], rsi
            //   488975e7             | mov qword ptr [rbp - 0x19], rsi
            //   4889753f             | mov qword ptr [rbp + 0x3f], rsi
            //   ff15????????         | call qword ptr [rip + <disp32, wildcarded>]

        $sequence_5 = { 4533c0 488d0daeb10400 baa00f0000 e8???????? }
            // n = 4, score = 100
            //   4533c0               | xor r8d, r8d
            //   488d0daeb10400       | lea rcx, [rip + 0x4b1ae]
            //   baa00f0000           | mov edx, 0xfa0
            //   e8????????           | call <rel32, wildcarded>

        $sequence_6 = { 4885c0 7509 488d0517820400 eb04 }
            // n = 4, score = 100
            //   4885c0               | test rax, rax
            //   7509                 | jne +0x9
            //   488d0517820400       | lea rax, [rip + 0x48217]
            //   eb04                 | jmp +0x4

        $sequence_7 = { e8???????? 488db328010000 bd06000000 488d7b38 488d052e490400 }
            // n = 5, score = 100
            //   e8????????           | call <rel32, wildcarded>
            //   488db328010000       | lea rsi, [rbx + 0x128]
            //   bd06000000           | mov ebp, 6
            //   488d7b38             | lea rdi, [rbx + 0x38]
            //   488d052e490400       | lea rax, [rip + 0x4492e]

        $sequence_8 = { 7513 488d15ad940000 488d0d86940000 e8???????? }
            // n = 4, score = 100
            //   7513                 | jne +0x13
            //   488d15ad940000       | lea rdx, [rip + 0x94ad]
            //   488d0d86940000       | lea rcx, [rip + 0x9486]
            //   e8????????           | call <rel32, wildcarded>

        $sequence_9 = { 4c8d0d44880000 f20f5cca f2410f590cc1 660f28d1 }
            // n = 4, score = 100
            //   4c8d0d44880000       | lea r9, [rip + 0x8844]
            //   f20f5cca             | subsd xmm1, xmm2
            //   f2410f590cc1         | mulsd xmm1, qword ptr [r9 + rax*8]
            //   660f28d1             | movapd xmm2, xmm1

    condition:
        // At least 7 of the 10 opcode runs must be present; the size bound
        // caps the scan to files below 667648 bytes (see REVIEW NOTES on
        // filesize and process-memory scans).
        7 of them and filesize < 667648
}