win.virtualgate

VIRTUALGATE


No description has been written for this family yet; the only reference on record is the 2022 write-up listed below.

References
2022-10-03 — One Night in Norfolk — Norfolk
@online{norfolk:20221003:some:115e620, author = {Norfolk}, title = {{Some Notes on VIRTUALGATE}}, date = {2022-10-03}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/some-notes-on-virtualgate/}, language = {English}, urldate = {2022-10-05} } Some Notes on VIRTUALGATE
VIRTUALGATE
Yara Rules
[TLP:WHITE] win_virtualgate_auto (20230125 | Detects win.virtualgate.)
rule win_virtualgate_auto {

    // Provenance metadata only; none of these fields affect matching.
    // malpedia_hash is presumably the reference sample this rule was derived
    // from -- confirm on the Malpedia page before citing it.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.virtualgate."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.virtualgate"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (comments only; the generated rule logic is untouched)
     *
     * What is matched: only the hex byte sequences in the `strings:` section.
     * The `//` mnemonic listings under each sequence are informational output
     * of yara-signator and are ignored by YARA.
     *
     * The mnemonic listings are NOT a per-line decode of the bytes beside
     * them. The sequences are full of REX prefixes (0x40-0x4f), i.e. this is
     * x86-64 code, but the listings appear to come from a 32-bit decode and
     * are shifted: e.g. `ffc3` is `inc ebx`, not `cmp eax, -1`; `5f` is
     * `pop rdi`, not `dec eax`; the real `cmp eax, -1` is the `83f8ff` in
     * $sequence_6. Treat the hex literals as ground truth and re-disassemble
     * in 64-bit mode before reasoning about what a sequence does.
     *
     * `??` masks one byte. `e8????????` is a CALL rel32 and `ff15????????`
     * a CALL [rip+disp32]; the four operand bytes are build- and
     * load-address dependent, so they are wildcarded instead of matched.
     *
     * Coverage: per the disclaimer above, the sequences come from the single
     * sample(s) Malpedia holds for this family, so a recompiled or refactored
     * build may fall below the 7-of-10 threshold in the condition.
     */

    strings:
        $sequence_0 = { ffc3 895d9b 428844f13e 4b8b84e0f0250200 42804cf03d04 38558f }
            // n = 6, score = 100
            //   ffc3                 | cmp                 eax, -1
            //   895d9b               | jne                 0x397
            //   428844f13e           | mov                 edx, eax
            //   4b8b84e0f0250200     | dec                 eax
            //   42804cf03d04         | mov                 ecx, ebx
            //   38558f               | test                eax, eax

        $sequence_1 = { 8bc3 488b5c2450 488b742460 4883c430 415e 415c 5f }
            // n = 7, score = 100
            //   8bc3                 | dec                 eax
            //   488b5c2450           | mov                 esi, edx
            //   488b742460           | inc                 ecx
            //   4883c430             | push                esi
            //   415e                 | inc                 ecx
            //   415c                 | push                edi
            //   5f                   | dec                 eax

        $sequence_2 = { 460fbebc3920190200 41ffc7 458bef 442bea 4d63dd 4d3bd8 0f8f68020000 }
            // n = 7, score = 100
            //   460fbebc3920190200     | cmp    edx, ecx
            //   41ffc7               | je                  0x28e
            //   458bef               | mov                 al, byte ptr [ecx]
            //   442bea               | test                al, al
            //   4d63dd               | je                  0x2aa
            //   4d3bd8               | dec                 eax
            //   0f8f68020000         | inc                 edx

        $sequence_3 = { 488bc8 4c896c2438 4c896c2430 44896c2428 c744242001000000 e8???????? 85c0 }
            // n = 7, score = 100
            //   488bc8               | lea                 eax, [0xcfb7]
            //   4c896c2438           | dec                 esp
            //   4c896c2430           | lea                 ecx, [0xd2ed]
            //   44896c2428           | xor                 ecx, ecx
            //   c744242001000000     | dec                 esp
            //   e8????????           |                     
            //   85c0                 | lea                 eax, [0xd2e0]

        // NOTE(review): $sequence_4 overlaps $sequence_2 (both contain
        // `460fbebc3920190200 41ffc7 458bef 442bea`), so a hit on one
        // region of code can satisfy two of the seven required sequences.
        $sequence_4 = { 4c8b45b7 4c2bc6 420fb64cf03e 460fbebc3920190200 41ffc7 458bef 442bea }
            // n = 7, score = 100
            //   4c8b45b7             | dec                 eax
            //   4c2bc6               | lea                 ecx, [0x1f933]
            //   420fb64cf03e         | dec                 eax
            //   460fbebc3920190200     | mov    eax, dword ptr [esp + 0x28]
            //   41ffc7               | dec                 eax
            //   458bef               | lea                 eax, [esp + 0x28]
            //   442bea               | shr                 eax, 1

        $sequence_5 = { 488d0d30ecfeff 4c8945e7 4d03e8 48895df7 4c8be3 4c896db7 }
            // n = 6, score = 100
            //   488d0d30ecfeff       | je                  0x38b
            //   4c8945e7             | dec                 eax
            //   4d03e8               | cmp                 ebx, edi
            //   48895df7             | mov                 esi, dword ptr [ebp]
            //   4c8be3               | dec                 ecx
            //   4c896db7             | mov                 ebx, dword ptr [edi + esi*8 + 0x221c8]

        $sequence_6 = { 66895c2438 488d542438 c7442440ffffffff 488bcf 8974243c ff15???????? 83f8ff }
            // n = 7, score = 100
            //   66895c2438           | je                  0x59c
            //   488d542438           | mov                 al, byte ptr [ecx]
            //   c7442440ffffffff     | jmp                 0x5a3
            //   488bcf               | dec                 eax
            //   8974243c             | add                 esi, esi
            //   ff15????????         |                     
            //   83f8ff               | inc                 ecx

        $sequence_7 = { 488b4530 488b8888000000 488d05b2430100 483bc8 }
            // n = 4, score = 100
            //   488b4530             | dec                 eax
            //   488b8888000000       | mov                 dword ptr [esp + 0x2070], eax
            //   488d05b2430100       | je                  0x361
            //   483bc8               | dec                 eax

        $sequence_8 = { be05000000 488d1574df0000 448bc6 488bcf e8???????? 85c0 7506 }
            // n = 7, score = 100
            //   be05000000           | dec                 eax
            //   488d1574df0000       | inc                 ecx
            //   448bc6               | mov                 al, byte ptr [ecx]
            //   488bcf               | inc                 ecx
            //   e8????????           |                     
            //   85c0                 | cmp                 al, bl
            //   7506                 | je                  0x529

        $sequence_9 = { 741c e8???????? 448938 e8???????? c70016000000 }
            // n = 5, score = 100
            //   741c                 | mov                 ecx, edi
            //   e8????????           |                     
            //   448938               | dec                 ecx
            //   e8????????           |                     
            //   c70016000000         | mov                 ecx, esp

    condition:
        // Fire when at least 7 of the 10 sequences are present (tolerates a
        // few sequences shifting between builds) and the scanned object is
        // under 323584 bytes (316 KiB).
        // NOTE(review): YARA leaves `filesize` undefined when scanning a
        // running process, so with this `and` the rule will not match in live
        // process scans; it is meant for files on disk, including memory
        // dumps written to disk as the disclaimer describes.
        7 of them and filesize < 323584
}