Actor(s): Lazarus Group
There is no description at this point.
// Reviewer note: the per-opcode annotations below were re-derived from the
// hex bytes of each sequence. In the auto-generated original the annotation
// lines did not correspond to the bytes they sat next to (the text appears to
// have been produced by a 32-bit decode and shifted across sequences, e.g.
// REX prefixes rendered as "dec eax"/"inc ecx"). Sequences carrying REX
// prefixes (0x40-0x4f) are x86-64 and are shown with 64-bit register names;
// sequences that embed 32-bit absolute addresses are shown as 32-bit code;
// for the few sequences that contain neither, bitness cannot be determined
// from the bytes alone and 32-bit names are used as in the original.
// Wildcarded bytes ("????????") are relative call/jump targets and
// rip-relative/absolute displacements and are left undecoded. Branch
// targets are given as the signed displacement relative to the end of the
// branch instruction. Hex patterns, meta and condition are unchanged.
rule win_volgmer_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.volgmer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // --- x86-64 sequences (REX prefixes present) ---

        $sequence_0 = { 48897c2418 55 488d6c24b0 4881ec50010000 488b05???????? }
            // n = 5, score = 300
            //   48897c2418        | mov qword ptr [rsp + 0x18], rdi
            //   55                | push rbp
            //   488d6c24b0        | lea rbp, [rsp - 0x50]
            //   4881ec50010000    | sub rsp, 0x150
            //   488b05????????    | mov rax, qword ptr [rip + ????????]

        $sequence_1 = { 488b4d40 4833cc e8???????? 4c8d9c2450010000 498b5b18 498b7b20 498be3 }
            // n = 7, score = 300
            //   488b4d40          | mov rcx, qword ptr [rbp + 0x40]
            //   4833cc            | xor rcx, rsp
            //   e8????????        | call ????????
            //   4c8d9c2450010000  | lea r11, [rsp + 0x150]
            //   498b5b18          | mov rbx, qword ptr [r11 + 0x18]
            //   498b7b20          | mov rdi, qword ptr [r11 + 0x20]
            //   498be3            | mov rsp, r11

        $sequence_2 = { e8???????? e8???????? e8???????? e8???????? c705????????04000000 }
            // n = 5, score = 200  (no REX prefix and no absolute address: bitness undetermined)
            //   e8????????        | call ????????
            //   e8????????        | call ????????
            //   e8????????        | call ????????
            //   e8????????        | call ????????
            //   c705????????04000000 | mov dword ptr [????????], 4

        $sequence_3 = { 488dbdd0050000 66f2af 4883c9ff 8957fe 488dbdd0050000 488d95b0010000 66f2af }
            // n = 7, score = 200
            //   488dbdd0050000    | lea rdi, [rbp + 0x5d0]
            //   66f2af            | repne scasw ax, word ptr [rdi]
            //   4883c9ff          | or rcx, 0xffffffffffffffff
            //   8957fe            | mov dword ptr [rdi - 2], edx
            //   488dbdd0050000    | lea rdi, [rbp + 0x5d0]
            //   488d95b0010000    | lea rdx, [rbp + 0x1b0]
            //   66f2af            | repne scasw ax, word ptr [rdi]

        $sequence_4 = { eb14 41b904000000 4533c0 488bd3 488bce }
            // n = 5, score = 200
            //   eb14              | jmp short +0x14
            //   41b904000000      | mov r9d, 4
            //   4533c0            | xor r8d, r8d
            //   488bd3            | mov rdx, rbx
            //   488bce            | mov rcx, rsi

        $sequence_5 = { 4c8bbc2410050000 488b8d00040000 4833cc e8???????? 4881c428050000 415e 415d }
            // n = 7, score = 200
            //   4c8bbc2410050000  | mov r15, qword ptr [rsp + 0x510]
            //   488b8d00040000    | mov rcx, qword ptr [rbp + 0x400]
            //   4833cc            | xor rcx, rsp
            //   e8????????        | call ????????
            //   4881c428050000    | add rsp, 0x528
            //   415e              | pop r14
            //   415d              | pop r13

        $sequence_6 = { 895c2448 8d4b40 8bfb ff542450 488bd8 4885c0 7507 }
            // n = 7, score = 200
            //   895c2448          | mov dword ptr [rsp + 0x48], ebx
            //   8d4b40            | lea ecx, [rbx + 0x40]
            //   8bfb              | mov edi, ebx
            //   ff542450          | call qword ptr [rsp + 0x50]
            //   488bd8            | mov rbx, rax
            //   4885c0            | test rax, rax
            //   7507              | jne short +0x07

        $sequence_7 = { 4833cc e8???????? 4881c428160000 415f 415e 415d 415c }
            // n = 7, score = 200
            //   4833cc            | xor rcx, rsp
            //   e8????????        | call ????????
            //   4881c428160000    | add rsp, 0x1628
            //   415f              | pop r15
            //   415e              | pop r14
            //   415d              | pop r13
            //   415c              | pop r12

        $sequence_8 = { e8???????? 85c0 7503 458bf7 418bc6 e9???????? 4533c9 }
            // n = 7, score = 200
            //   e8????????        | call ????????
            //   85c0              | test eax, eax
            //   7503              | jne short +0x03
            //   458bf7            | mov r14d, r15d
            //   418bc6            | mov eax, r14d
            //   e9????????        | jmp ????????
            //   4533c9            | xor r9d, r9d

        $sequence_9 = { 385401fe 7505 c644242000 33f6 448d6608 4584ff }
            // n = 6, score = 200
            //   385401fe          | cmp byte ptr [rcx + rax - 2], dl
            //   7505              | jne short +0x05
            //   c644242000        | mov byte ptr [rsp + 0x20], 0
            //   33f6              | xor esi, esi
            //   448d6608          | lea r12d, [rsi + 8]
            //   4584ff            | test r15b, r15b

        $sequence_10 = { e8???????? c7442420271a16ab 4533d2 c74424246d7a900e 418bc2 c7442428f3fa677d 488bcf }
            // n = 7, score = 200
            //   e8????????        | call ????????
            //   c7442420271a16ab  | mov dword ptr [rsp + 0x20], 0xab161a27
            //   4533d2            | xor r10d, r10d
            //   c74424246d7a900e  | mov dword ptr [rsp + 0x24], 0x0e907a6d
            //   418bc2            | mov eax, r10d
            //   c7442428f3fa677d  | mov dword ptr [rsp + 0x28], 0x7d67faf3
            //   488bcf            | mov rcx, rdi

        $sequence_11 = { 74b7 33d2 488d4c2444 41b804040000 e8???????? 6644897c2444 c744244037180000 }
            // n = 7, score = 200
            //   74b7              | je short -0x49
            //   33d2              | xor edx, edx
            //   488d4c2444        | lea rcx, [rsp + 0x44]
            //   41b804040000      | mov r8d, 0x404
            //   e8????????        | call ????????
            //   6644897c2444      | mov word ptr [rsp + 0x44], r15w
            //   c744244037180000  | mov dword ptr [rsp + 0x40], 0x1837

        $sequence_12 = { b800000800 e9???????? 48899c2498020000 488b5908 33d2 488d4c2440 }
            // n = 6, score = 200
            //   b800000800        | mov eax, 0x80000
            //   e9????????        | jmp ????????
            //   48899c2498020000  | mov qword ptr [rsp + 0x298], rbx
            //   488b5908          | mov rbx, qword ptr [rcx + 8]
            //   33d2              | xor edx, edx
            //   488d4c2440        | lea rcx, [rsp + 0x40]

        $sequence_13 = { 8b05???????? 8905???????? e8???????? 85c0 7450 488b0d???????? e8???????? }
            // n = 7, score = 200
            //   8b05????????      | mov eax, dword ptr [rip + ????????]
            //   8905????????      | mov dword ptr [rip + ????????], eax
            //   e8????????        | call ????????
            //   85c0              | test eax, eax
            //   7450              | je short +0x50
            //   488b0d????????    | mov rcx, qword ptr [rip + ????????]
            //   e8????????        | call ????????

        $sequence_14 = { e8???????? e9???????? 4183fd01 750d 498bd6 488bcb }
            // n = 6, score = 200
            //   e8????????        | call ????????
            //   e9????????        | jmp ????????
            //   4183fd01          | cmp r13d, 1
            //   750d              | jne short +0x0d
            //   498bd6            | mov rdx, r14
            //   488bcb            | mov rcx, rbx

        // --- 32-bit sequences (absolute 32-bit addresses / no REX) ---

        $sequence_15 = { 6a00 50 e8???????? 83c40c c785e0f3ffff00040000 8d85e0f3ffff 50 }
            // n = 7, score = 100
            //   6a00              | push 0
            //   50                | push eax
            //   e8????????        | call ????????
            //   83c40c            | add esp, 0xc
            //   c785e0f3ffff00040000 | mov dword ptr [ebp - 0xc20], 0x400
            //   8d85e0f3ffff      | lea eax, [ebp - 0xc20]
            //   50                | push eax

        $sequence_16 = { 8bf8 7452 8d8e18030000 51 8d85f4fbffff 68???????? 50 }
            // n = 7, score = 100
            //   8bf8              | mov edi, eax
            //   7452              | je short +0x52
            //   8d8e18030000      | lea ecx, [esi + 0x318]
            //   51                | push ecx
            //   8d85f4fbffff      | lea eax, [ebp - 0x40c]
            //   68????????        | push ????????
            //   50                | push eax

        $sequence_17 = { c745e0e0ba7300 e9???????? 83e80f 7451 83e809 7443 }
            // n = 6, score = 100
            //   c745e0e0ba7300    | mov dword ptr [ebp - 0x20], 0x73bae0
            //   e9????????        | jmp ????????
            //   83e80f            | sub eax, 0xf
            //   7451              | je short +0x51
            //   83e809            | sub eax, 9
            //   7443              | je short +0x43

        $sequence_18 = { 59 83cfff 897de4 8365fc00 8b049d80f17300 }
            // n = 5, score = 100
            //   59                | pop ecx
            //   83cfff            | or edi, 0xffffffff
            //   897de4            | mov dword ptr [ebp - 0x1c], edi
            //   8365fc00          | and dword ptr [ebp - 4], 0
            //   8b049d80f17300    | mov eax, dword ptr [ebx*4 + 0x73f180]

        $sequence_19 = { 83f8ff 89442404 7508 ff15???????? eb29 8d4c2404 }
            // n = 6, score = 100  (no REX prefix and no absolute address: bitness undetermined)
            //   83f8ff            | cmp eax, -1
            //   89442404          | mov dword ptr [esp + 4], eax
            //   7508              | jne short +0x08
            //   ff15????????      | call dword ptr [????????]
            //   eb29              | jmp short +0x29
            //   8d4c2404          | lea ecx, [esp + 4]

        $sequence_20 = { d9f1 833d????????00 0f859c190000 8d0d90b86e00 ba1b000000 e9???????? }
            // n = 6, score = 100
            //   d9f1              | fyl2x
            //   833d????????00    | cmp dword ptr [????????], 0
            //   0f859c190000      | jne near +0x199c
            //   8d0d90b86e00      | lea ecx, [0x6eb890]
            //   ba1b000000        | mov edx, 0x1b
            //   e9????????        | jmp ????????

        $sequence_21 = { 395c2410 0f8450020000 3bfb 0f8448020000 50 6804010000 }
            // n = 6, score = 100  (no REX prefix and no absolute address: bitness undetermined)
            //   395c2410          | cmp dword ptr [esp + 0x10], ebx
            //   0f8450020000      | je near +0x250
            //   3bfb              | cmp edi, ebx
            //   0f8448020000      | je near +0x248
            //   50                | push eax
            //   6804010000        | push 0x104

        $sequence_22 = { eba2 894ddc c745e0d4ba6e00 e9???????? c745dc03000000 c745e0e0ba6e00 e9???????? }
            // n = 7, score = 100
            //   eba2              | jmp short -0x5e
            //   894ddc            | mov dword ptr [ebp - 0x24], ecx
            //   c745e0d4ba6e00    | mov dword ptr [ebp - 0x20], 0x6ebad4
            //   e9????????        | jmp ????????
            //   c745dc03000000    | mov dword ptr [ebp - 0x24], 3
            //   c745e0e0ba6e00    | mov dword ptr [ebp - 0x20], 0x6ebae0
            //   e9????????        | jmp ????????

        $sequence_23 = { 746a 83e805 7456 83e801 0f859b010000 c745e0d8ba6e00 8b4508 }
            // n = 7, score = 100
            //   746a              | je short +0x6a
            //   83e805            | sub eax, 5
            //   7456              | je short +0x56
            //   83e801            | sub eax, 1
            //   0f859b010000      | jne near +0x19b
            //   c745e0d8ba6e00    | mov dword ptr [ebp - 0x20], 0x6ebad8
            //   8b4508            | mov eax, dword ptr [ebp + 8]

        $sequence_24 = { 746b 56 8d442408 57 50 53 }
            // n = 6, score = 100  (no REX prefix and no absolute address: bitness undetermined)
            //   746b              | je short +0x6b
            //   56                | push esi
            //   8d442408          | lea eax, [esp + 8]
            //   57                | push edi
            //   50                | push eax
            //   53                | push ebx

        $sequence_25 = { 8d4101 f7d8 1bc0 23c1 eb57 53 8b1c85d8887300 }
            // n = 7, score = 100
            //   8d4101            | lea eax, [ecx + 1]
            //   f7d8              | neg eax
            //   1bc0              | sbb eax, eax
            //   23c1              | and eax, ecx
            //   eb57              | jmp short +0x57
            //   53                | push ebx
            //   8b1c85d8887300    | mov ebx, dword ptr [eax*4 + 0x7388d8]

        $sequence_26 = { 57 8975fc e8???????? 99 b90a000000 f7f9 81c618030000 }
            // n = 7, score = 100
            //   57                | push edi
            //   8975fc            | mov dword ptr [ebp - 4], esi
            //   e8????????        | call ????????
            //   99                | cdq
            //   b90a000000        | mov ecx, 0xa
            //   f7f9              | idiv ecx
            //   81c618030000      | add esi, 0x318

        $sequence_27 = { 56 8b048580f17300 33db 8b7508 57 }
            // n = 5, score = 100
            //   56                | push esi
            //   8b048580f17300    | mov eax, dword ptr [eax*4 + 0x73f180]
            //   33db              | xor ebx, ebx
            //   8b7508            | mov esi, dword ptr [ebp + 8]
            //   57                | push edi

        $sequence_28 = { c74048b8e46e00 8b4508 6689486c 8b4508 66898872010000 }
            // n = 5, score = 100
            //   c74048b8e46e00    | mov dword ptr [eax + 0x48], 0x6ee4b8
            //   8b4508            | mov eax, dword ptr [ebp + 8]
            //   6689486c          | mov word ptr [eax + 0x6c], cx
            //   8b4508            | mov eax, dword ptr [ebp + 8]
            //   66898872010000    | mov word ptr [eax + 0x172], cx

        $sequence_29 = { 7603 6a26 58 0fb60c8536977300 0fb6348537977300 8bf9 8985b4f8ffff }
            // n = 7, score = 100
            //   7603              | jbe short +0x03
            //   6a26              | push 0x26
            //   58                | pop eax
            //   0fb60c8536977300  | movzx ecx, byte ptr [eax*4 + 0x739736]
            //   0fb6348537977300  | movzx esi, byte ptr [eax*4 + 0x739737]
            //   8bf9              | mov edi, ecx
            //   8985b4f8ffff      | mov dword ptr [ebp - 0x74c], eax

        $sequence_30 = { 6a26 58 0fb60c8536976e00 0fb6348537976e00 8bf9 8985a4f8ffff c1e702 }
            // n = 7, score = 100  (same code shape as $sequence_29 at a different image base)
            //   6a26              | push 0x26
            //   58                | pop eax
            //   0fb60c8536976e00  | movzx ecx, byte ptr [eax*4 + 0x6e9736]
            //   0fb6348537976e00  | movzx esi, byte ptr [eax*4 + 0x6e9737]
            //   8bf9              | mov edi, ecx
            //   8985a4f8ffff      | mov dword ptr [ebp - 0x75c], eax
            //   c1e702            | shl edi, 2

        $sequence_31 = { c644244239 c644244342 c644244483 c64424458e 88542446 c644244796 }
            // n = 6, score = 100  (no REX prefix and no absolute address: bitness undetermined)
            //   c644244239        | mov byte ptr [esp + 0x42], 0x39
            //   c644244342        | mov byte ptr [esp + 0x43], 0x42
            //   c644244483        | mov byte ptr [esp + 0x44], 0x83
            //   c64424458e        | mov byte ptr [esp + 0x45], 0x8e
            //   88542446          | mov byte ptr [esp + 0x46], dl
            //   c644244796        | mov byte ptr [esp + 0x47], 0x96

        $sequence_32 = { 8b1c9d24726e00 56 6800080000 6a00 53 }
            // n = 5, score = 100
            //   8b1c9d24726e00    | mov ebx, dword ptr [ebx*4 + 0x6e7224]
            //   56                | push esi
            //   6800080000        | push 0x800
            //   6a00              | push 0
            //   53                | push ebx

        $sequence_33 = { 8b9c2484000000 33d3 8b5c247c 33d3 8bdf }
            // n = 5, score = 100  (no REX prefix and no absolute address: bitness undetermined)
            //   8b9c2484000000    | mov ebx, dword ptr [esp + 0x84]
            //   33d3              | xor edx, ebx
            //   8b5c247c          | mov ebx, dword ptr [esp + 0x7c]
            //   33d3              | xor edx, ebx
            //   8bdf              | mov ebx, edi

        $sequence_34 = { e9???????? c745e0f0ba6e00 e9???????? c745e0f8ba6e00 e9???????? }
            // n = 5, score = 100
            //   e9????????        | jmp ????????
            //   c745e0f0ba6e00    | mov dword ptr [ebp - 0x20], 0x6ebaf0
            //   e9????????        | jmp ????????
            //   c745e0f8ba6e00    | mov dword ptr [ebp - 0x20], 0x6ebaf8
            //   e9????????        | jmp ????????

        $sequence_35 = { 7507 c74634047b6e00 57 ff7634 e8???????? 59 }
            // n = 6, score = 100
            //   7507              | jne short +0x07
            //   c74634047b6e00    | mov dword ptr [esi + 0x34], 0x6e7b04
            //   57                | push edi
            //   ff7634            | push dword ptr [esi + 0x34]
            //   e8????????        | call ????????
            //   59                | pop ecx

    condition:
        // Any 7 of the 36 sequences above, in a file smaller than 393216 bytes
        // (384 KiB). The size bound is the generator's choice; note that
        // `filesize` is a file-scan property, so confirm the rule's behaviour
        // before relying on it against process memory or large dumps.
        7 of them and filesize < 393216
}