Actor(s): Lazarus Group
No description is available at this point.
// Auto-generated (yara-signator) code-sequence rule for win.volgmer; the page lists
// the actor as Lazarus Group. Matching is driven solely by the hex byte strings below;
// everything after `//` is annotation and is ignored by YARA.
rule win_volgmer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.volgmer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review):
     * - The per-line disassembly annotations do not consistently correspond to the
     *   opcode bytes printed beside them (compare $sequence_26, where `50 | push eax`
     *   and `6a00 | push 0` line up, with $sequence_0, where `488b4d40` is annotated
     *   `dec esp` although the byte string starts with 48, not 4c). Treat the
     *   annotations as informational only and verify against a disassembler before
     *   relying on them for analysis.
     * - `??` wildcard bytes mask the operands of calls/jumps and data references
     *   (cf. signator_config), so relocation-dependent addresses and relative targets
     *   do not affect matching.
     * - `n` is the number of instructions in a sequence; `score` is the generator's
     *   own weighting and has no effect on YARA evaluation.
     */

    strings:
        $sequence_0 = { 488b4d40 4833cc e8???????? 4c8d9c2450010000 498b5b18 498b7b20 498be3 }
            // n = 7, score = 300
            //   488b4d40             | dec                 esp
            //   4833cc               | mov                 dword ptr [esp + 0x518], esp
            //   e8????????           |
            //   4c8d9c2450010000     | dec                 eax
            //   498b5b18             | lea                 ecx, [ebp + 0x2f0]
            //   498b7b20             | dec                 esp
            //   498be3               | mov                 dword ptr [esp + 0x510], edi

        $sequence_1 = { 48897c2418 55 488d6c24b0 4881ec50010000 488b05???????? 4833c4 }
            // n = 6, score = 300
            //   48897c2418           | xor                 ebx, ebx
            //   55                   | dec                 eax
            //   488d6c24b0           | lea                 eax, [esp + 0x40]
            //   4881ec50010000       | dec                 esp
            //   488b05????????       |
            //   4833c4               | mov                 dword ptr [esp + 0x38], ebx

        $sequence_2 = { e8???????? 8905???????? 85c0 7543 488b7c2440 }
            // n = 5, score = 200
            //   e8????????           |
            //   8905????????         |
            //   85c0                 | dec                 eax
            //   7543                 | mov                 dword ptr [esp + 0x38], ebx
            //   488b7c2440           | dec                 eax

        $sequence_3 = { ff15???????? 448b4c2440 48895c2438 488d442448 }
            // n = 4, score = 200
            //   ff15????????         |
            //   448b4c2440           | mov                 dword ptr [esp + 0x558], esi
            //   48895c2438           | dec                 esp
            //   488d442448           | mov                 dword ptr [esp + 0x518], esp

        $sequence_4 = { 024c1420 0fb6c1 0fb64c0420 304bff 4983ea01 75a9 488b4d40 }
            // n = 7, score = 200
            //   024c1420             | mov                 dword ptr [ebp - 0x20], 0x6ebae0
            //   0fb6c1               | sub                 eax, 0xf
            //   0fb64c0420           | je                  0x5d
            //   304bff               | mov                 edx, edi
            //   4983ea01             | sar                 edx, 6
            //   75a9                 | mov                 eax, edi
            //   488b4d40             | and                 eax, 0x3f

        $sequence_5 = { e9???????? 4889b42458050000 4c89a42418050000 488d8df0020000 }
            // n = 4, score = 200
            //   e9????????           |
            //   4889b42458050000     | lea                 ecx, [esp + 0x40]
            //   4c89a42418050000     | inc                 ecx
            //   488d8df0020000       | mov                 eax, 0x208

        $sequence_6 = { e9???????? 48899c2498020000 488b5908 33d2 488d4c2440 41b808020000 4183f902 }
            // n = 7, score = 200
            //   e9????????           |
            //   48899c2498020000     | dec                 eax
            //   488b5908             | mov                 dword ptr [esp + 0x298], ebx
            //   33d2                 | dec                 eax
            //   488d4c2440           | mov                 ebx, dword ptr [ecx + 8]
            //   41b808020000         | xor                 edx, edx
            //   4183f902             | dec                 eax

        $sequence_7 = { 488d8d70040000 488bf3 482bf1 0f1f4000 66660f1f840000000000 448b45d8 }
            // n = 6, score = 200
            //   488d8d70040000       | mov                 ecx, ebx
            //   488bf3               | jmp                 0xffffffc8
            //   482bf1               | mov                 dword ptr [ebp - 0x20], 0x6ebae8
            //   0f1f4000             | mov                 dword ptr [ebp - 0x20], 0x6ebaf0
            //   66660f1f840000000000 | mov                 dword ptr [ebp - 0x20], 0x6ebaf8
            //   448b45d8             | and                 esi, 0x3f

        $sequence_8 = { eb50 e8???????? 4533db 488d442440 }
            // n = 4, score = 200
            //   eb50                 | dec                 eax
            //   e8????????           |
            //   4533db               | mov                 dword ptr [esp + 0x38], ebx
            //   488d442440           | dec                 eax

        $sequence_9 = { d1c6 c1c105 03c6 89742404 03c3 }
            // n = 5, score = 200
            //   d1c6                 | jmp                 0x52
            //   c1c105               | inc                 ebp
            //   03c6                 | xor                 ebx, ebx
            //   89742404             | dec                 eax
            //   03c3                 | lea                 eax, [esp + 0x40]

        $sequence_10 = { 90 807c100100 488d5201 75f5 8d4201 668903 }
            // n = 6, score = 200
            //   90                   | mov                 ecx, edi
            //   807c100100           | dec                 eax
            //   488d5201             | lea                 edx, [esp + 0x40]
            //   75f5                 | dec                 esp
            //   8d4201               | mov                 eax, esi
            //   668903               | dec                 eax

        $sequence_11 = { 772f b92c010000 ff15???????? 498b4d18 4c8bce 4c897c2430 }
            // n = 6, score = 200
            //   772f                 | lock xadd           dword ptr [eax], ebx
            //   b92c010000           | dec                 ebx
            //   ff15????????         |
            //   498b4d18             | jne                 0x1f
            //   4c8bce               | mov                 eax, dword ptr [ebp - 4]
            //   4c897c2430           | cmp                 dword ptr [eax + 0x48], 0x6ee4b8

        $sequence_12 = { e8???????? e8???????? e8???????? c705????????04000000 }
            // n = 4, score = 200
            //   e8????????           |
            //   e8????????           |
            //   e8????????           |
            //   c705????????04000000 |

        $sequence_13 = { 7320 85ff 7e1c 8b742440 4533c9 e9???????? }
            // n = 6, score = 200
            //   7320                 | sar                 ecx, 6
            //   85ff                 | imul                esi, esi, 0x30
            //   7e1c                 | mov                 ecx, dword ptr [ecx*4 + 0x6ef180]
            //   8b742440             | and                 byte ptr [ecx + esi + 0x28], 0xfd
            //   4533c9               | mov                 eax, dword ptr [eax + 0x48]
            //   e9????????           |

        $sequence_14 = { 488d8d30110000 e8???????? 8bd7 c6843d3011000000 488d8d30110000 }
            // n = 5, score = 200
            //   488d8d30110000       | imul                ecx, eax, 0x30
            //   e8????????           |
            //   8bd7                 | mov                 eax, dword ptr [edx*4 + 0x6ef180]
            //   c6843d3011000000     | test                byte ptr [eax + ecx + 0x28], 1
            //   488d8d30110000       | jne                 0x1936

        $sequence_15 = { 3c9f 3da43dab3d b13d cd3d }
            // n = 4, score = 100
            //   3c9f                 | sub                 esp, 0x150
            //   3da43dab3d           | dec                 eax
            //   b13d                 | mov                 dword ptr [esp + 0x18], edi
            //   cd3d                 | push                ebp

        $sequence_16 = { ff7508 8d83200c0000 50 e8???????? 33db }
            // n = 5, score = 100
            //   ff7508               | dec                 eax
            //   8d83200c0000         | mov                 dword ptr [esp + 0x18], edi
            //   50                   | push                ebp
            //   e8????????           |
            //   33db                 | dec                 eax

        $sequence_17 = { 6888210000 50 8d856cdaffff 50 8d8b200c0000 }
            // n = 5, score = 100
            //   6888210000           | lea                 ebp, [esp - 0x50]
            //   50                   | dec                 eax
            //   8d856cdaffff         | sub                 esp, 0x150
            //   50                   | dec                 eax
            //   8d8b200c0000         | xor                 eax, esp

        $sequence_18 = { 83e63f c1f906 6bf630 8b0c8d80f16e00 80643128fd }
            // n = 5, score = 100
            //   83e63f               | add                 eax, ebx
            //   c1f906               | mov                 ebx, dword ptr [esp + 0xa8]
            //   6bf630               | inc                 ecx
            //   8b0c8d80f16e00       | mov                 dword ptr [esp + 8], eax
            //   80643128fd           | dec                 ebp

        $sequence_19 = { 397310 b850000000 b9bb010000 0f45c1 89831c0c0000 eb15 }
            // n = 6, score = 100
            //   397310               | dec                 eax
            //   b850000000           | lea                 ebp, [esp - 0x50]
            //   b9bb010000           | dec                 eax
            //   0f45c1               | sub                 esp, 0x150
            //   89831c0c0000         | dec                 eax
            //   eb15                 | mov                 dword ptr [esp + 0x10], ebx

        $sequence_20 = { 8bd7 c1fa06 8bc7 83e03f 6bc830 8b049580f16e00 f644082801 }
            // n = 7, score = 100
            //   8bd7                 | dec                 eax
            //   c1fa06               | xor                 eax, esp
            //   8bc7                 | dec                 eax
            //   83e03f               | mov                 dword ptr [esp + 0x18], edi
            //   6bc830               | push                ebp
            //   8b049580f16e00       | dec                 eax
            //   f644082801           | lea                 ebp, [esp - 0x50]

        $sequence_21 = { 8b4048 f00fc118 4b 7515 8b45fc 817848b8e46e00 }
            // n = 6, score = 100
            //   8b4048               | test                edi, edi
            //   f00fc118             | je                  0x2a
            //   4b                   | dec                 eax
            //   7515                 | mov                 dword ptr [esp + 0x18], edi
            //   8b45fc               | push                ebp
            //   817848b8e46e00       | dec                 eax

        $sequence_22 = { 8bd6 8bd8 899df0f3ffff 8d4201 0f1f00 8a0a }
            // n = 6, score = 100
            //   8bd6                 | dec                 eax
            //   8bd8                 | xor                 ecx, esp
            //   899df0f3ffff         | dec                 esp
            //   8d4201               | lea                 ebx, [esp + 0x150]
            //   0f1f00               | dec                 ecx
            //   8a0a                 | mov                 ebx, dword ptr [ebx + 0x18]

        $sequence_23 = { ebc6 c745e0e8ba6e00 e9???????? c745e0f0ba6e00 e9???????? c745e0f8ba6e00 e9???????? }
            // n = 7, score = 100
            //   ebc6                 | rol                 esi, 1
            //   c745e0e8ba6e00       | rol                 ecx, 5
            //   e9????????           |
            //   c745e0f0ba6e00       | add                 eax, esi
            //   e9????????           |
            //   c745e0f8ba6e00       | mov                 dword ptr [esp + 4], esi
            //   e9????????           |

        $sequence_24 = { 0f8530190000 8d0d90b86e00 ba1b000000 e8???????? }
            // n = 4, score = 100
            //   0f8530190000         | dec                 eax
            //   8d0d90b86e00         | sub                 esp, 0x150
            //   ba1b000000           | dec                 eax
            //   e8????????           |

        $sequence_25 = { 837e0c00 8bf8 0f84f7030000 8d8618030000 50 }
            // n = 5, score = 100
            //   837e0c00             | dec                 ecx
            //   8bf8                 | mov                 edi, dword ptr [ebx + 0x20]
            //   0f84f7030000         | dec                 ecx
            //   8d8618030000         | mov                 esp, ebx
            //   50                   | nop

        $sequence_26 = { 50 e8???????? 6a00 6a00 8d8c2484000000 6a32 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d8c2484000000       | lea                 ecx, [esp + 0x84]
            //   6a32                 | push                0x32

        $sequence_27 = { c6442425b8 c64424267c c64424278d c6442429c1 c644242bff c644242c99 c644242d21 }
            // n = 7, score = 100
            //   c6442425b8           | mov                 byte ptr [esp + 0x25], 0xb8
            //   c64424267c           | mov                 byte ptr [esp + 0x26], 0x7c
            //   c64424278d           | mov                 byte ptr [esp + 0x27], 0x8d
            //   c6442429c1           | mov                 byte ptr [esp + 0x29], 0xc1
            //   c644242bff           | mov                 byte ptr [esp + 0x2b], 0xff
            //   c644242c99           | mov                 byte ptr [esp + 0x2c], 0x99
            //   c644242d21           | mov                 byte ptr [esp + 0x2d], 0x21

        $sequence_28 = { 8bfb be1e000000 f3ab 8b4c2454 8d431c 894b04 }
            // n = 6, score = 100
            //   8bfb                 | mov                 edi, ebx
            //   be1e000000           | mov                 esi, 0x1e
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b4c2454             | mov                 ecx, dword ptr [esp + 0x54]
            //   8d431c               | lea                 eax, [ebx + 0x1c]
            //   894b04               | mov                 dword ptr [ebx + 4], ecx

        $sequence_29 = { eb7c c745e0e0ba6e00 ebbb d9e8 8b4510 dd18 }
            // n = 6, score = 100
            //   eb7c                 | xor                 eax, esp
            //   c745e0e0ba6e00       | dec                 eax
            //   ebbb                 | mov                 dword ptr [ebp + 0x40], eax
            //   d9e8                 | dec                 eax
            //   8b4510               | mov                 dword ptr [esp + 0x18], edi
            //   dd18                 | push                ebp

        $sequence_30 = { 8d3c85c8f47300 8b0f 85c9 740b 8d4101 f7d8 }
            // n = 6, score = 100
            //   8d3c85c8f47300       | dec                 eax
            //   8b0f                 | lea                 ebp, [esp - 0x50]
            //   85c9                 | dec                 eax
            //   740b                 | sub                 esp, 0x150
            //   8d4101               | dec                 eax
            //   f7d8                 | mov                 ecx, dword ptr [ebp + 0x40]

        $sequence_31 = { 50 03fb 897c2420 e8???????? 8b0d???????? 83c410 a3???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   03fb                 | add                 edi, ebx
            //   897c2420             | mov                 dword ptr [esp + 0x20], edi
            //   e8????????           |
            //   8b0d????????         |
            //   83c410               | add                 esp, 0x10
            //   a3????????           |

        $sequence_32 = { 50 8b85a4f8ffff 0fb7048534976e00 8d0485308e6e00 50 8d8590faffff }
            // n = 6, score = 100
            //   50                   | dec                 eax
            //   8b85a4f8ffff         | lea                 ebp, [esp - 0x50]
            //   0fb7048534976e00     | dec                 eax
            //   8d0485308e6e00       | sub                 esp, 0x150
            //   50                   | dec                 eax
            //   8d8590faffff         | mov                 dword ptr [esp + 0x10], ebx

        $sequence_33 = { 59 83cfff 897de4 8365fc00 8b049d80f17300 }
            // n = 5, score = 100
            //   59                   | dec                 eax
            //   83cfff               | mov                 dword ptr [esp + 0x10], ebx
            //   897de4               | dec                 eax
            //   8365fc00             | mov                 dword ptr [esp + 0x18], edi
            //   8b049d80f17300       | push                ebp

        $sequence_34 = { 3bf5 7554 8b742414 6aff 56 }
            // n = 5, score = 100
            //   3bf5                 | cmp                 esi, ebp
            //   7554                 | jne                 0x56
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   6aff                 | push                -1
            //   56                   | push                esi

        $sequence_35 = { c745e0e0ba6e00 e9???????? 83e80f 7451 }
            // n = 4, score = 100
            //   c745e0e0ba6e00       | lea                 ebp, [esp - 0x50]
            //   e9????????           |
            //   83e80f               | dec                 eax
            //   7451                 | sub                 esp, 0x150

        $sequence_36 = { 7448 8d8c2488040000 8d542460 51 52 e8???????? 83c408 }
            // n = 7, score = 100
            //   7448                 | je                  0x4a
            //   8d8c2488040000       | lea                 ecx, [esp + 0x488]
            //   8d542460             | lea                 edx, [esp + 0x60]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   e8????????           |
            //   83c408               | add                 esp, 8

    condition:
        // Any 7 of the 37 sequences above must be present. The size cap (393216 bytes,
        // i.e. 384 KiB) keeps the rule focused on small unpacked/dumped samples, as the
        // disclaimer describes the data source; a larger file (or one that embeds this
        // code inside something bigger) is not matched even if the sequences are present,
        // so adjust or drop the cap when scanning such artifacts.
        7 of them and filesize < 393216
}