Actor(s): Lazarus Group
There is no description at this point.
rule win_volgmer_auto {
    /*
     * Auto-generated code-sequence signature for win.volgmer (Malpedia).
     *
     * Each $sequence_N is a run of instruction byte patterns; "??" bytes are
     * wildcards covering relocated call/jump targets and absolute data
     * references. "n" is the number of instructions in the sequence and
     * "score" is the value the generator assigned to it; the condition below
     * weights every sequence equally regardless of score.
     *
     * The generator's per-byte disassembly annotations were dropped from this
     * copy because they do not decode the listed bytes (e.g. 48 8b 4d 40 is a
     * REX.W "mov rcx, [rbp+0x40]", not "pop edi"); the hex sequences
     * themselves are unchanged from the published rule.
     *
     * NOTE(review): sequences 0-14 carry REX prefixes (x64 code) while many of
     * 15-36 embed absolute 32-bit addresses (e.g. 80f16e00) — those are
     * presumably build-specific and may not survive a recompiled sample.
     * Per the disclaimer, only single samples may back a family; assign a
     * confidence level accordingly rather than treating a hit as definitive.
     */
    meta:
        author              = "Felix Bilstein - yara-signator at cocacoding dot com"
        date                = "2023-12-06"
        version             = "1"
        description         = "Detects win.volgmer."
        info                = "autogenerated rule brought to you by yara-signator"
        tool                = "yara-signator v0.6.0"
        signator_config     = "callsandjumps;datarefs;binvalue"
        malpedia_reference  = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
        malpedia_rule_date  = "20231130"
        malpedia_hash       = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version    = "20230808"
        malpedia_license    = "CC BY-SA 4.0"
        malpedia_sharing    = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // score = 300
        $sequence_0  = { 488b4d40 4833cc e8???????? 4c8d9c2450010000 498b5b18 498b7b20 498be3 }                          // n = 7
        $sequence_1  = { 48897c2418 55 488d6c24b0 4881ec50010000 488b05???????? 4833c4 48894540 }                        // n = 7

        // score = 200
        $sequence_2  = { e8???????? 488b4dc3 41890424 e8???????? }                                                        // n = 4
        $sequence_3  = { d1c6 c1c105 03c6 89742404 03c3 }                                                                 // n = 5
        $sequence_4  = { ff15???????? 4885c0 740f 488b4018 488b08 8b01 8905???????? }                                    // n = 7
        $sequence_5  = { 8b45b0 488d8dc00f0000 4533c9 4889742430 89442428 ba00000080 c744242003000000 }                  // n = 7
        $sequence_6  = { e8???????? 488bd8 eb03 488bdf 488d056efeffff }                                                   // n = 5
        $sequence_7  = { 75e9 488d8d90140000 48ffc9 40387101 488d4901 75f6 4c8b45a0 }                                    // n = 7
        $sequence_8  = { c6843de011000000 488d8de0110000 e8???????? 488b4c2440 488d95e0110000 ff15???????? 0fb63d???????? } // n = 7
        $sequence_9  = { 488d4d60 41b808040000 8bf8 e8???????? ba32d00200 b940000000 ff55e0 }                            // n = 7
        $sequence_10 = { e8???????? 488d8dd2050000 33d2 41b806020000 6689bdd0050000 e8???????? }                         // n = 6
        $sequence_11 = { ff15???????? 85c0 7507 b800000100 eb26 }                                                         // n = 5
        $sequence_12 = { e8???????? e8???????? e8???????? e8???????? c705????????04000000 }                               // n = 5
        $sequence_13 = { e8???????? 85c0 7466 33d2 488d8c24e4000000 41b804040000 e8???????? }                            // n = 7
        $sequence_14 = { 8bd6 c68435000a000000 488d8d000a0000 e8???????? 488d95000a0000 498bce ff15???????? }            // n = 7

        // score = 100
        $sequence_15 = { eb17 894638 eb0e c74634047b7300 c7463806000000 }                                                 // n = 5
        $sequence_16 = { 8a07 8b0c9580f16e00 8844192e 8b049580f16e00 804c182d04 }                                        // n = 5
        $sequence_17 = { 8b4504 8b4d0c 6a00 52 }                                                                          // n = 4
        $sequence_18 = { 8b048dd4926d00 ffe0 f7c703000000 7413 8a06 8807 }                                               // n = 6
        $sequence_19 = { e9???????? c745dc02000000 c745e0e4ba7300 8b4508 8bcf }                                          // n = 5
        $sequence_20 = { 83c408 85f6 0f84b7010000 8bce 8d85d0fdffff }                                                     // n = 5
        $sequence_21 = { 03048d80f16e00 50 ff15???????? 5d c3 8bff }                                                      // n = 6
        $sequence_22 = { 50 68???????? ff7708 ff95e4f3ffff 817f1400008000 89470c 751c }                                  // n = 7
        $sequence_23 = { 5f 5e c684101803000000 5b }                                                                      // n = 4
        $sequence_24 = { 8a4c2428 8d442428 3acb 741a }                                                                    // n = 4
        $sequence_25 = { 40 c745ecb8996d00 894df8 8945fc 64a100000000 8945e8 8d45e8 }                                    // n = 7
        $sequence_26 = { 50 52 56 6a00 68e9fd0000 ff95e8f3ffff ff7714 }                                                  // n = 7
        $sequence_27 = { 50 51 53 53 6800000008 }                                                                         // n = 5
        $sequence_28 = { ff15???????? 8d442408 50 ff15???????? 85c0 5f 740c }                                            // n = 7
        $sequence_29 = { ba???????? 2bd1 668b0c02 6685c9 }                                                                // n = 4
        $sequence_30 = { c745dc03000000 c745e0e0ba6e00 e9???????? 83e80f 7451 }                                          // n = 5
        $sequence_31 = { 33d2 05d9e7ffff 56 83f815 0f8711010000 ff2485786b6d00 51 }                                      // n = 7
        $sequence_32 = { 8a01 41 84c0 75f9 6a00 2bca 8d85d0f5ffff }                                                      // n = 7
        $sequence_33 = { 8d0d90b87300 ba1b000000 e9???????? a900000080 7517 ebd4 a9ffff0f00 }                            // n = 7
        $sequence_34 = { e9???????? 894ddc c745e0d8ba6e00 e9???????? c745e0d4ba6e00 eba2 894ddc }                        // n = 7
        $sequence_35 = { 8b4de8 8b048580f16e00 f644082840 7409 }                                                          // n = 4
        $sequence_36 = { 396c2434 750b 396c2430 7505 }                                                                    // n = 4

    condition:
        // Any 7 of the 37 sequences, bounded to files under 384 KiB so the
        // wildcard-heavy patterns are not scanned against large unrelated data.
        7 of them and filesize < 393216
}