Actor(s): Pirate Panda
There is no description at this point.
rule win_winsloader_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2022-04-08" version = "1" description = "Detects win.winsloader." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader" malpedia_rule_date = "20220405" malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a" malpedia_version = "20220411" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a00 57 8bd8 ff15???????? 53 e8???????? } // n = 6, score = 200 // 6a00 | push 0 // 57 | push edi // 8bd8 | mov ebx, eax // ff15???????? | // 53 | push ebx // e8???????? | $sequence_1 = { f3a5 83c40c a4 ffd0 5b } // n = 5, score = 200 // f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi] // 83c40c | add esp, 0xc // a4 | movsb byte ptr es:[edi], byte ptr [esi] // ffd0 | call eax // 5b | pop ebx $sequence_2 = { 8bf8 83ffff 742e 6a00 } // n = 4, score = 200 // 8bf8 | mov edi, eax // 83ffff | cmp edi, -1 // 742e | je 0x30 // 6a00 | push 0 $sequence_3 = { 56 e8???????? 83c40c 6a00 8d45d8 50 } // n = 6, score = 200 // 56 | push esi // e8???????? | // 83c40c | add esp, 0xc // 6a00 | push 0 // 8d45d8 | lea eax, dword ptr [ebp - 0x28] // 50 | push eax $sequence_4 = { 51 8d943501fcffff 68???????? 52 } // n = 4, score = 200 // 51 | push ecx // 8d943501fcffff | lea edx, dword ptr [ebp + esi - 0x3ff] // 68???????? | // 52 | push edx $sequence_5 = { 81f901100000 72f0 8bd8 c745fcffffffff } // n = 4, score = 200 // 81f901100000 | cmp ecx, 0x1001 // 72f0 | jb 0xfffffff2 // 8bd8 | mov ebx, eax // c745fcffffffff | mov dword ptr [ebp - 4], 0xffffffff $sequence_6 = { 0fb6f0 8d5601 52 88841dfefbffff 8d841dfffbffff 68???????? 50 } // n = 7, score = 200 // 0fb6f0 | movzx esi, al // 8d5601 | lea edx, dword ptr [esi + 1] // 52 | push edx // 88841dfefbffff | mov byte ptr [ebp + ebx - 0x402], al // 8d841dfffbffff | lea eax, dword ptr [ebp + ebx - 0x401] // 68???????? | // 50 | push eax $sequence_7 = { 83c40c 6800040000 8d8dfcf7ffff 51 } // n = 4, score = 200 // 83c40c | add esp, 0xc // 6800040000 | push 0x400 // 8d8dfcf7ffff | lea ecx, dword ptr [ebp - 0x804] // 51 | push ecx $sequence_8 = { 8bf0 83c404 85f6 750e 57 ff15???????? 33c0 } // n = 7, score = 200 // 8bf0 | mov esi, eax // 83c404 | add esp, 4 // 85f6 | test esi, esi // 750e | jne 0x10 // 57 | push edi // ff15???????? | // 33c0 | xor eax, eax $sequence_9 = { ff15???????? 8b04bdc0c00110 834c0318ff 33c0 eb16 e8???????? } // n = 6, score = 100 // ff15???????? | // 8b04bdc0c00110 | mov eax, dword ptr [edi*4 + 0x1001c0c0] // 834c0318ff | or dword ptr [ebx + eax + 0x18], 0xffffffff // 33c0 | xor eax, eax // eb16 | jmp 0x18 // e8???????? | $sequence_10 = { 6690 8a040b 8d4901 8841ff 83ea01 75f2 } // n = 6, score = 100 // 6690 | nop // 8a040b | mov al, byte ptr [ebx + ecx] // 8d4901 | lea ecx, dword ptr [ecx + 1] // 8841ff | mov byte ptr [ecx - 1], al // 83ea01 | sub edx, 1 // 75f2 | jne 0xfffffff4 $sequence_11 = { 668985e8f3ffff 8b8df8f3ffff 668b95e8f3ffff 6689940dfcfbffff 8b85f8f3ffff } // n = 5, score = 100 // 668985e8f3ffff | mov word ptr [ebp - 0xc18], ax // 8b8df8f3ffff | mov ecx, dword ptr [ebp - 0xc08] // 668b95e8f3ffff | mov dx, word ptr [ebp - 0xc18] // 6689940dfcfbffff | mov word ptr [ebp + ecx - 0x404], dx // 8b85f8f3ffff | mov eax, dword ptr [ebp - 0xc08] $sequence_12 = { 6bf030 03348dc0c00110 837e18ff 740c 837e18fe 7406 } // n = 6, score = 100 // 6bf030 | imul esi, eax, 0x30 // 03348dc0c00110 | add esi, dword ptr [ecx*4 + 0x1001c0c0] // 837e18ff | cmp dword ptr [esi + 0x18], -1 // 740c | je 0xe // 837e18fe | cmp dword ptr [esi + 0x18], -2 // 7406 | je 8 $sequence_13 = { 741c 8b74241c 8bcf 2bf7 } // n = 4, score = 100 // 741c | je 0x1e // 8b74241c | mov esi, dword ptr [esp + 0x1c] // 8bcf | mov ecx, edi // 2bf7 | sub esi, edi $sequence_14 = { 8d0c48 894dfc 80fb08 750f 32db 46 889f10800000 } // n = 7, score = 100 // 8d0c48 | lea ecx, dword ptr [eax + ecx*2] // 894dfc | mov dword ptr [ebp - 4], ecx // 80fb08 | cmp bl, 8 // 750f | jne 0x11 // 32db | xor bl, bl // 46 | inc esi // 889f10800000 | mov byte ptr [edi + 0x8010], bl $sequence_15 = { 8bd6 83e03f c1fa06 6bc830 8b0495c0c00110 f644082801 } // n = 6, score = 100 // 8bd6 | mov edx, esi // 83e03f | and eax, 0x3f // c1fa06 | sar edx, 6 // 6bc830 | imul ecx, eax, 0x30 // 8b0495c0c00110 | mov eax, dword ptr [edx*4 + 0x1001c0c0] // f644082801 | test byte ptr [eax + ecx + 0x28], 1 condition: 7 of them and filesize < 270336 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY