There is no description at this point.
rule win_zeus_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2018-11-23" version = "1" description = "autogenerated rule brought to you by yara-signator" tool = "yara-signator 0.1a" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus" malpedia_version = "20180607" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using yara-signator. * The code and documentation / approach will be published in the near future here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 83f8ff 0f8484000000 53 6a30 } // n = 4, score = 2000 // 83f8ff | cmp eax, 0xff // 0f8484000000 | je 0x411879 // 53 | push ebx // 6a30 | push 0x30 $sequence_1 = { 8975f8 e8a4ffffff 83f81e 0f82f4000000 } // n = 4, score = 2000 // 8975f8 | mov dword ptr [ebp - 8], esi // e8a4ffffff | call 0x40e028 // 83f81e | cmp eax, 0x1e // 0f82f4000000 | jb 0x40e181 $sequence_2 = { 57 6a25 57 ff15c8124000 } // n = 4, score = 2000 // 57 | push edi // 6a25 | push 0x25 // 57 | push edi // ff15c8124000 | call dword ptr [0x4012c8] $sequence_3 = { 85c0 0f84d9000000 6a23 6a90 } // n = 4, score = 2000 // 85c0 | test eax, eax // 0f84d9000000 | je 0x40e181 // 6a23 | push 0x23 // 6a90 | push -0x70 $sequence_4 = { 85c0 0f85c0010000 6a7d 8d742460 } // n = 4, score = 2000 // 85c0 | test eax, eax // 0f85c0010000 | jne 0x407dbc // 6a7d | push 0x7d // 8d742460 | lea esi, dword ptr [esp + 0x60] $sequence_5 = { 8bf0 e821080000 8bf8 8d5fff } // n = 4, score = 2000 // 8bf0 | mov esi, eax // e821080000 | call 0x40a363 // 8bf8 | mov edi, eax // 8d5fff | lea ebx, dword ptr [edi - 1] $sequence_6 = { 3d02010000 754d 8d442410 50 } // n = 4, score = 2000 // 3d02010000 | cmp eax, 0x102 // 754d | jne 0x412af7 // 8d442410 | lea eax, dword ptr [esp + 0x10] // 50 | push eax $sequence_7 = { 8bcf e853060000 85c0 7e62 } // n = 4, score = 2000 // 8bcf | mov ecx, edi // e853060000 | call 0x40a363 // 85c0 | test eax, eax // 7e62 | jle 0x409d76 $sequence_8 = { e821080000 8bf8 8d5fff b800020000 } // n = 4, score = 2000 // e821080000 | call 0x40a363 // 8bf8 | mov edi, eax // 8d5fff | lea ebx, dword ptr [edi - 1] // b800020000 | mov eax, 0x200 $sequence_9 = { e818e7ffff 8b4d0c 895598 895da0 } // n = 4, score = 2000 // e818e7ffff | call 0x4098d9 // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] // 895598 | mov dword ptr [ebp - 0x68], edx // 895da0 | mov dword ptr [ebp - 0x60], ebx condition: 7 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Your suggestion will be reviewed before being published. Thank you for contributing!