There is no description at this point.
/*
 * win_zitmo_auto — autogenerated YARA rule for the win.zitmo family.
 *
 * Every $sequence_N string below is a short run of x86 opcode bytes (with
 * call-target offsets wildcarded as e8????????) that YARA-Signator picked out
 * of the disassembly of unpacked files and memory dumps, so the patterns are
 * expected to match the unpacked code rather than a packed on-disk layer.
 * The disassembly listing next to each string documents what the bytes encode;
 * the trailing "n" is the number of instructions in the sequence and "score"
 * is the selection score reported by the generator.
 */
rule win_zitmo_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.zitmo."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * DISCLAIMER
     * The strings in this rule were selected automatically from the
     * disassembly of memory dumps and unpacked files by YARA-Signator;
     * code and documentation live at
     * https://github.com/fxb-cocacoding/yara-signator
     * Malpedia is the data source, and for a number of families only a
     * single sample is documented, which likely limits how well these
     * rules generalize. Keep the generation method in mind when deploying
     * the rule and assigning it a confidence level.
     */
    strings:
        // n = 7, score = 200
        //   03d7         | add edx, edi
        //   8bde         | mov ebx, esi
        //   f7de         | neg esi
        //   ffb544feffff | push dword ptr [ebp - 0x1bc]
        //   53           | push ebx
        //   e8????????   | (call, target wildcarded)
        //   c9           | leave
        $sequence_0 = { 03d7 8bde f7de ffb544feffff 53 e8???????? c9 }

        // n = 6, score = 200
        //   55           | push ebp
        //   8bec         | mov ebp, esp
        //   81c47cffffff | add esp, 0xffffff7c
        //   317588       | xor dword ptr [ebp - 0x78], esi
        //   f7d7         | not edi
        //   f7df         | neg edi
        $sequence_1 = { 55 8bec 81c47cffffff 317588 f7d7 f7df }

        // n = 4, score = 200
        //   23d0         | and edx, eax
        //   f7d9         | neg ecx
        //   8bd6         | mov edx, esi
        //   23d8         | and ebx, eax
        $sequence_2 = { 23d0 f7d9 8bd6 23d8 }

        // n = 4, score = 200
        //   c20400       | ret 4
        //   55           | push ebp
        //   8bec         | mov ebp, esp
        //   81c410ffffff | add esp, 0xffffff10
        $sequence_3 = { c20400 55 8bec 81c410ffffff }

        // n = 6, score = 200
        //   55           | push ebp
        //   8bec         | mov ebp, esp
        //   81c45cffffff | add esp, 0xffffff5c
        //   23cb         | and ecx, ebx
        //   8bd6         | mov edx, esi
        //   f7d2         | not edx
        $sequence_4 = { 55 8bec 81c45cffffff 23cb 8bd6 f7d2 }

        // n = 6, score = 200
        //   314dd8       | xor dword ptr [ebp - 0x28], ecx
        //   f7d9         | neg ecx
        //   48           | dec eax
        //   f7d2         | not edx
        //   03c1         | add eax, ecx
        //   ffb504ffffff | push dword ptr [ebp - 0xfc]
        $sequence_5 = { 314dd8 f7d9 48 f7d2 03c1 ffb504ffffff }

        // n = 5, score = 200
        //   4a           | dec edx
        //   f7d9         | neg ecx
        //   23c6         | and eax, esi
        //   8bcb         | mov ecx, ebx
        //   46           | inc esi
        $sequence_6 = { 4a f7d9 23c6 8bcb 46 }

        // n = 6, score = 200
        //   4f           | dec edi
        //   e8????????   | (call, target wildcarded)
        //   8bca         | mov ecx, edx
        //   03f7         | add esi, edi
        //   e8????????   | (call, target wildcarded)
        //   23d7         | and edx, edi
        $sequence_7 = { 4f e8???????? 8bca 03f7 e8???????? 23d7 }

        // n = 4, score = 200
        //   81856cffffff36360000 | add dword ptr [ebp - 0x94], 0x3636
        //   03df                 | add ebx, edi
        //   f7d1                 | not ecx
        //   8bf8                 | mov edi, eax
        $sequence_8 = { 81856cffffff36360000 03df f7d1 8bf8 }

        // n = 7, score = 200
        //   6a36         | push 0x36
        //   6a36         | push 0x36
        //   51           | push ecx
        //   ffb550feffff | push dword ptr [ebp - 0x1b0]
        //   6834340000   | push 0x3434
        //   57           | push edi
        //   8d4d88       | lea ecx, [ebp - 0x78]
        $sequence_9 = { 6a36 6a36 51 ffb550feffff 6834340000 57 8d4d88 }

    condition:
        // At least 7 of the 10 code sequences must be present. The size bound
        // (824KB == 843776 bytes) is the generator's output; it is a hard cap
        // that is only meaningful when scanning files, so confirm it still fits
        // the artefacts you scan before relying on it.
        7 of ($sequence_*) and filesize < 824KB
}