【Yara Rule】
rule win_emotet_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        // NOTE(review): reference points at win.geodo while the rule name and the
        // Malpedia page this rule was published on use win.emotet (Geodo is an
        // alias of Emotet). Harmless for matching, but confusing for triage.
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.geodo"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (not part of the generated rule)
     *
     * What the rule is: 84 raw x86 byte sequences ($sequence_0 .. $sequence_83)
     * mined from Emotet disassembly. The "n" / "score" values in the trailing
     * comments are yara-signator ranking metadata only; YARA itself gives every
     * string equal weight in the condition "7 of them".
     *
     * Scope: the condition has no PE-header (uint16(0) == 0x5a4d) or filesize
     * guard, so the rule runs over any input. That is intended for unpacked
     * files and memory dumps, but it also means every scanned buffer pays the
     * full 84-pattern search.
     *
     * Threshold weakness: many strings are exact duplicates or sub-sequences of
     * another string, so one hit can count several times towards "7 of them":
     *   - $sequence_1, _2, _3, _4, _5, _6, _7 are all copies or substrings of
     *     $sequence_0. A single occurrence of the 9-byte $sequence_0 pattern
     *     therefore satisfies 8 strings and fires the rule on its own.
     *   - exact duplicates: _1==_0, _6==_2, _7==_4, _9==_13==_8,
     *     _11==_12==_10, _17==_15, _18==_16, _19==_14, _25==_22, _27==_23,
     *     _44==_43.
     * The $sequence_0 fragment (cmp eax,0x7f / jbe / shr eax,7 / inc ecx /
     * cmp eax,0x7f / ja) looks like a generic 7-bits-per-byte length loop
     * (varint/LEB128 style, common in protobuf-linked code), so this is a
     * plausible false-positive path on unrelated binaries. Suggested
     * remediation when re-generating or hand-tuning: drop exact duplicates
     * and require hits from more than one sequence family (e.g. group the
     * strings by origin and use "N of ($group_a_*) and M of ($group_b_*)").
     * The rule body below is left as published; only comments were added.
     *
     * Low-score sequences 72 and 82 contain bytes 0x48/0x4c immediately before
     * a mov; if those samples were 64-bit code these are REX prefixes and the
     * 32-bit decode shown ("dec esp"/"dec eax") is misleading -- confirm.
     */

    strings:
        // --- family A (score 1500): 7-bit shift/compare loop; 1..7 are copies
        // or substrings of 0 (see review notes above) -------------------------
        $sequence_0 = { 83f87f 76?? c1e807 41 83f87f 77?? } // n = 6, score = 1500
            // 83f87f | cmp eax, 0x7f
            // 76?? | jbe short
            // c1e807 | shr eax, 7
            // 41 | inc ecx
            // 83f87f | cmp eax, 0x7f
            // 77?? | ja short
        $sequence_1 = { 83f87f 76?? c1e807 41 83f87f 77?? } // n = 6, score = 1500
            // 83f87f | cmp eax, 0x7f
            // 76?? | jbe short
            // c1e807 | shr eax, 7
            // 41 | inc ecx
            // 83f87f | cmp eax, 0x7f
            // 77?? | ja short
        $sequence_2 = { 83f87f 76?? c1e807 41 } // n = 4, score = 1500
            // 83f87f | cmp eax, 0x7f
            // 76?? | jbe short
            // c1e807 | shr eax, 7
            // 41 | inc ecx
        $sequence_3 = { 76?? c1e807 41 83f87f } // n = 4, score = 1500
            // 76?? | jbe short
            // c1e807 | shr eax, 7
            // 41 | inc ecx
            // 83f87f | cmp eax, 0x7f
        $sequence_4 = { 76?? c1e807 41 83f87f 77?? } // n = 5, score = 1500
            // 76?? | jbe short
            // c1e807 | shr eax, 7
            // 41 | inc ecx
            // 83f87f | cmp eax, 0x7f
            // 77?? | ja short
        $sequence_5 = { 83f87f 76?? c1e807 41 83f87f } // n = 5, score = 1500
            // 83f87f | cmp eax, 0x7f
            // 76?? | jbe short
            // c1e807 | shr eax, 7
            // 41 | inc ecx
            // 83f87f | cmp eax, 0x7f
        $sequence_6 = { 83f87f 76?? c1e807 41 } // n = 4, score = 1500
            // 83f87f | cmp eax, 0x7f
            // 76?? | jbe short
            // c1e807 | shr eax, 7
            // 41 | inc ecx
        $sequence_7 = { 76?? c1e807 41 83f87f 77?? } // n = 5, score = 1500
            // 76?? | jbe short
            // c1e807 | shr eax, 7
            // 41 | inc ecx
            // 83f87f | cmp eax, 0x7f
            // 77?? | ja short

        // --- family B (score 1300): 6-bit masking after a word store; looks
        // like an encoder splitting a value into 6-bit groups -- confirm. 8..13
        // are two distinct patterns, each repeated three times. -----------------
        $sequence_8 = { 66894604 8bc1 83e03f c1e906 83e13f } // n = 5, score = 1300
            // 66894604 | mov word ptr [esi + 4], ax
            // 8bc1 | mov eax, ecx
            // 83e03f | and eax, 0x3f
            // c1e906 | shr ecx, 6
            // 83e13f | and ecx, 0x3f
        $sequence_9 = { 66894604 8bc1 83e03f c1e906 83e13f } // n = 5, score = 1300
            // 66894604 | mov word ptr [esi + 4], ax
            // 8bc1 | mov eax, ecx
            // 83e03f | and eax, 0x3f
            // c1e906 | shr ecx, 6
            // 83e13f | and ecx, 0x3f
        $sequence_10 = { 66894604 8bc1 83e03f c1e906 } // n = 4, score = 1300
            // 66894604 | mov word ptr [esi + 4], ax
            // 8bc1 | mov eax, ecx
            // 83e03f | and eax, 0x3f
            // c1e906 | shr ecx, 6
        $sequence_11 = { 66894604 8bc1 83e03f c1e906 } // n = 4, score = 1300
            // 66894604 | mov word ptr [esi + 4], ax
            // 8bc1 | mov eax, ecx
            // 83e03f | and eax, 0x3f
            // c1e906 | shr ecx, 6
        $sequence_12 = { 66894604 8bc1 83e03f c1e906 } // n = 4, score = 1300
            // 66894604 | mov word ptr [esi + 4], ax
            // 8bc1 | mov eax, ecx
            // 83e03f | and eax, 0x3f
            // c1e906 | shr ecx, 6
        $sequence_13 = { 66894604 8bc1 83e03f c1e906 83e13f } // n = 5, score = 1300
            // 66894604 | mov word ptr [esi + 4], ax
            // 8bc1 | mov eax, ecx
            // 83e03f | and eax, 0x3f
            // c1e906 | shr ecx, 6
            // 83e13f | and ecx, 0x3f

        // --- family C (score 1200): allocation of a (2*edi + 8)-byte buffer via
        // two imported calls; the "push 8" before the first call is consistent
        // with a flags argument such as HEAP_ZERO_MEMORY -- confirm against
        // the resolved import. 14..19 are three patterns, each twice. ---------
        $sequence_14 = { 8d047d08000000 50 6a08 ff15???????? 50 } // n = 5, score = 1200
            // 8d047d08000000 | lea eax, [edi*2 + 8]
            // 50 | push eax
            // 6a08 | push 8
            // ff15???????? | call dword ptr [imm32]
            // 50 | push eax
        $sequence_15 = { 8d047d08000000 50 6a08 ff15???????? 50 ff15???????? } // n = 6, score = 1200
            // 8d047d08000000 | lea eax, [edi*2 + 8]
            // 50 | push eax
            // 6a08 | push 8
            // ff15???????? | call dword ptr [imm32]
            // 50 | push eax
            // ff15???????? | call dword ptr [imm32]
        $sequence_16 = { 8d047d08000000 50 6a08 ff15???????? } // n = 4, score = 1200
            // 8d047d08000000 | lea eax, [edi*2 + 8]
            // 50 | push eax
            // 6a08 | push 8
            // ff15???????? | call dword ptr [imm32]
        $sequence_17 = { 8d047d08000000 50 6a08 ff15???????? 50 ff15???????? } // n = 6, score = 1200
            // 8d047d08000000 | lea eax, [edi*2 + 8]
            // 50 | push eax
            // 6a08 | push 8
            // ff15???????? | call dword ptr [imm32]
            // 50 | push eax
            // ff15???????? | call dword ptr [imm32]
        $sequence_18 = { 8d047d08000000 50 6a08 ff15???????? } // n = 4, score = 1200
            // 8d047d08000000 | lea eax, [edi*2 + 8]
            // 50 | push eax
            // 6a08 | push 8
            // ff15???????? | call dword ptr [imm32]
        $sequence_19 = { 8d047d08000000 50 6a08 ff15???????? 50 } // n = 5, score = 1200
            // 8d047d08000000 | lea eax, [edi*2 + 8]
            // 50 | push eax
            // 6a08 | push 8
            // ff15???????? | call dword ptr [imm32]
            // 50 | push eax

        // --- family D (score 1100): call with arguments (..., 0, 0xfde9).
        // 0xfde9 == 65001 == CP_UTF8, so this is presumably a
        // MultiByteToWideChar / WideCharToMultiByte call site -- confirm. ------
        $sequence_20 = { 8bda 53 6a00 68e9fd0000 ff15???????? } // n = 5, score = 1100
            // 8bda | mov ebx, edx
            // 53 | push ebx
            // 6a00 | push 0
            // 68e9fd0000 | push 0xfde9
            // ff15???????? | call dword ptr [imm32]
        $sequence_21 = { 53 6a00 68e9fd0000 ff15???????? 8bf8 85ff 74?? } // n = 7, score = 1100
            // 53 | push ebx
            // 6a00 | push 0
            // 68e9fd0000 | push 0xfde9
            // ff15???????? | call dword ptr [imm32]
            // 8bf8 | mov edi, eax
            // 85ff | test edi, edi
            // 74?? | je short
        $sequence_22 = { 8bda 53 6a00 68e9fd0000 } // n = 4, score = 1100
            // 8bda | mov ebx, edx
            // 53 | push ebx
            // 6a00 | push 0
            // 68e9fd0000 | push 0xfde9
        $sequence_23 = { 6a00 68e9fd0000 ff15???????? 8bf8 85ff 74?? 56 } // n = 7, score = 1100
            // 6a00 | push 0
            // 68e9fd0000 | push 0xfde9
            // ff15???????? | call dword ptr [imm32]
            // 8bf8 | mov edi, eax
            // 85ff | test edi, edi
            // 74?? | je short
            // 56 | push esi
        $sequence_24 = { 8bda 53 6a00 68e9fd0000 ff15???????? 8bf8 85ff } // n = 7, score = 1100
            // 8bda | mov ebx, edx
            // 53 | push ebx
            // 6a00 | push 0
            // 68e9fd0000 | push 0xfde9
            // ff15???????? | call dword ptr [imm32]
            // 8bf8 | mov edi, eax
            // 85ff | test edi, edi
        $sequence_25 = { 8bda 53 6a00 68e9fd0000 } // n = 4, score = 1100
            // 8bda | mov ebx, edx
            // 53 | push ebx
            // 6a00 | push 0
            // 68e9fd0000 | push 0xfde9
        $sequence_26 = { 8bda 53 6a00 68e9fd0000 ff15???????? 8bf8 } // n = 6, score = 1100
            // 8bda | mov ebx, edx
            // 53 | push ebx
            // 6a00 | push 0
            // 68e9fd0000 | push 0xfde9
            // ff15???????? | call dword ptr [imm32]
            // 8bf8 | mov edi, eax
        $sequence_27 = { 6a00 68e9fd0000 ff15???????? 8bf8 85ff 74?? 56 } // n = 7, score = 1100
            // 6a00 | push 0
            // 68e9fd0000 | push 0xfde9
            // ff15???????? | call dword ptr [imm32]
            // 8bf8 | mov edi, eax
            // 85ff | test edi, edi
            // 74?? | je short
            // 56 | push esi

        // --- score 1000: prologue of the family-C allocator (28) and a routine
        // that widens single bytes of edx into consecutive 16-bit slots
        // (29..34), presumably building a wide-char string -- confirm. ---------
        $sequence_28 = { 8bfa 8bf1 8d047d08000000 50 } // n = 4, score = 1000
            // 8bfa | mov edi, edx
            // 8bf1 | mov esi, ecx
            // 8d047d08000000 | lea eax, [edi*2 + 8]
            // 50 | push eax
        $sequence_29 = { 8bc2 c1e808 0fb6c0 668941fa c1ea10 } // n = 5, score = 1000
            // 8bc2 | mov eax, edx
            // c1e808 | shr eax, 8
            // 0fb6c0 | movzx eax, al
            // 668941fa | mov word ptr [ecx - 6], ax
            // c1ea10 | shr edx, 0x10
        $sequence_30 = { 0fb6c0 668941fa c1ea10 0fb6c2 668941fc c1ea08 } // n = 6, score = 1000
            // 0fb6c0 | movzx eax, al
            // 668941fa | mov word ptr [ecx - 6], ax
            // c1ea10 | shr edx, 0x10
            // 0fb6c2 | movzx eax, dl
            // 668941fc | mov word ptr [ecx - 4], ax
            // c1ea08 | shr edx, 8
        $sequence_31 = { 668941fa c1ea10 0fb6c2 668941fc c1ea08 0fb6c2 } // n = 6, score = 1000
            // 668941fa | mov word ptr [ecx - 6], ax
            // c1ea10 | shr edx, 0x10
            // 0fb6c2 | movzx eax, dl
            // 668941fc | mov word ptr [ecx - 4], ax
            // c1ea08 | shr edx, 8
            // 0fb6c2 | movzx eax, dl
        $sequence_32 = { 75?? 66894604 83c608 2bf2 } // n = 4, score = 1000
            // 75?? | jne short
            // 66894604 | mov word ptr [esi + 4], ax
            // 83c608 | add esi, 8
            // 2bf2 | sub esi, edx
        $sequence_33 = { c1ea10 0fb6c2 668941fc c1ea08 } // n = 4, score = 1000
            // c1ea10 | shr edx, 0x10
            // 0fb6c2 | movzx eax, dl
            // 668941fc | mov word ptr [ecx - 4], ax
            // c1ea08 | shr edx, 8
        $sequence_34 = { 0fb6c0 668941fa c1ea10 0fb6c2 668941fc } // n = 5, score = 1000
            // 0fb6c0 | movzx eax, al
            // 668941fa | mov word ptr [ecx - 6], ax
            // c1ea10 | shr edx, 0x10
            // 0fb6c2 | movzx eax, dl
            // 668941fc | mov word ptr [ecx - 4], ax

        // --- score 800 ----------------------------------------------------------
        $sequence_35 = { eb?? eb?? 8b45e8 83c001 } // n = 4, score = 800
            // eb?? | jmp short
            // eb?? | jmp short
            // 8b45e8 | mov eax, dword ptr [ebp - 0x18]
            // 83c001 | add eax, 1

        // --- score 700: argument pushes preceding the CP_UTF8 call of family D
        // (36, 37, 40..42) and a six-argument call with four zero args (38, 43,
        // 44; 44 is a copy of 43). Mostly generic push sequences -- weak on
        // their own. ---------------------------------------------------------
        $sequence_36 = { 56 ff7508 53 6a00 68e9fd0000 } // n = 5, score = 700
            // 56 | push esi
            // ff7508 | push dword ptr [ebp + 8]
            // 53 | push ebx
            // 6a00 | push 0
            // 68e9fd0000 | push 0xfde9
        $sequence_37 = { 57 56 ff7508 53 6a00 68e9fd0000 } // n = 6, score = 700
            // 57 | push edi
            // 56 | push esi
            // ff7508 | push dword ptr [ebp + 8]
            // 53 | push ebx
            // 6a00 | push 0
            // 68e9fd0000 | push 0xfde9
        $sequence_38 = { 57 6a00 6a00 6a00 6a00 ff7508 } // n = 6, score = 700
            // 57 | push edi
            // 6a00 | push 0
            // 6a00 | push 0
            // 6a00 | push 0
            // 6a00 | push 0
            // ff7508 | push dword ptr [ebp + 8]
        $sequence_39 = { 53 56 8bf1 bb00c34c84 } // n = 4, score = 700
            // 53 | push ebx
            // 56 | push esi
            // 8bf1 | mov esi, ecx
            // bb00c34c84 | mov ebx, 0x844cc300
        $sequence_40 = { 6a00 57 56 ff7508 53 6a00 68e9fd0000 } // n = 7, score = 700
            // 6a00 | push 0
            // 57 | push edi
            // 56 | push esi
            // ff7508 | push dword ptr [ebp + 8]
            // 53 | push ebx
            // 6a00 | push 0
            // 68e9fd0000 | push 0xfde9
        $sequence_41 = { 6a00 57 56 ff7508 53 6a00 } // n = 6, score = 700
            // 6a00 | push 0
            // 57 | push edi
            // 56 | push esi
            // ff7508 | push dword ptr [ebp + 8]
            // 53 | push ebx
            // 6a00 | push 0
        $sequence_42 = { 6a00 57 56 ff7508 53 } // n = 5, score = 700
            // 6a00 | push 0
            // 57 | push edi
            // 56 | push esi
            // ff7508 | push dword ptr [ebp + 8]
            // 53 | push ebx
        $sequence_43 = { 53 57 6a00 6a00 6a00 6a00 ff7508 } // n = 7, score = 700
            // 53 | push ebx
            // 57 | push edi
            // 6a00 | push 0
            // 6a00 | push 0
            // 6a00 | push 0
            // 6a00 | push 0
            // ff7508 | push dword ptr [ebp + 8]
        $sequence_44 = { 53 57 6a00 6a00 6a00 6a00 ff7508 } // n = 7, score = 700
            // 53 | push ebx
            // 57 | push edi
            // 6a00 | push 0
            // 6a00 | push 0
            // 6a00 | push 0
            // 6a00 | push 0
            // ff7508 | push dword ptr [ebp + 8]

        // --- score 600: more argument pushes (45, 46, 49, 51); a prologue that
        // loads 0x55555556, the multiply-by-reciprocal constant for division
        // by 3 (47, 48); and the 0x844cc300 constant again (50). --------------
        $sequence_45 = { 6a03 6a00 6a00 ff7508 53 } // n = 5, score = 600
            // 6a03 | push 3
            // 6a00 | push 0
            // 6a00 | push 0
            // ff7508 | push dword ptr [ebp + 8]
            // 53 | push ebx
        $sequence_46 = { 6a03 6a00 6a00 ff7508 53 50 } // n = 6, score = 600
            // 6a03 | push 3
            // 6a00 | push 0
            // 6a00 | push 0
            // ff7508 | push dword ptr [ebp + 8]
            // 53 | push ebx
            // 50 | push eax
        $sequence_47 = { 8bec 56 8b750c b856555555 } // n = 4, score = 600
            // 8bec | mov ebp, esp
            // 56 | push esi
            // 8b750c | mov esi, dword ptr [ebp + 0xc]
            // b856555555 | mov eax, 0x55555556
        $sequence_48 = { 55 8bec 56 8b750c b856555555 } // n = 5, score = 600
            // 55 | push ebp
            // 8bec | mov ebp, esp
            // 56 | push esi
            // 8b750c | mov esi, dword ptr [ebp + 0xc]
            // b856555555 | mov eax, 0x55555556
        $sequence_49 = { 6a00 6a03 6a00 6a00 ff7508 53 50 } // n = 7, score = 600
            // 6a00 | push 0
            // 6a03 | push 3
            // 6a00 | push 0
            // 6a00 | push 0
            // ff7508 | push dword ptr [ebp + 8]
            // 53 | push ebx
            // 50 | push eax
        $sequence_50 = { 53 56 8bf1 bb00c34c84 57 } // n = 5, score = 600
            // 53 | push ebx
            // 56 | push esi
            // 8bf1 | mov esi, ecx
            // bb00c34c84 | mov ebx, 0x844cc300
            // 57 | push edi
        $sequence_51 = { 6a00 6a00 ff7508 53 } // n = 4, score = 600
            // 6a00 | push 0
            // 6a00 | push 0
            // ff7508 | push dword ptr [ebp + 8]
            // 53 | push ebx

        // --- score 400: (a) a word-by-word compare of a wide string against
        // 'S','M','T','P',':' (0x53 0x4d 0x54 0x50 0x3a), i.e. the prefix
        // L"SMTP:" (52, 54..56, 59, 63..65); (b) initialisation of a large
        // structure at fixed offsets 0x18/0x1c/0x11c/0x224/0x228/0x32d
        // (53, 57, 58, 60..62, 66, 67) -- the structure's meaning is not
        // recoverable from these bytes. -----------------------------------------
        $sequence_52 = { 668378024d 75?? 6683780454 75?? } // n = 4, score = 400
            // 668378024d | cmp word ptr [eax + 2], 0x4d
            // 75?? | jne short
            // 6683780454 | cmp word ptr [eax + 4], 0x54
            // 75?? | jne short
        $sequence_53 = { 74?? 899824020000 889828020000 88982d030000 c7401801000000 88581c } // n = 6, score = 400
            // 74?? | je short
            // 899824020000 | mov dword ptr [eax + 0x224], ebx
            // 889828020000 | mov byte ptr [eax + 0x228], bl
            // 88982d030000 | mov byte ptr [eax + 0x32d], bl
            // c7401801000000 | mov dword ptr [eax + 0x18], 1
            // 88581c | mov byte ptr [eax + 0x1c], bl
        $sequence_54 = { 75?? 6683780454 75?? 6683780650 75?? } // n = 5, score = 400
            // 75?? | jne short
            // 6683780454 | cmp word ptr [eax + 4], 0x54
            // 75?? | jne short
            // 6683780650 | cmp word ptr [eax + 6], 0x50
            // 75?? | jne short
        $sequence_55 = { 75?? 6683780454 75?? 6683780650 75?? 668378083a 74?? } // n = 7, score = 400
            // 75?? | jne short
            // 6683780454 | cmp word ptr [eax + 4], 0x54
            // 75?? | jne short
            // 6683780650 | cmp word ptr [eax + 6], 0x50
            // 75?? | jne short
            // 668378083a | cmp word ptr [eax + 8], 0x3a
            // 74?? | je short
        $sequence_56 = { 66833853 75?? 668378024d 75?? 6683780454 75?? } // n = 6, score = 400
            // 66833853 | cmp word ptr [eax], 0x53
            // 75?? | jne short
            // 668378024d | cmp word ptr [eax + 2], 0x4d
            // 75?? | jne short
            // 6683780454 | cmp word ptr [eax + 4], 0x54
            // 75?? | jne short
        $sequence_57 = { 74?? 899824020000 889828020000 88982d030000 c7401801000000 88581c 88981c010000 } // n = 7, score = 400
            // 74?? | je short
            // 899824020000 | mov dword ptr [eax + 0x224], ebx
            // 889828020000 | mov byte ptr [eax + 0x228], bl
            // 88982d030000 | mov byte ptr [eax + 0x32d], bl
            // c7401801000000 | mov dword ptr [eax + 0x18], 1
            // 88581c | mov byte ptr [eax + 0x1c], bl
            // 88981c010000 | mov byte ptr [eax + 0x11c], bl
        $sequence_58 = { 889828020000 88982d030000 c7401801000000 88581c } // n = 4, score = 400
            // 889828020000 | mov byte ptr [eax + 0x228], bl
            // 88982d030000 | mov byte ptr [eax + 0x32d], bl
            // c7401801000000 | mov dword ptr [eax + 0x18], 1
            // 88581c | mov byte ptr [eax + 0x1c], bl
        $sequence_59 = { 668378024d 75?? 6683780454 75?? 6683780650 75?? } // n = 6, score = 400
            // 668378024d | cmp word ptr [eax + 2], 0x4d
            // 75?? | jne short
            // 6683780454 | cmp word ptr [eax + 4], 0x54
            // 75?? | jne short
            // 6683780650 | cmp word ptr [eax + 6], 0x50
            // 75?? | jne short
        $sequence_60 = { 899824020000 889828020000 88982d030000 c7401801000000 } // n = 4, score = 400
            // 899824020000 | mov dword ptr [eax + 0x224], ebx
            // 889828020000 | mov byte ptr [eax + 0x228], bl
            // 88982d030000 | mov byte ptr [eax + 0x32d], bl
            // c7401801000000 | mov dword ptr [eax + 0x18], 1
        $sequence_61 = { 899824020000 889828020000 88982d030000 c7401801000000 88581c 88981c010000 eb?? } // n = 7, score = 400
            // 899824020000 | mov dword ptr [eax + 0x224], ebx
            // 889828020000 | mov byte ptr [eax + 0x228], bl
            // 88982d030000 | mov byte ptr [eax + 0x32d], bl
            // c7401801000000 | mov dword ptr [eax + 0x18], 1
            // 88581c | mov byte ptr [eax + 0x1c], bl
            // 88981c010000 | mov byte ptr [eax + 0x11c], bl
            // eb?? | jmp short
        $sequence_62 = { 74?? 899824020000 889828020000 88982d030000 } // n = 4, score = 400
            // 74?? | je short
            // 899824020000 | mov dword ptr [eax + 0x224], ebx
            // 889828020000 | mov byte ptr [eax + 0x228], bl
            // 88982d030000 | mov byte ptr [eax + 0x32d], bl
        $sequence_63 = { 668378024d 75?? 6683780454 75?? 6683780650 75?? 668378083a } // n = 7, score = 400
            // 668378024d | cmp word ptr [eax + 2], 0x4d
            // 75?? | jne short
            // 6683780454 | cmp word ptr [eax + 4], 0x54
            // 75?? | jne short
            // 6683780650 | cmp word ptr [eax + 6], 0x50
            // 75?? | jne short
            // 668378083a | cmp word ptr [eax + 8], 0x3a
        $sequence_64 = { 75?? 6683780454 75?? 6683780650 75?? 668378083a } // n = 6, score = 400
            // 75?? | jne short
            // 6683780454 | cmp word ptr [eax + 4], 0x54
            // 75?? | jne short
            // 6683780650 | cmp word ptr [eax + 6], 0x50
            // 75?? | jne short
            // 668378083a | cmp word ptr [eax + 8], 0x3a
        $sequence_65 = { 6683790454 75?? 6683790650 75?? } // n = 4, score = 400
            // 6683790454 | cmp word ptr [ecx + 4], 0x54
            // 75?? | jne short
            // 6683790650 | cmp word ptr [ecx + 6], 0x50
            // 75?? | jne short
        $sequence_66 = { 74?? 899824020000 889828020000 88982d030000 c7401801000000 } // n = 5, score = 400
            // 74?? | je short
            // 899824020000 | mov dword ptr [eax + 0x224], ebx
            // 889828020000 | mov byte ptr [eax + 0x228], bl
            // 88982d030000 | mov byte ptr [eax + 0x32d], bl
            // c7401801000000 | mov dword ptr [eax + 0x18], 1
        $sequence_67 = { 889828020000 88982d030000 c7401801000000 88581c 88981c010000 } // n = 5, score = 400
            // 889828020000 | mov byte ptr [eax + 0x228], bl
            // 88982d030000 | mov byte ptr [eax + 0x32d], bl
            // c7401801000000 | mov dword ptr [eax + 0x18], 1
            // 88581c | mov byte ptr [eax + 0x1c], bl
            // 88981c010000 | mov byte ptr [eax + 0x11c], bl

        // --- score 300: import-call / double-test idiom (68, 70 is a prefix of
        // 68) and a field walk at +0x20 / +0x40 / +0x3c (69). -----------------
        $sequence_68 = { ff15???????? 85db 0f8????????? 85c0 0f8????????? } // n = 5, score = 300
            // ff15???????? | call dword ptr [imm32]
            // 85db | test ebx, ebx
            // 0f8????????? | jcc rel32
            // 85c0 | test eax, eax
            // 0f8????????? | jcc rel32
        $sequence_69 = { 8b7020 8b7840 89c3 83c33c } // n = 4, score = 300
            // 8b7020 | mov esi, dword ptr [eax + 0x20]
            // 8b7840 | mov edi, dword ptr [eax + 0x40]
            // 89c3 | mov ebx, eax
            // 83c33c | add ebx, 0x3c
        $sequence_70 = { ff15???????? 85db 0f8????????? 85c0 } // n = 4, score = 300
            // ff15???????? | call dword ptr [imm32]
            // 85db | test ebx, ebx
            // 0f8????????? | jcc rel32
            // 85c0 | test eax, eax

        // --- score 100: weakest, single-sample fragments (SSE2 double compare,
        // stack-frame shuffles, a possible x64 sample in 72/82). ------------------
        $sequence_71 = { eb?? f20f1005???????? f20f108c2480000000 660f2ec8 } // n = 4, score = 100
            // eb?? | jmp short
            // f20f1005???????? | movsd xmm0, qword ptr [imm32]
            // f20f108c2480000000 | movsd xmm1, qword ptr [esp + 0x80]
            // 660f2ec8 | ucomisd xmm1, xmm0
        $sequence_72 = { 8bd8 4c 8bca 4c 8bc1 48 89442428 } // n = 7, score = 100
            // 8bd8 | mov ebx, eax
            // 4c | dec esp   (REX.WR prefix if the sample is x64 -- confirm)
            // 8bca | mov ecx, edx
            // 4c | dec esp   (REX.WR prefix if the sample is x64 -- confirm)
            // 8bc1 | mov eax, ecx
            // 48 | dec eax   (REX.W prefix if the sample is x64 -- confirm)
            // 89442428 | mov dword ptr [esp + 0x28], eax
        $sequence_73 = { 89e0 c7400400000000 c7005830d800 e8???????? } // n = 4, score = 100
            // 89e0 | mov eax, esp
            // c7400400000000 | mov dword ptr [eax + 4], 0
            // c7005830d800 | mov dword ptr [eax], 0xd83058
            // e8???????? | call rel32
        $sequence_74 = { 8b4df0 2bc2 8d9594feffff 52 33d2 03cf } // n = 6, score = 100
            // 8b4df0 | mov ecx, dword ptr [ebp - 0x10]
            // 2bc2 | sub eax, edx
            // 8d9594feffff | lea edx, [ebp - 0x16c]
            // 52 | push edx
            // 33d2 | xor edx, edx
            // 03cf | add ecx, edi
        $sequence_75 = { 8945c0 8945dc 8d45ac 50 } // n = 4, score = 100
            // 8945c0 | mov dword ptr [ebp - 0x40], eax
            // 8945dc | mov dword ptr [ebp - 0x24], eax
            // 8d45ac | lea eax, [ebp - 0x54]
            // 50 | push eax
        $sequence_76 = { 8bec 83ec14 56 57 8bf0 33c0 50 } // n = 7, score = 100
            // 8bec | mov ebp, esp
            // 83ec14 | sub esp, 0x14
            // 56 | push esi
            // 57 | push edi
            // 8bf0 | mov esi, eax
            // 33c0 | xor eax, eax
            // 50 | push eax
        $sequence_77 = { 8b5f70 899c24b4000000 8b5f74 899c24b8000000 8b5f68 899c24bc000000 8b5f64 } // n = 7, score = 100
            // 8b5f70 | mov ebx, dword ptr [edi + 0x70]
            // 899c24b4000000 | mov dword ptr [esp + 0xb4], ebx
            // 8b5f74 | mov ebx, dword ptr [edi + 0x74]
            // 899c24b8000000 | mov dword ptr [esp + 0xb8], ebx
            // 8b5f68 | mov ebx, dword ptr [edi + 0x68]
            // 899c24bc000000 | mov dword ptr [esp + 0xbc], ebx
            // 8b5f64 | mov ebx, dword ptr [edi + 0x64]
        $sequence_78 = { 89542404 894c2418 e8???????? 8b4c2420 890c24 8b542430 89542404 } // n = 7, score = 100
            // 89542404 | mov dword ptr [esp + 4], edx
            // 894c2418 | mov dword ptr [esp + 0x18], ecx
            // e8???????? | call rel32
            // 8b4c2420 | mov ecx, dword ptr [esp + 0x20]
            // 890c24 | mov dword ptr [esp], ecx
            // 8b542430 | mov edx, dword ptr [esp + 0x30]
            // 89542404 | mov dword ptr [esp + 4], edx
        $sequence_79 = { 8985ecfeffff 8d85f6feffff 6a00 50 c745f404010000 898df0feffff 668995f4feffff } // n = 7, score = 100
            // 8985ecfeffff | mov dword ptr [ebp - 0x114], eax
            // 8d85f6feffff | lea eax, [ebp - 0x10a]
            // 6a00 | push 0
            // 50 | push eax
            // c745f404010000 | mov dword ptr [ebp - 0xc], 0x104
            // 898df0feffff | mov dword ptr [ebp - 0x110], ecx
            // 668995f4feffff | mov word ptr [ebp - 0x10c], dx
        $sequence_80 = { 56 83e4f8 81ecc8000000 8b4508 f20f1005???????? 31c9 8984249c000000 } // n = 7, score = 100
            // 56 | push esi
            // 83e4f8 | and esp, 0xfffffff8
            // 81ecc8000000 | sub esp, 0xc8
            // 8b4508 | mov eax, dword ptr [ebp + 8]
            // f20f1005???????? | movsd xmm0, qword ptr [imm32]
            // 31c9 | xor ecx, ecx
            // 8984249c000000 | mov dword ptr [esp + 0x9c], eax
        $sequence_81 = { f20f11842490000000 8984248c000000 0f8????????? e9???????? 8b442454 } // n = 5, score = 100
            // f20f11842490000000 | movsd qword ptr [esp + 0x90], xmm0
            // 8984248c000000 | mov dword ptr [esp + 0x8c], eax
            // 0f8????????? | jcc rel32
            // e9???????? | jmp rel32
            // 8b442454 | mov eax, dword ptr [esp + 0x54]
        $sequence_82 = { 74?? 48 8bcf e8???????? 0fb6c3 } // n = 5, score = 100
            // 74?? | je short
            // 48 | dec eax   (REX.W prefix if the sample is x64 -- confirm)
            // 8bcf | mov ecx, edi
            // e8???????? | call rel32
            // 0fb6c3 | movzx eax, bl
        $sequence_83 = { 74?? ff15???????? 89442408 8b442444 } // n = 4, score = 100
            // 74?? | je short
            // ff15???????? | call dword ptr [imm32]
            // 89442408 | mov dword ptr [esp + 8], eax
            // 8b442444 | mov eax, dword ptr [esp + 0x44]

    condition:
        // Any 7 of the 84 strings, anywhere in the scanned data; no file-type or
        // size guard. See the review notes above on how duplicated and
        // overlapping strings let a single fragment reach this threshold.
        7 of them
}
◆win_emotet_auto (20190620 | autogenerated rule brought to you by yara-signator) (Malpedia, 2019/06/20)
https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet