diff --git a/README.md b/README.md
index 3917de3..eeb81a3 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,18 @@
 # Hachi: An Intelligent threat mapper
+
+
+ATT&CK framework has become a benchmark in the security domain. ATT&CK provides data about each technique used across different attack stages. Hachi was created to contribute to the ATT&CK community. Hachi is based on the radare2 framework and uses data provided by ATT&CK to map the symptoms of malware on ATT&CK matrix.
+
+Following modules of Hachi make this tool a great addition to an analyst’s or company’s armaments:
+
+• Threat Intel: Hachi provides threat intelligence data like a possible parent campaign or author of a malware file.
+• Malware behavior: It uncovers core malware behaviors using automated static analysis coupled with symbolic execution to explore multiple execution paths and maps it on ATT&CK matrix.
+• RESTful API: Hachi provides RESTful API which enables this tool to seamlessly integration with malware processing frameworks.
+• Visualization: It allows for the creation of detailed visual reports.
+
+
+References:
+https://attack.mitre.org/
+https://www.radare.org/get/THC2018.pdf
+https://github.com/pinkflawd/r2graphity
+https://github.com/Yara-Rules/rules
\ No newline at end of file
diff --git a/__init__.py b/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/hachi.py b/hachi.py
new file mode 100644
index 0000000..3d85420
--- /dev/null
+++ b/hachi.py
@@ -0,0 +1,157 @@ +import os +import web +import uuid +import json +import hashlib +import pythoncom +import win32com.client +from utils import db_comm +from utils.config import Config +from utils.mitre_table import table_creation + +urls = ('/', 'Upload', + '/report/download/(.+)', 'Images', + '/report/images/(.+)', 'Images', + '/report/(.+)', 'Reporting', + '/images/(.*)', 'Images' + ) + +opts = Config().read_config() +pythoncom.CoInitialize() +qinfo = win32com.client.Dispatch("MSMQ.MSMQQueueInfo") +computer_name = os.getenv('COMPUTERNAME') +queue_name = opts["config"]["QUEUE_NAME"] +qinfo.FormatName = "direct=os:" + computer_name + "\\PRIVATE$\\" + queue_name + + +class Reporting: + + def __init__(self): + pass + + def GET(self, uid): + render = web.template.frender('templates/reporting.html') + filename = db_comm.get_column_val('uid', uid, 'filepath') + anomalies = [] + file_info = {} + cert_info = {} + table_data = {} + static_info = {} + campaign_info = {} + suspicious_api_seq = [] + report_path = os.path.join(opts["config"]["OUTPUT_DIR"], uid) + if os.path.exists(os.path.join(report_path, uid + '.campaign.json')): + with open(os.path.join(report_path, uid + '.campaign.json'), 'rb') as fp: + campaign_info = json.load(fp) + if os.path.exists(os.path.join(report_path, uid + '.basic_info.json')): + with open(os.path.join(report_path, uid+'.basic_info.json'), 'rb') as fp: + file_info = json.load(fp) + if os.path.exists(os.path.join(report_path, uid + '.static.json')): + with open(os.path.join(report_path, uid + '.static.json'), + 'rb') as fp: + static_info = json.load(fp) + if os.path.exists(os.path.join(report_path, uid + '.cert.json')): + with open(os.path.join(report_path, uid + '.cert.json'), + 'rb') as fp: + cert_info = json.load(fp) + if os.path.exists(os.path.join(report_path, uid + '.yara.json')): + with open(os.path.join(report_path, uid + '.yara.json'), + 'rb') as fp: + suspicious = json.load(fp) + if "Yara Matched" in suspicious: + for tag in 
suspicious["Yara Matched"].keys(): + for rule_name in suspicious["Yara Matched"][tag].keys(): + if "description" in suspicious["Yara Matched"][tag][rule_name]: + anomalies.append(suspicious["Yara Matched"][tag][rule_name]["description"]) + if os.path.exists(os.path.join(report_path, uid + '.behav.json')): + with open(os.path.join(report_path, uid + '.behav.json'), + 'rb') as fp: + behav_json = json.load(fp) + if "Suspicious Behaviors" in behav_json: + for api_seq in behav_json["Suspicious Behaviors"].keys(): + suspicious_api_seq.append(api_seq) + if os.path.exists('utils\mitre.json'): + with open('utils\mitre.json', 'rb') as fp: + mitre_json = json.load(fp) + if os.path.exists(os.path.join(report_path, uid + '.mitre.json')): + with open(os.path.join(report_path, uid+'.mitre.json'), 'rb') as fs: + sig_json = json.load(fs) + table_data = table_creation(sig_json, mitre_json) + if os.path.exists(os.path.join(report_path, uid + '.png')): + png_name = uid + '.png' + else: + png_name = 'Hachi-Logo.png' + html_data = render(uid, filename, file_info, campaign_info, table_data, static_info, cert_info, anomalies, + suspicious_api_seq, png_name) + return html_data + + +class Upload: + def __init__(self): + pass + + def GET(self): + render = web.template.frender('templates/hachi.html') + row = db_comm.get_data() + sample_count = db_comm.count('uid') + pending_count = db_comm.count_condition('uid', 'STATUS', 'PENDING') + complete_count = db_comm.count_condition('uid', 'STATUS', 'COMPLETED') + fail_count = db_comm.count_condition('uid', 'STATUS', 'FAILED') + status_count = [complete_count, pending_count, fail_count] + html_data = render(row, sample_count, status_count) + return html_data + + def POST(self): + x = web.input(myfile={}) + filename = x['myfile'].filename + if filename != "" and filename is not None: + uid = uuid.uuid4() + folderpath = os.path.join(opts["config"]["INPUT_DIR"], str(uid)) + os.mkdir(folderpath) + out_folderpath = 
os.path.join(opts["config"]["OUTPUT_DIR"], str(uid)) + os.mkdir(out_folderpath) + with open(os.path.join(folderpath, str(uid)), 'wb') as fp: + fp.write(x['myfile'].file.read()) + + queue = qinfo.Open(2, 0) # Open a ref to queue + msg = win32com.client.Dispatch("MSMQ.MSMQMessage") + msg.Label = "TestMsg" + msg.Body = str(uid) + msg.Send(queue) + queue.Close() + with open(os.path.join(folderpath, str(uid)), 'rb') as fp: + sha2 = hashlib.sha256(fp.read()).hexdigest() + db_comm.insert(str(uid), sha2, filename, "PENDING") + raise web.seeother('/') + + +class Images: + def __init__(self): + pass + + def GET(self, name): + ext = name.split(".")[-1] # Gather extension + + cType = { + "png": "image/png", + "jpg": "image/jpeg", + "gif": "image/gif", + "ico": "image/x-icon", + "zip": "application/octet-stream" + } + + if name in os.listdir('images'): # Security + web.header("Content-Type", cType[ext]) # Set the Header + return open('images/%s' % name, "rb").read() # Notice 'rb' for reading images + else: + for root, dir, filenames in os.walk(opts["config"]["OUTPUT_DIR"]): + if name in filenames: + png_path = os.path.join(root, name) + web.header("Content-Type", cType[ext]) + return open(png_path, "rb").read() + raise web.notfound() + + +if __name__ == "__main__": + app = web.application(urls, globals()) + app.run() \ No newline at end of file diff --git a/images/Hachi-Logo-Final-3.png b/images/Hachi-Logo-Final-3.png new file mode 100644 index 0000000..df66dca Binary files /dev/null and b/images/Hachi-Logo-Final-3.png differ diff --git a/images/Hachi-Logo.png b/images/Hachi-Logo.png new file mode 100644 index 0000000..369c7f0 Binary files /dev/null and b/images/Hachi-Logo.png differ diff --git a/images/favicon.ico b/images/favicon.ico new file mode 100644 index 0000000..6560b29 Binary files /dev/null and b/images/favicon.ico differ diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..054dd80 --- /dev/null +++ b/requirements.txt 
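Review bot: `Reporting.GET` uses the `uid` captured by the `/report/(.+)` route straight in `os.path.join(opts["config"]["OUTPUT_DIR"], uid)` and in `db_comm.get_column_val('uid', uid, 'filepath')`, so the only thing standing between a request and the filesystem or the database is the route regex. Because `Upload.POST` always names samples with `str(uuid.uuid4())`, the handler can reject anything else up front: `try: uuid.UUID(uid)` / `except ValueError: raise web.notfound()`. The same check belongs in `Images.GET`, whose `os.walk` fallback returns any file under OUTPUT_DIR whose extension is in `cType`, and both branches there leave the file object from `open(...).read()` unclosed, which a `with` block fixes. Separately, `Reporting.GET` reads the hard-coded `'utils\mitre.json'` although the config already exposes that path as `opts["config"]["MITRE_JSON"]`, so the two can drift apart silently.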
@@ -0,0 +1,8 @@
+r2pipe==0.9.9
+pypiwin32==219
+yara_python==3.8.1
+web.py==0.39
+pefile==2017.11.5
+networkx==2.2
+web==0.6.0
+yara==1.7.7
diff --git a/scanda.py b/scanda.py
new file mode 100644
index 0000000..8922dfa
--- /dev/null
+++ b/scanda.py
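Review bot: The list pins both `web.py==0.39` and `web==0.6.0`, and both `yara_python==3.8.1` and `yara==1.7.7`, although `hachi.py` and `scanda.py` only `import web` and `import yara`, which `web.py` and `yara_python` provide. The extra `web` and `yara` entries appear to be unrelated PyPI projects that merely share a name with the import, so they should be confirmed against the modules actually used and dropped if unneeded; installing look-alike packages widens the dependency surface for no benefit. Each entry that stays would also benefit from a trailing comment naming the import it satisfies, e.g. `yara_python==3.8.1  # provides 'import yara'`.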
@@ -0,0 +1,151 @@ +import os +import yara +import json +import pefile +import zipfile +import hashlib +import win32com.client +from utils import db_comm +from utils import peparser +from utils.config import Config +from utils.yarascan import YaraScan +from utils.playbookSig import playbooksig +from utils.digicheck import DigitalSignatureCheck +from utils.graphity.graphity import get_behaviors + +RE_EMBEDDED_FILE = r'0x([A-F0-9]+)\s+([0-9]+)\s+([^,:\(\.]+)' + +opts = Config().read_config() + + +def zipdir(path, ziph): + for root, dirs, files in os.walk(path): + for file in files: + ziph.write(os.path.join(root, file)) + + +def process_file(yara_scan, yara_rules, yara_id_rules, yara_mitre_rules, input_file, output_file_static, + outputfile_mitre): + with open(input_file, 'rb') as f: + file_data = f.read() + + yara_mitre_rules.match(data=file_data, callback=yara_scan.yara_callback_desc, + which_callbacks=yara.CALLBACK_MATCHES) + json_data = yara_scan.yara_sig_matched + with open(outputfile_mitre, 'w') as fw: + json_report = json.dumps(json_data, sort_keys=True, indent=4) + fw.write(json_report.encode('utf-8')) + + json_data = {} + yara_id_rules.match(data=file_data, callback=yara_scan.yara_callback, which_callbacks=yara.CALLBACK_MATCHES) + json_data['File Type Information'] = yara_scan.yara_idsig_matched + + yara_scan.yara_sig_matched = {} + yara_rules.match(data=file_data, callback=yara_scan.yara_callback_desc, which_callbacks=yara.CALLBACK_MATCHES) + json_data['Yara Matched'] = yara_scan.yara_sig_matched + + with open(output_file_static, 'w') as fw: + json_report = json.dumps(json_data, sort_keys=True, indent=4) + fw.write(json_report.encode('utf-8')) + return json_data + + +def process_dir(src_dir, dst_dir): + + print("Processing: " + src_dir + " ...") + yara_scan = YaraScan() + yara_rules = yara.compile('./yara_sigs/index.yar') + yara_idrules = yara.compile('./yara_sigs/index_id.yar') + yara_mitre_rules = yara.compile('./yara_sigs/index_mitre.yar') + + for 
root_dir, dirs, files in os.walk(src_dir): + for filename in files: + print(filename) + src_file = os.path.join(root_dir, filename) + try: + pefile.PE(src_file) + print "PE File loaded" + with open(src_file, 'rb') as f: + contents = f.read() + file_size = len(contents) + sha1 = hashlib.sha1(contents).hexdigest() + sha2 = hashlib.sha256(contents).hexdigest() + # md5 accepts only chunks of 128*N bytes + md5_obj = hashlib.md5() + for i in range(0, len(contents), 8192): + md5_obj.update(contents[i:i + 8192]) + md5 = md5_obj.hexdigest() + except Exception as e: + print("Skipping: " + src_file) + print("Error: " + str(e)) + return + + basic_info = {'MD5': md5, 'SHA1': sha1, 'SHA256': sha2, 'File Size': file_size} + + with open(os.path.join(dst_dir, filename) + ".basic_info.json", 'wb') as fw: + json.dump(basic_info, fw) + peparsed = peparser.parse(src_file) + with open(os.path.join(dst_dir, filename) + ".static.json", 'wb') as fp: + json.dump(peparsed, fp) + dst_file_static = os.path.join(dst_dir, filename) + ".yara.json" + dst_file_mitre = os.path.join(dst_dir, filename) + ".mitre.json" + # run yara rules on file + process_file(yara_scan, yara_rules, yara_idrules, yara_mitre_rules, src_file, dst_file_static, + dst_file_mitre) + + dst_file = os.path.join(dst_dir, filename) + ".behav.json" + get_behaviors(src_file, dst_file, dst_dir) + if os.path.exists(os.path.join(dst_dir, filename) + ".behav.json"): + with open(os.path.join(dst_dir, filename) + ".behav.json", 'rb') as fp: + file_data = fp.read() + + json_data = {} + yara_mitre_api = yara.compile('.\\yara_sigs\\mitre\\api_based.yar') + yara_scan.yara_sig_matched = {} + yara_mitre_api.match(data=file_data, callback=yara_scan.yara_callback_desc, + which_callbacks=yara.CALLBACK_MATCHES) + json_data['API_MITRE'] = yara_scan.yara_sig_matched + with open(dst_file_mitre, 'rb') as fs: + mitre_matched_json = json.loads(fs.read()) + for matched_tid in mitre_matched_json.keys(): + if matched_tid in json_data['API_MITRE']: + 
mitre_matched_json[matched_tid].update(json_data['API_MITRE'][matched_tid]) + with open(dst_file_mitre, 'wb') as fs: + fs.write(json.dumps(mitre_matched_json, sort_keys=True, indent=4).encode('utf-8')) + dst_campaign_file = os.path.join(dst_dir, filename) + ".campaign.json" + playbooksig(opts["config"]["PLAYBOOK_JSON"], dst_file_mitre, dst_campaign_file) + + with open(os.path.join(dst_dir, filename) + ".cert.json", 'wb') as fp: + DigiSig = DigitalSignatureCheck() + DigiSig.run(src_file) + json.dump(DigiSig._REQ_DATA_FIELD, fp) + report_folder_name = dst_dir.split("\\")[-1] + zipf = zipfile.ZipFile(os.path.join(opts["config"]["OUTPUT_DIR"], report_folder_name+'.zip'), 'w', + zipfile.ZIP_DEFLATED) + zipdir(dst_dir, zipf) + zipf.close() + return True + + +def check_queue(): + qinfo = win32com.client.Dispatch("MSMQ.MSMQQueueInfo") + computer_name = os.getenv('COMPUTERNAME') + qinfo.FormatName = "direct=os:" + computer_name + "\\PRIVATE$\\" + opts["config"]["QUEUE_NAME"] + queue = qinfo.Open(1, 0) # Open a ref to queue to read(1) + while True: + msg = queue.Receive() + if msg: + print("Found new sample:") + print "Label:", msg.Label + print "Body :", msg.Body + bDone = process_dir(os.path.join(opts["config"]["INPUT_DIR"], msg.Body.encode('utf-8')), + os.path.join(opts["config"]["OUTPUT_DIR"], msg.Body.encode('utf-8'))) + if bDone: + db_comm.update(msg.Body.encode('utf-8'), "COMPLETED") + else: + db_comm.update(msg.Body.encode('utf-8'), "FAILED") + queue.Close() + + +if __name__ == '__main__': + check_queue() \ No newline at end of file diff --git a/templates/hachi.html b/templates/hachi.html new file mode 100644 index 0000000..9627ac9 --- /dev/null +++ b/templates/hachi.html @@ -0,0 +1,87 @@ +$def with (table_data, sample_count, status_count) + + + Welcome to Hachi + + + + + + + + + + + + +
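Review bot: `check_queue` passes `msg.Body` straight into `os.path.join(opts["config"]["INPUT_DIR"], ...)` and the matching OUTPUT_DIR join, so whatever is written to the MSMQ queue decides which directory is walked, analysed and zipped; the producer in `hachi.py` always sends a `str(uuid.uuid4())`, so the consumer can enforce that shape before the join with `uuid.UUID(msg.Body)` (after adding `import uuid`, skipping the message on `ValueError`) rather than trusting the queue. In `process_dir` the `except Exception` branch does `return` rather than `continue`, so the first file that `pefile.PE` rejects ends the whole directory with a `None` result and the remaining files are never looked at; a comment should say so if that is intended, since `check_queue` maps `None` to `FAILED`. Any exception from `peparser.parse`, `process_file` or `get_behaviors` is outside that `try`, so it propagates out of the `while True` in `check_queue` and stops the worker after the message has already been received, leaving that sample `PENDING` with nothing to retry it. The comment `# md5 accepts only chunks of 128*N bytes` is not accurate for `hashlib.md5().update`, which accepts any length; either hash `contents` directly as the sha1 and sha256 lines do, or reword it to `# hash in 8 KiB chunks to bound memory`.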
+ +
+
+ + Hachi + +
+
+ +
+
+
+
+

+

$sample_count

+
+
+
+

+ + +
+
+
​ +

Pending $status_count[1]

+

Completed $status_count[0]

+

Failed $status_count[2]

+
+
+ +
+ + + + + + + + + + $for todo in table_data: + + + + + + +
UIDFilenameStatus
$todo[0] $todo[1]$todo[2]
+
+ + +
+ + + \ No newline at end of file diff --git a/templates/reporting.html b/templates/reporting.html new file mode 100644 index 0000000..df9183e --- /dev/null +++ b/templates/reporting.html @@ -0,0 +1,326 @@ +$def with (uid, filename, file_info, campaign_info, table_data, static_data, cert_info, anomalies, sus_api_seq, png_name) + + + Welcome to Hachi + + + + + + + + + + + +
+ +
+
+ + Hachi + +
+
+ +
+
+ +
+

Filename: $filename

+ +
+
+ +
+
+ +
+
+ + + + + + + + + $for entry in campaign_info: + + + + + +
FieldValue
$entry$campaign_info[entry]
+
+
+
+
+ +
+
+

Basic Details

+ + + + + + + + + $for entry in file_info: + + + + + +
FieldValue
$entry$file_info[entry]
+

Version and Certificate Details

+ + + + + + + + + $for entry in cert_info: + + + + + +
FieldValue
$entry$cert_info[entry]
+
+
+
+
+ +
+
+ $if "IMAGE_FILE_HEADER" in static_data: +

File Header

+ + + + + + + + + $for entry in static_data["IMAGE_FILE_HEADER"]: + + + + + +
FieldValue
$entry$static_data["IMAGE_FILE_HEADER"][entry]
+ $if "IMAGE_OPTIONAL_HEADER" in static_data: +

Optional Header

+ + + + + + + + + $for entry in static_data["IMAGE_OPTIONAL_HEADER"]: + + + + + +
FieldValue
$entry$static_data["IMAGE_OPTIONAL_HEADER"][entry]
+ $if "IMAGE_SECTIONS" in static_data: +

Section Header

+ + + + + + + + + + + + $for entry in static_data["IMAGE_SECTIONS"]: + + + + + + + + +
NameSizeOfRawDataVirtualSizeentropypermissions
$entry['Name']$entry['SizeOfRawData']$entry['VirtualSize']$entry['entropy']$entry['permissions']
+
+
+
+ $if len(anomalies) > 0 or len(sus_api_seq) > 0: +
+ +
+
+ $if len(anomalies) > 0: + + + + + + + + $for description in anomalies: + + + + +
Description
$description
+ $if len(sus_api_seq) > 0: + + + + + + + + $for api_seq in sus_api_seq: + + + + +
Suspicious API Patterns
$api_seq
+
+
+
+
+ +
+
+ + + + $for entry in table_data[0]: + + + + + $for i in range(1, len(table_data)): + + $for tid in table_data[i]: + $if tid=="": + + $else: + + + +
$entry
$tid$tid["name"]
+
+
+ +
+ +
+
+ + + +
+
+
+
+
+
+ + +
+ + + +
+ + + + diff --git a/utils/Hachi.config b/utils/Hachi.config new file mode 100644 index 0000000..378a898 --- /dev/null +++ b/utils/Hachi.config @@ -0,0 +1,14 @@ +[config] +input_dir = .\\input +output_dir = .\\output +PLAYBOOK_JSON = .\\utils\\Playbooksig.json +MITRE_JSON = .\\utils\\mitre.json +DB_PATH = .\\utils\\hachi.db +SIG_CHECK_EXE = .\\utils\\sigcheck64.exe +QUEUE_NAME = hachi + +[logging] +log_verbosity = info +log_backup_count = 5 +log_date_format = '%%a, %%d %%b %%Y %%H:%%M:%%S' +log_rotate_at = midnight \ No newline at end of file diff --git a/utils/Playbooksig.json b/utils/Playbooksig.json new file mode 100644 index 0000000..cfe68a9 --- /dev/null +++ b/utils/Playbooksig.json 
@@ -0,0 +1,327 @@ +{ + "APT18":[ + "T1059", + "T1043", + "T1133", + "T1083", + "T1107", + "T1027", + "T1060", + "T1105", + "T1053", + "T1071", + "T1082", + "T1078" + ], + "APT28":[ + "T1134", + "T1119", + "T1067", + "T1059", + "T1092", + "T1122", + "T1090", + "T1003", + "T1002", + "T1213", + "T1005", + "T1025", + "T1001", + "T1074", + "T1140", + "T1173", + "T1114", + "T1203", + "T1211", + "T1068", + "T1210", + "T1083", + "T1107", + "T1158", + "T1070", + "T1056", + "T1037", + "T1040", + "T1027", + "T1137", + "T1075", + "T1120", + "T1086", + "T1057", + "T1105", + "T1091", + "T1014", + "T1085", + "T1113", + "T1064", + "T1193", + "T1192", + "T1071", + "T1221", + "T1099", + "T1199", + "T1204", + "T1078" + ], + "APT32":[ + "T1087", + "T1017", + "T1009", + "T1059", + "T1043", + "T1003", + "T1094", + "T1002", + "T1022", + "T1073", + "T1189", + "T1041", + "T1203", + "T1068", + "T1083", + "T1107", + "T1222", + "T1158", + "T1070", + "T1036", + "T1031", + "T1112", + "T1170", + "T1046", + "T1050", + "T1096", + "T1027", + "T1137", + "T1075", + "T1097", + "T1086", + "T1012", + "T1060", + "T1117", + "T1105", + "T1018", + "T1053", + "T1064", + "T1035", + "T1216", + "T1045", + "T1193", + "T1192", + "T1071", + "T1082", + "T1016", + "T1049", + "T1033", + "T1099", + "T1065", + "T1204", + "T1078", + "T1100", + "T1077", + "T1047" + ], + "DarkHotel":[ + "T1116", + "T1140", + "T1189", + "T1056", + "T1027", + "T1057", + "T1060", + "T1091", + "T1064", + "T1063", + "T1023", + "T1193", + "T1082", + "T1016", + "T1080", + "T1204" + ], + "FIN8":[ + "T1059", + "T1043", + "T1003", + "T1002", + "T1074", + "T1048", + "T1068", + "T1107", + "T1070", + "T1112", + "T1027", + "T1086", + "T1076", + "T1105", + "T1018", + "T1053", + "T1064", + "T1063", + "T1193", + "T1192", + "T1032", + "T1204", + "T1078", + "T1077", + "T1047" + ], + "Lazarus":[ + "T1134", + "T1098", + "T1010", + "T1067", + "T1110", + "T1059", + "T1043", + "T1223", + "T1090", + "T1003", + "T1024", + "T1002", + "T1485", + "T1132", + "T1022", 
+ "T1005", + "T1074", + "T1089", + "T1488", + "T1487", + "T1189", + "T1048", + "T1041", + "T1203", + "T1008", + "T1083", + "T1107", + "T1158", + "T1056", + "T1026", + "T1050", + "T1027", + "T1057", + "T1055", + "T1012", + "T1060", + "T1076", + "T1105", + "T1496", + "T1064", + "T1489", + "T1023", + "T1193", + "T1071", + "T1032", + "T1082", + "T1016", + "T1033", + "T1124", + "T1099", + "T1065", + "T1204", + "T1077", + "T1047" + ], + "Tropic Trooper":[ + "T1197", + "T1043", + "T1140", + "T1073", + "T1203", + "T1158", + "T1046", + "T1135", + "T1050", + "T1027", + "T1057", + "T1055", + "T1063", + "T1193", + "T1032", + "T1082", + "T1033", + "T1221", + "T1004" + ], + "OilRig":[ + "T1087", + "T1119", + "T1110", + "T1059", + "T1223", + "T1003", + "T1094", + "T1140", + "T1048", + "T1133", + "T1008", + "T1107", + "T1066", + "T1056", + "T1046", + "T1027", + "T1201", + "T1069", + "T1086", + "T1057", + "T1012", + "T1108", + "T1076", + "T1105", + "T1021", + "T1053", + "T1113", + "T1064", + "T1193", + "T1192", + "T1071", + "T1032", + "T1082", + "T1016", + "T1049", + "T1033", + "T1007", + "T1204", + "T1078", + "T1100", + "T1047" + ], + "Turla":[ + "T1134", + "T1110", + "T1059", + "T1090", + "T1081", + "T1022", + "T1005", + "T1025", + "T1140", + "T1089", + "T1106", + "T1048", + "T1083", + "T1066", + "T1112", + "T1027", + "T1086", + "T1057", + "T1055", + "T1012", + "T1060", + "T1105", + "T1018", + "T1064", + "T1193", + "T1192", + "T1071", + "T1082", + "T1016", + "T1049", + "T1007", + "T1124", + "T1204", + "T1102", + "T1077", + "T1084", + "T1004" + ] +} \ No newline at end of file diff --git a/utils/__init__.py b/utils/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/utils/config.py b/utils/config.py new file mode 100644 index 0000000..ed1eb30 --- /dev/null +++ b/utils/config.py 
@@ -0,0 +1,71 @@
+import ConfigParser
+import sys
+from ConfigParser import SafeConfigParser
+
+# import warnings
+# warnings.filterwarnings("error")
+
+
+# http://stackoverflow.com/a/21190382
+reload(sys)
+sys.setdefaultencoding("utf8")
+
+
+class Config:
+ def __init__(self, filename=".\\utils\\Hachi.config"):
+
+ self.parser = SafeConfigParser()
+ self.parser.read(filename)
+ self.opts = dict({
+ "config": dict(),
+ "logging": dict()
+ })
+
+ def read_config(self):
+
+ self.opts["config"]["INPUT_DIR"] = self.parser.get("config", "input_dir")
+ self.opts["config"]["OUTPUT_DIR"] = self.parser.get("config", "output_dir")
+ self.opts["config"]["PLAYBOOK_JSON"] = self.parser.get("config", "PLAYBOOK_JSON")
+ self.opts["config"]["MITRE_JSON"] = self.parser.get("config", "MITRE_JSON")
+ self.opts["config"]["DB_PATH"] = self.parser.get("config", "DB_PATH")
+ self.opts["config"]["SIG_CHECK_EXE"] = self.parser.get("config", "SIG_CHECK_EXE")
+ self.opts["config"]["QUEUE_NAME"] = self.parser.get("config", "QUEUE_NAME")
+
+ self.opts["logging"]["log_verbosity"] = self.parser.get("logging", "log_verbosity")
+ self.opts["logging"]["log_backup_count"] = self.parser.get("logging", "log_backup_count")
+ self.opts["logging"]["log_date_format"] = self.parser.get("logging", "log_date_format")
+ self.opts["logging"]["log_rotate_at"] = self.parser.get("logging", "log_rotate_at")
+
+ return self.opts
+
+ def get_var(self, section, var):
+ try:
+ return self.parser.get(section, var)
+ except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):
+ return None
+
+ def get_section(self, section):
+ try:
+ options = self.parser.items(section)
+ except ConfigParser.NoSectionError:
+ return None
+
+ opt_dict = dict()
+ for pairs in options:
+ opt_dict[pairs[0]] = pairs[1]
+
+ return opt_dict
+
+ def set_var(self, section, var, value):
+ try:
+ return self.parser.set(section, var, value)
+ except ConfigParser.NoSectionError:
+ return None
+
+ def list_config(self):
+ print "Configuration 
Options:"
+ for section in self.parser.sections():
+ print "%s" % (section)
+ for (name, value) in self.parser.items(section):
+ print "\t%s:\t%s" % (name, value)
+ return
diff --git a/utils/db_comm.py b/utils/db_comm.py
new file mode 100644
index 0000000..dfbc70d
--- /dev/null
+++ b/utils/db_comm.py
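Review bot: `Config.__init__` ignores the return value of `self.parser.read(filename)`, and `SafeConfigParser.read` silently skips files it cannot open, so a missing or misnamed `Hachi.config` only surfaces later as a `NoSectionError` from the first `get` in `read_config`, far from the cause. Check it at the source: `if not self.parser.read(filename):` / `raise IOError("config file not found: %s" % filename)`. The module-level `reload(sys); sys.setdefaultencoding("utf8")` changes interpreter-wide behaviour for every importer of `utils.config` and hides real encoding bugs; at minimum the comment should name the call site that needed it, and the decode should happen where the bytes enter. `read_config` and `get_var` also disagree on missing keys, the former raising and the latter returning `None`; a docstring on `read_config` should state that every key of the `[config]` and `[logging]` sections must be present.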
@@ -0,0 +1,67 @@
+import sqlite3
+from config import Config
+
+
+opts = Config().read_config()
+
+
+def insert(uid, hash, filename, status):
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ conn.execute("""INSERT INTO HACHI (UID,HASH,FILEPATH, STATUS) VALUES (?, ?, ?, ? );""", (uid, hash, filename, status))
+ conn.commit()
+ conn.close()
+
+
+def get_data():
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ cursor = conn.execute("SELECT uid, filepath, status from HACHI")
+ data = []
+ for row in cursor:
+ data.append(row)
+ conn.close()
+ return data
+
+
+def update(uid, value):
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ conn.execute("""UPDATE HACHI SET STATUS = ? where UID = ?;""", (value, uid))
+ conn.commit()
+ conn.close()
+
+
+def count(column_name):
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ cursor = conn.execute("""SELECT COUNT(?) from HACHI;""", (column_name,))
+ value = cursor.fetchone()[0]
+ conn.close()
+ return value
+
+
+def count_condition(column_name, cond_coulmn_name, value):
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ q = """SELECT COUNT(%s) FROM HACHI WHERE %s = "%s";""" %(column_name, cond_coulmn_name, value)
+ cursor = conn.execute(q)
+ value = cursor.fetchone()[0]
+ conn.close()
+ return value
+
+
+def get_column_val(uid_column, uid, column_name):
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ q = """SELECT %s FROM HACHI WHERE %s = "%s";""" % (column_name, uid_column, uid)
+ cursor = conn.execute(q)
+ value = cursor.fetchone()[0]
+ conn.close()
+ return value
+
+
+def create_table():
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ conn.execute('''CREATE TABLE HACHI
+ (UID CHAR(50) PRIMARY KEY NOT NULL,
+ hash CHAR(50),
+ filepath CHAR(50),
+ status TEXT,
+ timestamp DATETIME DEFAULT CURRENT_TIMESTAMP);''')
+ conn.close()
+
diff --git a/utils/digicheck.py b/utils/digicheck.py
new file mode 100644
index 0000000..dd86729
--- /dev/null
+++ b/utils/digicheck.py
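Review bot: `get_column_val` and `count_condition` interpolate the value with `%` into a double-quoted SQL literal, and `hachi.py` calls `get_column_val('uid', uid, 'filepath')` with the `uid` taken from the `/report/(.+)` URL, so the query text is under caller control. Bind the value and keep only the column names (which are code constants) in the format string: `q = "SELECT %s FROM HACHI WHERE %s = ?;" % (column_name, uid_column)` then `cursor = conn.execute(q, (uid,))`, and the same shape for `count_condition` with `(value,)`. `count` has the opposite problem: `SELECT COUNT(?)` binds `column_name` as a string literal, so it counts every row regardless of the column named, and `SELECT COUNT(*)` would say what it actually does. Both `fetchone()[0]` calls raise `TypeError` when no row matches, which `Reporting.GET` turns into a 500 for an unknown uid; `row = cursor.fetchone()` / `value = row[0] if row else None` lets the caller answer 404. Each connection is also opened without `with` or `try/finally`, so a failing `execute` leaks it.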
@@ -0,0 +1,97 @@ +import subprocess +from config import Config + + +class DigitalSignatureCheck: + def __init__(self): + pass + + opts = Config().read_config() + # Commandline input + _SIGCHECK_EXE = opts["config"]["SIG_CHECK_EXE"] + _SIGCHECK_ARGS = ' -i -h' + + # extract record information + _DIGISIG_KEY_LIST = ["Verified", "Link date", "Signing date", "Catalog", "Signers", "Cert Status", "Valid Usage", + "Cert Issuer", "Serial Number", "Thumbprint", "Algorithm", "Valid from", "Valid to", "Company", + "Description", "Product", "Prod version", "File version", "MachineType", "MD5", "SHA1", + "SHA256", "IMP", ] + _DIGISIG_DATA_RECORD = { + "Verified": "n/a", "Link date": "n/a", "Signing date": "n/a", "Catalog": "n/a", "Signers": "n/a", + "Cert Status": "n/a", + "Valid Usage": "n/a", "Cert Issuer": "n/a", "Serial Number": "n/a", "Thumbprint": "n/a", "Algorithm": "n/a", + "Valid from": "n/a", + "Valid to": "n/a", "Company": "n/a", "Description": "n/a", "Product": "n/a", "Prod version": "n/a", + "File version": "n/a", + "MachineType": "n/a", "MD5": "n/a", "SHA1": "n/a", "SHA256": "n/a", "IMP": "n/a" + } + + _REQ_DATA_FIELD = {"Verified": "n/a", + "Signing date": "n/a", + "Signers": "n/a", + "Cert Issuer": "n/a", + "Valid from": "n/a", + "Valid to": "n/a", + "Company": "n/a", + "Description": "n/a" + } + _DIGISIG_DATA = {} + + Delimiter = "|" + + def parse_sigcheck_output(self, output): + self._DIGISIG_DATA = dict(self._DIGISIG_DATA_RECORD) + result = output.split("\r\n") + signers_sig_flag = 0 + key = "" + for line in result: + if len(line.split(":")) == 2: + # Key value pair is present + key = line.split(":")[0].strip("\t") + value = line.split(":")[1].strip("\t") + if key in self._DIGISIG_KEY_LIST: + if self._DIGISIG_DATA[key] == "n/a": + if key == "Signers": + signers_sig_flag = signers_sig_flag + 1 + else: + self._DIGISIG_DATA[key] = value + elif (line.strip(" ") != "") and len(line.split(":")) == 1 and signers_sig_flag == 1: + + # Get Signers information + 
publisher_value = line.strip("\t").strip(" ") + self._DIGISIG_DATA[key] = publisher_value + + signers_sig_flag = signers_sig_flag + 1 + elif len(line.split(":")) > 2: + other_fields = ["Catalog", "Valid from", "Valid to", "Link date", "Signing date"] + + key = line.split(":")[0].strip("\t") + if key in other_fields: + value = ":".join(line.split(":")[1:]).strip("\t") + self._DIGISIG_DATA[key] = value + + def run(self, filetoscan): + + ExceptionOccured = False + cmd = ("%s %s \"%s\"") % (self._SIGCHECK_EXE, self._SIGCHECK_ARGS, filetoscan) + result = "" + try: + result = subprocess.check_output(cmd, shell=True) + except subprocess.CalledProcessError, e: + if e.returncode < 0: + ExceptionOccured = True + else: + result = e.output + + if not ExceptionOccured: + try: + self.parse_sigcheck_output(result) + for key in self._DIGISIG_DATA: + if key in self._REQ_DATA_FIELD: + self._REQ_DATA_FIELD[key] = self._DIGISIG_DATA[key] + except Exception as e: + print(str(e)) + self._DIGISIG_DATA = {} + + else: + self._DIGISIG_DATA = {} diff --git a/utils/graphity/__init__.py b/utils/graphity/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/utils/graphity/graphity.py b/utils/graphity/graphity.py new file mode 100644 index 0000000..e5fa3c9 --- /dev/null +++ b/utils/graphity/graphity.py 
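Review bot: `run` builds `cmd` with `%` formatting and executes it via `subprocess.check_output(cmd, shell=True)`, so `filetoscan` is parsed by the shell; the only thing keeping that safe is that the caller in `scanda.py` derives the path from the queue message body, which is itself not validated. Pass an argument list instead and drop the shell: `cmd = [self._SIGCHECK_EXE, '-i', '-h', filetoscan]` and `result = subprocess.check_output(cmd)`. `_REQ_DATA_FIELD` is a class attribute that `run` mutates in place, so every `DigitalSignatureCheck()` instance shares one dict and values from a previous sample survive into the next report whenever a key is absent; create it per instance in `__init__` (`self._REQ_DATA_FIELD = dict(DigitalSignatureCheck._REQ_DATA_FIELD)`) or reset it at the top of `run`. `opts = Config().read_config()` in the class body runs at import time, so importing the module already fails when the config is missing; that is worth a comment, or moving the lookup into `__init__`.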
@@ -0,0 +1,651 @@ +#!/usr/bin/env python + +import re +import json +import r2pipe +import graphityFunc +from time import time +import networkx as nx +from base64 import b64decode +from datetime import datetime +from collections import Counter +from graphityOps import patternScan, graphvizPlot +from graphityUtils import gimmeDatApiName, getAllAttributes, check_pe_header + + +# Checks whether an address is located in an executable section +def isValidCode(callAddress, sectionsList): + # sectionsList contains executable sections as 2-element lists, containing start and end of each section + for execSection in sectionsList: + if execSection[0] <= int(callAddress, 16) < execSection[1]: + return True + return False + + +# Returns a list of executable sections +def getCodeSections(): + returnSections = [] + + # regular expression to pick out the executable section(s) + execSection = re.compile("perm=....x") + + # will return the section table from radare2 + sections = R2PY.cmd("iS") + + sectionData = {} + + for line in sections.splitlines(): + if re.search(execSection, line): + for element in line.split(): + items = element.split('=') + sectionData[items[0]] = items[1] + + start = int(sectionData['vaddr'], 16) + end = start + int(sectionData['vsz']) + psize = int(sectionData['sz']) + returnSections.append([start, end, psize]) + + return returnSections + + +# Returns an executables imports as a list +def getIat(): + iatlist = [] + cmd = "iij" + iatjson = json.loads(R2PY.cmd(cmd)) + # print(iatjson) + for item in iatjson: + iatlist.append(hex(item['plt'])) + return iatlist + + +# Returns a dictionary of xrefs to symbols +def crossRefScan(): + cmd = "axtj @@ sym.*" + finalCalls = {} + + # fixing the JSON... 
issue reported to radare2, keep in mind to remove workaround + out = R2PY.cmd(cmd) + out = out.strip("\n") + temp = out.replace("]", "],") + temp = temp.replace(",,", ",") + temp = temp.rstrip("\r\n") + if temp.endswith(","): + temp = temp[:-1] + temp = "[" + temp + "]" + xrefj = json.loads(temp) + # TODO check!! + + for xrefitem in xrefj: + for xreflevel2 in xrefitem: + + # not data xref means its code or call + if xreflevel2['type'] != 'd': + finalCalls[hex(xreflevel2['from'])] = xreflevel2['opcode'] + pass + + # data potentially means API referenced by register; please note these are rather uncommon in the long list of symbol refs + # thus, bottelneck in parsing speed lies in number of refs + if xreflevel2['type'] == 'd' and ( + xreflevel2['opcode'].startswith('mov') or xreflevel2['opcode'].startswith('lea')): + + # 'grepping' out the register from mov/lea operation + register = xreflevel2['opcode'].split()[1].replace(',', '') + + # disassemble downwards; mmmaybe smarter to disassemble until end of function, but possible that there is no function at all + # TODO find end of function, just in case + cmd = "pd 300 @ " + hex(xreflevel2['from']) + moreDisasm = R2PY.cmd(cmd) + + # possible branches towards target + realCall = "call %s" % register + aJmp = "jmp %s" % register + + for disasmLine in moreDisasm.splitlines()[1:]: + if realCall in disasmLine or aJmp in disasmLine: + # found a call!! + temp = disasmLine + ";" + xreflevel2['opcode'].split(',')[1].rstrip() + tempSplit = temp.split() + finalCalls[hex(int(tempSplit[0], 16))] = ' '.join(tempSplit[1:]) + + elif register in disasmLine: + # TODO if mov dword abc, reg is found -> follow abc? + # TODO could be parsed in more detail, e.g. 
mov dword, reg won't change the reg + # print disasmLine + + break + # pass + return finalCalls + + +# Parses the binary for strings and their references to nodes +def stringScan(debugDict): + # Workflow is: get string, get xrefs to string if any, get functions of xrefs if any; fit node in graph with the string + allMyStrings = [] + return allMyStrings + + # izzj parses entire binary + stringCmd = "izzj" + strings = R2PY.cmd(stringCmd) + + parsedStrings = json.loads(strings) + + debugDict['stringsDangling'] = [] + debugDict['stringsNoRef'] = [] + + i = 0 + j = 1 + while i < len(parsedStrings["strings"]): + stringItem = parsedStrings["strings"][i] + + # Strings when retrieved through izzj command are BASE64 encoded + thatOneString = b64decode(stringItem['string']).replace(b'\\', b' \\\\ ') + thatOneString.replace(b'\'', b'') + + try: + + thatOneString = thatOneString.decode() + + xrefCmd = "axtj @ " + hex(stringItem['vaddr']) + stringXrefsJ = R2PY.cmd(xrefCmd) + # RN + stringXrefsJ = stringXrefsJ.replace("\"\"", "\"") + # print(stringXrefsJ) + # TODO this should be a list, but is returned as a string now? + # if stringXrefsJ != []: + if len(stringXrefsJ) > 2: + stringXrefs = json.loads(stringXrefsJ) + + # check whether string item is root of list of strings + j = 1 + lastItem = stringItem + while (i + j) < len(parsedStrings["strings"]): + nextStringItem = parsedStrings["strings"][i + j] + lastAddr = lastItem['vaddr'] + lastSize = lastItem['size'] + + # string offsets are 4 byte aligned, TODO check whether this is always the case + padding = 4 - (lastSize % 4) + if padding == 4: + padding = 0 + nextAddr = lastAddr + lastSize + padding + + if nextAddr != nextStringItem['vaddr'] or hasXref(hex(nextStringItem['vaddr'])): + # end.. 
exit here + break + else: + thatOneString = thatOneString + "|" + b64decode(nextStringItem['string']).decode() + j = j + 1 + lastItem = nextStringItem + + # iterate refs on string, if any + for ref in stringXrefs: + + # sort out strings with code ref, i.e. non-strings + if ref['type'] != 'c' and ref['type'] != 'C': + stringAddr = hex(ref['from']) + stringFuncRef = gimmeRespectiveFunction(stringAddr) + if stringFuncRef != '0x0': + allMyStrings.append([stringAddr, stringFuncRef, thatOneString]) + else: + # TODO this is merely still useful strings, see how to fit them in the graphs and db + # RN print("DANGLING STRING NO FUNCREF %s %s" % (stringAddr, thatOneString)) + debugDict['stringsDangling'].append(thatOneString) + + else: + debugDict['stringsNoRef'].append(thatOneString) + + + except UnicodeDecodeError: + pass + if j > 1: + i = i + j + else: + i = i + 1 + + debugDict['stringsDanglingTotal'] = len(debugDict['stringsDangling']) + debugDict['stringsNoRefTotal'] = len(debugDict['stringsNoRef']) + return allMyStrings + + +# Text whether xrefs exist for given address +def hasXref(vaddr): + refs = R2PY.cmd("axtj @ " + vaddr) + if refs: + return True + else: + return False + + +# Creating the NetworkX graph, nodes are functions, edges are calls or callbacks +def createRawGraph(): + graphity = nx.DiGraph() + debugDict = {} + + functions = R2PY.cmd("aflj") + # print("Functions") + # print(functions) + # return {},{} + if functions: + functionList = json.loads(functions) + # print json.dumps(functionList, indent=4, sort_keys=True) + else: + functionList = [] + + # figuring out code section size total + sectionsList = getCodeSections() + xlen = 0 + for execSec in sectionsList: + xlen = xlen + execSec[2] + debugDict['xsectionsize'] = xlen + + # CREATING THE GRAPH + + refsGlobalVar = 0 + refsUnrecognized = 0 + refsFunc = 0 + debugDict['functions'] = len(functionList) + + ### NetworkX Graph Structure ### + + # FUNCTION as node, attributes: function address, size, calltype, 
list of calls, list of strings, count of calls; functiontype[Callback, Export], alias (e.g. export name), mnemonic distribution + # FUNCTIoN REFERENCE as edge (function address -> target address), attributes: ref offset (at) + # INDIRECT REFERENCE as edge (currently for threads and Windows hooks, also indirect code and indirect data references) + # API CALLS (list attribute of function node): address, API name + # STRINGS (list attribute of function node): address, string, evaluation + + #### + + # TODO add count of refs from A to B as weights to edges + # TODO count calls to global vars, to indirect targets + + for item in functionList: + # print hex(item['offset']) + graphity.add_node(hex(item['offset']), size=item['realsz'], calltype=item['calltype'], calls=[], apicallcount=0, + strings=[], stringcount=0, functiontype='') + + for item in functionList: + + # TODO look into new values provided by aflj + # print(item) + if 'callrefs' in item: + for xref in item['callrefs']: + + if xref['type'] == 'C': + + # If an edge is added, that includes a non-existent node, the node will be added, but w/o the necessary attributes + # Thasss why we iterate twice, can theoretically be speeded up but needs testing + if hex(xref['addr']) in graphity: + if item['offset'] != xref['addr']: + graphity.add_edge(hex(item['offset']), hex(xref['addr']), pos=hex(xref['at'])) + refsFunc = refsFunc + 1 + + elif hex(xref['addr']) in getIat(): + pass + + elif not isValidCode(hex(xref['addr']), sectionsList): + # TODO do something + '''print( + "DANGLING call to address outside code section, glob var, dynamic API loading %s -> %s" % ( + hex(item['offset']), hex(xref['addr'])))''' + refsGlobalVar = refsGlobalVar + 1 + + else: + print( + "FAIL: Call to code thats not a function, an import/symbol or otherwise recognized. Missed function perhaps. 
%s -> %s" % ( + hex(item['offset']), hex(xref['addr']))) + refsUnrecognized = refsUnrecognized + 1 + + print('* %s Graph created with NetworkX ' % str(datetime.now())) + debugDict['refsFunctions'] = refsFunc + debugDict['refsGlobalVar'] = refsGlobalVar + debugDict['refsUnrecognized'] = refsUnrecognized + + apiRefs = crossRefScan() + + callNum = len(apiRefs) + missesNum = 0 + + # FITTING GRAPH WITH API REFS + + for call in apiRefs: + + # get the address of the function, that contains the call to a given symbol + funcAddress = gimmeRespectiveFunction(call) + # TODO check if funcAddress is the real function address + if funcAddress in graphity: + + # node(funcAddress) has attribute calls, which contains a list of API calls + api = gimmeDatApiName(apiRefs[call]) + + graphity.node[funcAddress]['calls'].append([call, api]) + + # detected API call reference does not resolve to a function offset, insert handling for this here + else: + # print("DANGLING API CALL %s %s" % (call, apiRefs[call])) + missesNum = missesNum + 1 + + # debug: print total API refs and functionless API refs, maybe indicator for obfuscated code + print('* %s Graph extended with API calls, %d calls in total, %d dangling w/o function reference ' % ( + str(datetime.now()), callNum, missesNum)) + debugDict['apiTotal'] = callNum + debugDict['apiMisses'] = missesNum + + # FITTING GRAPH WITH STRING REFS + + allTheStrings = stringScan(debugDict) + stringrefs = 0 + + for aString in allTheStrings: + + stringAddr = aString[0] + stringFunc = aString[1] + stringData = aString[2] + + # add string to respective function node in graph + if stringFunc in graphity: + graphity.node[stringFunc]['strings'].append([stringAddr, stringData]) + stringrefs = stringrefs + 1 + + else: + print("\n*** BIG FAIL *** String's function not in graph %s %s" % (stringFunc, stringData)) + + print('* %s Graph extended with string references ' % (str(datetime.now()))) + debugDict['stringsReferencedTotal'] = stringrefs + + return graphity, 
debugDict + + +# Tag exports of DLLs +# TODO : check whether exports are coming back after bugfix (?) +def analyzeExports(graphity): + exportsj = json.loads(R2PY.cmd("iEj")) + for item in exportsj: + + exportAddress = hex(item['vaddr']) + exportName = item['name'] + + exportFunction = gimmeRespectiveFunction(exportAddress) + + if exportFunction in graphity: + graphity.node[exportFunction]['functiontype'] = 'Export' + graphity.node[exportFunction]['alias'] = exportName + + +# Removing thunks as they make my graphs fat, replace by API calls +def thunkPruning(graphity): + for aNode in graphity.nodes(data=True): + + # most obvious thunks, other thunks exist too, len seen was 11, 13 + # TODO !!!!!!!! check for 64bit + # TODO check with radare for thunk detection? + # funclets that contain nothing but a jump to an import, and do not call other functions + if len(aNode[1]['calls']) == 1 and aNode[1]['size'] == 6 and not graphity.successors(aNode[0]): + + thunk = aNode[0] + thunkApi = aNode[1]['calls'][0] + + # need to go on with radare from here, cause graphity doesn't know all the addressed of the xrefs to thunks from within a function + # getting all xrefs on thunk, then getting function its located in to get to node of graph + temp = R2PY.cmd("axtj " + thunk) + + thunkRefs = [] + if temp: + thunkRefs = json.loads(temp) + + for aRef in thunkRefs: + + thunkCallAddr = hex(aRef['from']) + thunkFuncRef = gimmeRespectiveFunction(thunkCallAddr) + + # if thunk's xrefs include a detected function then add thunk as a regular API call to calls list of respective node + if thunkFuncRef != '0x0': + graphity.node[thunkFuncRef]['calls'].append([thunkCallAddr, thunkApi[1]]) + + # after xref to thunk has been added to all calling functions, remove thunk node from graph + graphity.remove_node(thunk) + + +# Adding edges to indirectly referenced functions, thread handlers and hook functions for now only +def tagCallbacks(graphity): + for aNode in graphity.nodes(data=True): + for call in 
aNode[1]['calls']: + + xrefTarget = '' + # TODO consider this bad practise, do something smarter, not sure yet what, consider _beginthread API etc. etc. + # also, maybe this is fixed in radare later, so consider this code redundant by then + if 'CreateThread' in call[1]: + xrefTarget = getCallback(call[0], 3) + + if 'SetWindowsHookEx' in call[1]: + xrefTarget = getCallback(call[0], 2) + + if xrefTarget: + #print (xrefTarget, aNode[0]) + addIndirectEdge(graphity, aNode[0], xrefTarget, "apicallback", "Callback") + + # implicitly filters out callbacks fixed already - gets all nodes with zero in-degre + # TODO see if feasible for all functions, even with such already having in edges + for aNode in graphity.nodes(data=True): + if graphity.in_degree(aNode[0]) == 0: + jay = R2PY.cmd("axtj @ " + aNode[0]) + jay = jay.rstrip() + if jay: + xrefs = json.loads(jay) + for xref in xrefs: + + # if xref is code its almost certainly an edge to add + if xref['type'] == 'c': + + # TODO circle back on jumptable-as-a-function bug from r2 + # really ugly workaround, really really ugly.. + if not 'dword [' in xref['opcode']: + addIndirectEdge(graphity, hex(xref['from']), aNode[0], "coderef", "IndirectCode") + + # if xref is data + if xref['type'] == 'd': + + opcd = xref['opcode'] + # TODO run more tests on this list not sure these are all possible cases + # TODO make datarefs optional! 
+ if opcd.startswith('push') or opcd.startswith('lea') or opcd.startswith('mov'): + #print (hex(xref['from']), opcd) + addIndirectEdge(graphity, hex(xref['from']), aNode[0], "dataref", "IndirectData") + else: + # TODO look into add reg, ThreadRoutine -> as xref + print ("up for discussion: " + hex(xref['from']), xref['type'], xref['opcode']) + + +def addIndirectEdge(graphity, fromAddr, toAddr, calltype, functiontype): + fromNode = gimmeRespectiveFunction(fromAddr) + toNode = gimmeRespectiveFunction(toAddr) + if fromNode in graphity and toNode in graphity: + graphity.node[toNode]['functiontype'] = functiontype + graphity.add_edge(fromNode, toNode, calltype=calltype) + # print ("added callback edge", fromNode, toNode, calltype, "\n") + else: + print ("Something went wrong with indirect edge ", fromAddr, toAddr, calltype) + + +# Parsing the handler offset out of the function arguments +def getCallback(call, argcount): + # simplistic: walk up the code until xref to code is found, works as long as API only receives one code ref, works well with Windows APIs + disasmMore = "pd -30 @" + call + upwards = R2PY.cmd(disasmMore) + + for otherLine in reversed(upwards.splitlines()): + if 'push' in otherLine: + argcount = argcount - 1 + + # TODO better done with a regex, bug prone + if not argcount: + address = otherLine.split("push", 1)[1].split()[0] + if 'fcn.' in address: + return hex(int(address.split('.')[1], 16)) + if '0x' in address: + return hex(int(address.split('0x')[1], 16)) + else: + return '' + + +# WORKAROUND until function detection - bug? feature? 
in radare is fixed and export vaddr equal actual offsets again +def gimmeRespectiveFunction(address): + if address: + return R2PY.cmd("?v $FB @ " + address).strip("\r\n").strip("\n").strip("\r") + return '' + + +def mnemonicism(offset): + mnems = [] + fsize = 0 + weight = 0 + + funcdump = R2PY.cmd("pdfj @ " + offset) + if funcdump: + dumpj = json.loads(funcdump) + for item in dumpj["ops"]: + # print(item) + if "type" in item: + mnems.append(item["type"]) + # print (item["type"], item["opcode"]) + fsize = dumpj["size"] + + # print ("\n" + offset + " " + str(fsize)) + mnemdict = Counter(mnems) + # for mnem in sorted(mnemdict): + # print (mnem, mnemdict[mnem]) + + for mnem in mnemdict: + if mnem in ['shl', 'shr', 'mul', 'div', 'rol', 'ror', 'sar', 'load', 'store']: + weight += mnemdict[mnem] + return (weight * 10) / fsize + + +# TODO count how many above certain threshold, see how close they are together in the graph? + + +# super graph creation function, radare-analyses the sample, puts together all of the graph and debug info +def graphMagix(filepath, allAtts, deactivatecache): + global R2PY + + print('* %s R2 started analysis ' % str(datetime.now())) + + BENCH['r2_start'] = time() + print("filepath:" + filepath) + + R2PY = r2pipe.open(filepath) + + R2PY.cmd("e asm.lines = false") + R2PY.cmd("e asm.fcnlines = false") + R2PY.cmd("e anal.autoname= false") + R2PY.cmd("e anal.jmptbl = true") + R2PY.cmd("e anal.hasnext = true") + R2PY.cmd("e anal.bb.maxsize = 1M") + # R2PY.cmd("e src.null = true") + R2PY.cmd("aaa") + # R2PY.cmd("afr") + # R2PY.cmd("afr @@ sym*") + + + BENCH['r2_end'] = time() + print('* %s R2 finished analysis' % str(datetime.now())) + + # GRAPH CREATION + graphity, debug = createRawGraph() + + # TODO testing lib code detected + # flagLibraryCode(graphity) + + # DLL PROCESSING + if 'DLL' in allAtts['filetype']: + analyzeExports(graphity) + + # Thunk pruning, thunks are unnecessary information in the graph + thunkPruning(graphity) + + # handler tagging + 
tagCallbacks(graphity) + + # update api and string count attributes + for aNode in graphity.nodes(data=True): + aNode[1]['apicallcount'] = len(aNode[1]['calls']) + aNode[1]['stringcount'] = len(aNode[1]['strings']) + + # calc mnemonic dist + for aNode in graphity.nodes(): + graphity.node[aNode]['mnemonicism'] = mnemonicism(aNode) + + BENCH['graph_end'] = time() + + + return graphity, debug + + +def get_behaviors(filepath, dst_file, out_dir): + global BENCH + BENCH = {} + + behaviours = {} + if check_pe_header(filepath): + print('* %s Parsing %s ' % (str(datetime.now()), filepath)) + allAtts = getAllAttributes(filepath) + graphity, debug = graphMagix(filepath, allAtts, True) # args.deactivatecache) + + # BEHAVIOR + print('* %s Scanning for API patterns ' % str(datetime.now())) + BENCH['behavior_start'] = time() + allThePatterns = graphityFunc.funcDict + + for patty in allThePatterns: + # print(patty) + findings = patternScan(graphity, allThePatterns[patty]) + # print("Findings:") + # print(findings) + for hit in findings: + if not False in hit['patterns'].values(): + #print("For %s found %s" % (patty, str(hit['patterns']))) + if patty in behaviours: + list_hit = behaviours[patty] + list_hit.append(hit['patterns']) + behaviours[patty] = list_hit + else: + behaviours[patty] = [hit['patterns']] + BENCH['behavior_end'] = time() + + ret_info = {} + function_list = {} + # print("printing behaviors found above") + if behaviours: + for behav in behaviours: + info = behaviours[behav] + # print(info) + for entry in info: + for name in entry: + if not str(entry[name]) in function_list: + function_list[str(entry[name])] = behav + # print(entry) + # print function_list + + base_file = dst_file.replace(".behav.json", "") + for funct in function_list: + R2PY.cmd("s." + funct) + pseudo_code = R2PY.cmd("pdc") + code_file = base_file + "." 
+ function_list[funct] + "_" + funct + ".c" + with open(code_file, "w") as out: + for line in pseudo_code.split("\n"): + line = line.rstrip() + if line: + out.write(line + "\n") + + # print(function_list) + ret_info["Suspicious Behaviors"] = behaviours + with open(dst_file, "w") as out: + out.write(json.dumps(ret_info, sort_keys=True, indent=4)) + + print('* %s Plotting routine starting ' % str(datetime.now())) + BENCH['plotting_start'] = time() + graphvizPlot(graphity, allAtts, function_list, out_dir) + BENCH['plotting_end'] = time() + print('* %s Plotting routine finished ' % str(datetime.now())) + + return ret_info diff --git a/utils/graphity/graphityFunc.py b/utils/graphity/graphityFunc.py new file mode 100644 index 0000000..500eb28 --- /dev/null +++ b/utils/graphity/graphityFunc.py 
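Review bot: `stringScan` returns `allMyStrings` unconditionally right after initialising it, so everything below that line — the `izzj` parse, the xref walk and the `debugDict['stringsDangling']`/`['stringsNoRef']` bookkeeping — is unreachable, and `createRawGraph` therefore never attaches string references while `stringsDanglingTotal` is never set. If disabling strings is intentional, gate it behind a parameter such as `def stringScan(debugDict, enabled=False)` and say so in the header comment; otherwise delete the early `return`. In `createRawGraph`, `getIat()` re-runs the r2pipe `iij` query for every call xref (`elif hex(xref['addr']) in getIat():`); hoist `iat = set(getIat())` next to `sectionsList = getCodeSections()` and test membership against it. `mnemonicism` divides by `fsize`, which stays 0 when `pdfj` returns nothing or reports a `size` of 0, so a single odd function in a sample raises `ZeroDivisionError` out of `graphMagix`'s node loop; return 0 when `fsize` is falsy. `thunkPruning` also calls `graphity.remove_node` while iterating `graphity.nodes(data=True)`, which raises on NetworkX 2.x where that is a live view; collect the thunks first and remove them after the loop.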
@@ -0,0 +1,215 @@
+#!/usr/bin/env python
+
+
+funcDict = {
+    #
+    'THREAD_CREATE': ['CreateThread'],
+    'RTL_THREAD_CREATE': ['RtlCreateUserThread'],
+    'ZW_THREAD_CREATE': ['ZwCreateThread'],
+
+    'PROCESS_ENUM': ['CreateToolhelp32Snapshot', 'Process32First', 'Process32Next'],
+    'MODULE_ENUM': ['CreateToolhelp32Snapshot', 'Module32First', 'Module32Next'],
+    'PROCESS_ENUM_1': ['EnumProcesses'],
+    'MODULE_ENUM_1': ['EnumProcessModules'],
+
+    'WIN_EXEC': ['WinExec'],
+    'SHELL_EXEC': ['ShellExecute'],
+    'PROCESS_CREATE': ['CreateProcess'],
+    'PROCESS_CREATE_INTR': ['CreateProcessInternal'],
+    'PROCESS_CREATE_USER': ['CreateProcessAsUser'],
+    'PROCESS_CREATE_LOGON': ['CreateProcessWithLogon'],
+    'PROCESS_CREATE_1': ['system'],
+    'PROCESS_CREATE_2': ['ZwCreateProcess'],
+
+    'PROCESS_TERM': ['TerminateProcess'],
+    'PROCESS_SUSPEND_': ['ZwSuspendProcess'],
+    'PROCESS_TERM_1': ['ZwTerminateProcess'],
+
+    'REMOTE_THREAD_INJECTION': ['CreateThread', 'WriteProcessMemory','ResumeThread'],
+    'REMOTE_THREAD_1': ['CreateRemoteThread'],
+    'RETRO_INJECTION': ['GetCurrentProcess', 'CreatePipe', 'DuplicateHandle'],
+    'MEMORY_WRITE': ['WriteProcessMemory'],
+    'MEMORY_READ': ['ReadProcessMemory'],
+    'MEMORY_READ_1': ['Toolhelp32ReadProcessMemory'],
+    'MEMORY_READ_2': ['ZwReadVirtualMemory'],
+
+    'EXIT_SYSTEM': ['ExitWindows'],
+    'EXIT_SYSTEM_1': ['InitiateSystemShutdown'],
+
+    'ANTI-SANDBOX_1': ['GetForegroundWindow', 'Sleep'],
+    'ANTI-SANDBOX_2': ['GetCursorPos', 'Sleep'],
+    'ANTI-SANDBOX_3': ['GetLastInputInfo', 'Sleep'],
+    'ANTI-SANDBOX_4': ['GetTickCount', 'Sleep'],
+
+    'WINHOOK': ['SetWindowsHook'],
+
+    'TIME_ZONE': ['GetTimeZoneInformation'],
+    'USER': ['LogonUser'],
+    'USER_IMPERSONATE': ['ImpersonateLoggedOnUser'],
+
+    # Autostarts & infiltration
+    'REG_SETVAL': ['RegOpenKey', 'RegSetValue'],
+    'REG_QUERY': ['RegOpenKey', 'RegQueryValue'],
+
+    'CREATE_SERVICE': ['OpenSCManager', 'CreateService'], # 'OpenService', 'StartService'],
+    'CREATE_START_SERVICE': ['OpenSCManager',
'CreateService'],
+
+    #'RES_DROPPER_1': ['FindResource', 'LoadResource', 'CreateFile', 'WriteFile'],
+    'RES_DROPPER': ['FindResource', 'LoadResource'], # 'LockResource', 'SizeofResource'],
+    'LOAD_RES': ['LoadResource'],
+    'UPDATE_RESOURCE': ['BeginUpdateResource', 'UpdateResource', 'EndUpdateResource'],
+
+    # Dynamic API loading
+    'APILOADING': ['GetProcAddress'],
+    #'APILOADING2': ['GetModuleHandle', 'GetProcAddress'],
+
+    # File interaction
+    'WRITE_FILE': ['CreateFile', 'WriteFile'],
+    'FILE_WRITE_1': ['FlushFileBuffers'],
+    'FILE_WRITE_2': ['FlushViewOfFile'],
+    'FILE_WRITE_3': ['WriteFile'],
+    'FILE_WRITE_4': ['fflush'],
+    'FILE_WRITE_5': ['fprintf'],
+    'FILE_WRITE_6': ['fputs'],
+    'FILE_WRITE_7': ['fwrite'],
+    'FILE_WRITE_8': ['ZwWriteFile'],
+
+    'READ_FILE': ['CreateFile', 'ReadFile'],
+
+    'TEMP_FILE_WRITE': ['GetTempFileName', 'CreateFile', 'WriteFile'],
+    'FPRINT': ['fopen', 'fprintf'],
+
+    'FILE_COPY': ['CopyFile'],
+    'FILE_DELETE': ['DeleteFile'],
+    'FILE_DELETE_1': ['ZwDeleteFile'],
+    'FILE_MOVE': ['MoveFile'],
+    'FILE_MOVE_1': ['MoveFileEx'],
+
+    'DIR_DELETE': ['RemoveDirectory'],
+    'DIR_SYS': ['GetSystemDirectory'],
+    'DIR_SYSWIN': ['GetSystemWindowsDirectory'],
+    'DIR_WIN': ['GetWindowsDirectory'],
+
+    # Malware activity
+    'DRIVES_ITER_1': ['GetLogicalDriveStrings'],
+    'DRIVES_ITER_2': ['GetDriveType'],
+    'FILE_ITER': ['FindFirstFile', 'FindNextFile'],
+    'WINDOW': ['CreateWindow', 'RegisterClass', 'DispatchMessage'],
+
+    'SCREENSHOT': ['CreateCompatibleDC', 'GetDeviceCaps', 'CreateCompatibleBitmap', 'BitBlt'],
+
+    # encryption and compression
+    'CRYPT_ENCRYPT': ['CryptEncrypt'],
+    'CRYPT_DECRYPT': ['CryptDecrypt'],
+    'CRYPT_HASH': ['CryptCreateHash', 'CryptDestroyHash', 'CryptGetHashParam', 'CryptHashData', 'CryptSetHashParam', 'CheckSumMappedFile'],
+
+    'ENCODE': ['RtlEncodePointer'],
+    'DECODE': ['RtlDecodePointer'],
+    'COMPRESS': ['RtlCompressBuffer'],
+    'DECOMPRESS': ['RtlDecompressBuffer'],
+
+    'VOLUME_ENUM': ['FindFirstVolume',
'FindNextVolume'],
+
+    # Network activity
+    'WSASEND': ['gethostbyname', 'send'],
+    'LISTEN': ['listen'],
+    'RECV': ['recv'],
+    'WSARECV': ['WSARecv'],
+    'SEND': ['send'],
+    'WASSEND' : ['WSASend'],
+    'SEND_TO': ['sendto'],
+    'WSASEND_TO': ['WSASendTo'],
+    'RECV_FROM': ['recvfrom'],
+    'WSARECV_FROM': ['WSARecvFrom'],
+
+    'DOWNLOAD_FILE_CACHE': ['URLDownloadToCacheFile'],
+    'DOWNLOAD_FILE': ['URLDownloadToFile'],
+
+    'ICMP6_MGMT': ['Icmp6CreateFile', 'Icmp6SendEcho2'],
+    'ICMP_MGMT': ['IcmpCreateFile', 'IcmpSendEcho'],
+    'ICMP_MGMT_1': ['IcmpCreateFile', 'IcmpSendEcho2'],
+
+    'DOWNLOADER': ['URLDownloadToCacheFile'],
+    'DOWNLOADER_1': ['URLDownloadToFile', 'WinExec'],
+    'DOWNLOADER_2': ['URLDownloadToFile', 'ShellExecute'],
+    'DOWNLOADER_3': ['URLDownloadToFile', 'CreateProcess'],
+
+    'INET_DOWNLOAD': ['InternetOpen', 'InternetReadFile'],
+    'INET_UPLOAD': ['InternetOpen', 'InternetWriteFile'],
+
+    'FTP_GET': ['FtpOpenFile', 'FtpGetFile'],
+    'FTP_PUT': ['FtpOpenFile', 'FtpPutFile'],
+
+    'CACHE_ENUM': ['FindFirstUrlCacheEntry', 'FindNextUrlCacheEntry'],
+    'CACHE_INFO': ['GetUrlCacheEntryInfo'],
+
+    'NET_USER_ADD': ['NetUserAdd'],
+    'NET_USER_ENUM': ['NetUserEnum'],
+    'NET_SHARE': ['NetShareEnum', 'NetShareAdd'],
+    'WNET_SHARE': ['WNetAddConnection2'],
+
+    # Host information
+    'HOST_INFO_1': ['gethostbyname'],
+    'HOST_INFO_2': ['gethostname'],
+    'HOST_INFO_3': ['getnameinfo'],
+    'HOST_INFO_4': ['GetNameInfo'],
+    'DISK_INFO_1': ['GetDriveType'],
+    'DISK_INFO_2': ['GetDiskFreeSpace'],
+    'DISK_INFO_3': ['GetLogicalDrives'],
+    'DISK_INFO_4': ['GetLogicalDriveStrings'],
+    'DISK_INFO_5': ['ZwQueryDirectoryFile'],
+    'DISK_INFO_6': ['DriveSpace'],
+    'DESKTOP_ENUM': [ 'OpenWindowStation', 'EnumDesktops', 'EnumWindowStations', 'EnumDesktopWindows'],
+    'OS_INFO_1': ['GetVersion'],
+    'OS_INFO_2': ['GetVersionEx'],
+    'OS_INFO_3': ['RtlGetVersion'],
+    'SYSTEM_INFO': ['GetSystemInfo'],
+    'SYSTEM_INFO_1': ['ZwQuerySystemInformation'],
+    'SYSTEM_INFO_2': ['SystemParametersInfo'],
+
'SYSTEM_INFO_LOCALE': ['GetLocaleInfo'],
+
+    # misc
+    'DRIVER_CTRL': ['DeviceIoControl'],
+    'DRIVER_CTRL_1': ['ZwDeviceIoControlFile'],
+    'SERVICE_HANDLER': ['RegisterServiceCtrlHandler'],
+
+    'COM_OBJECT': ['CoCreateInstance', 'CoGetClassObject'],
+    'COM_OBJECT_1': ['CoInitialize'],
+    'LDAP': ['ldap_first_attribute'],
+    'LDAP_1': ['ldap_first_entry'],
+    'RANDOM_GEN_1': ['rand'],
+    'RANDOM_GEN_2': ['srand'],
+    'RANDOM_GEN_3': ['RtlRandom'],
+    'SLEEP_1': ['Sleep'],
+    'SLEEP_2': ['ZwDelayExecution'],
+
+    # multimedia
+    'AUDIO_IN': ['waveInOpen', 'waveInStart'],
+    'AUDIO_OUT': ['waveOutOpen', 'waveOutWrite'],
+
+    # keyboard
+    'KEYBOARD_INFO': ['GetKeyboardLayout'],
+    'KEYBOARD_INPUT_1': ['BlockInput'],
+    'KEYBOARD_INPUT_2': ['GetAsyncKeyState'],
+    'KEYBOARD_INPUT_3': ['GetKeyState'],
+    'KEYBOARD_INPUT_4': ['GetRawInputData'],
+    'KEYBOARD_INPUT_5': ['RegisterRawInputDevices'],
+    'KEYBOARD_INPUT_6': ['SendInput'],
+    'KEYBOARD_INPUT_7': ['VkKeyScan'],
+    'MOUSE': ['TrackMouseEvent'],
+    'MOUSE_1': ['_TrackMouseEvent'],
+
+    # printer
+    'PRINTER': ['EnumPrinters', 'OpenPrinter', 'GetDefaultPrinter'],
+
+}
+
+# TODO extend on those, and add more:
+# spawn a process
+# move file, delete, create dir -
+# regenumkey
+# createmutex
+# fopen, fread, fwrite
+# clipboard
+# screen capture etc.
+
diff --git a/utils/graphity/graphityOps.py b/utils/graphity/graphityOps.py
new file mode 100644
index 0000000..4cab2f5
--- /dev/null
+++ b/utils/graphity/graphityOps.py
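Review bot: Several entries in `funcDict` are exact duplicates and will report the same behaviour twice for one hit: `CREATE_START_SERVICE` carries the same list as `CREATE_SERVICE` (the `StartService` part is commented out), `DOWNLOADER` repeats `DOWNLOAD_FILE_CACHE`, and `DISK_INFO_1`/`DISK_INFO_4` repeat `DRIVES_ITER_2`/`DRIVES_ITER_1`. Either drop the duplicates or give `CREATE_START_SERVICE` the list its name promises, `'CREATE_START_SERVICE': ['OpenSCManager', 'CreateService', 'StartService'],`. The key `'WASSEND'` reads like a typo for `WSASEND`, but that name is already taken by `'WSASEND': ['gethostbyname', 'send']`, so the intended naming needs a decision rather than a plain rename. Since the scanner in graphityOps matches these names by substring (`if anchorpat in api`), prefix entries such as `GetVersion`, `MoveFile` and `IcmpSendEcho` also fire on `GetVersionEx`, `MoveFileEx` and `IcmpSendEcho2`, so the `_1`/`_2` variants double-count; a one-line comment above the dict stating that matching is by substring would help future additions avoid this.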
@@ -0,0 +1,148 @@
+import copy
+import os
+
+import networkx as nx
+
+
+### SCANNING ###
+
+# searching nodes and nearby nodes a pattern defined by graphityFunc.py
+def patternScan(graphity, pattern):
+
+    # search is performed by defining "anchor" node, where initial pattern is found
+    # search then moved from there 1 level up to search surrounding nodes (number of levels could be increased)
+    # pattern lists for now are kept rather small
+    # TODO determine distance between found patterns to see which functionalities lie close to each other
+    patternNum = len(pattern)
+    anchorList = []
+
+    allCalls = nx.get_node_attributes(graphity, 'calls')
+    #print("AllCalls")
+    #print(allCalls)
+    for function in allCalls:
+        #print("check:" + function)
+        # TODO make this prettier!
+        for call in allCalls[function]:
+            api = call[1]
+            anchorpat = pattern[0]
+            # print(anchorpat, call[1])
+            if anchorpat in api:
+                #print("anchor: " + anchorpat)
+                if not list(filter(lambda daAnchor: daAnchor['address'] == function, anchorList)):
+                    # maintain a dict of patterns per anchor to keep track of found patterns
+                    patternCheck = {}
+                    for item in pattern:
+                        patternCheck[item] = False
+                    patternCheck[anchorpat] = function
+                    #print(patternCheck)
+                    anchorList.append({'address':function, 'patterns':patternCheck})
+    # anchor nodes found and more than one pattern searched for
+    if patternNum > 1 and len(anchorList) > 0:
+        for anchor in anchorList:
+
+            functionalityScanForApi(graphity, anchor, anchor['address'], patternNum)
+            if False in anchor['patterns'].values():
+
+                anchorNeighbors = nx.all_neighbors(graphity, anchor['address'])
+                for neighbor in anchorNeighbors:
+                    functionalityScanForApi(graphity, anchor, neighbor, patternNum)
+
+    return anchorList
+
+
+# Search for a specific pattern within a node, orient by anchor pattern
+def functionalityScanForApi(graphity, anchor, seNode, patternNum):
+
+    for patt in anchor['patterns']:
+
+        # anchor has a dict that saves which patterns were found already
+        for 
call in graphity.node[seNode]['calls']:
+            api = call[1]
+
+            # found a pattern in an api call, that hasnt been found before
+            if patt in api and anchor['patterns'][patt] == False:
+                anchor['patterns'][patt] = seNode
+
+        if not False in anchor['patterns'].values():
+            # all patterns found - done
+            break
+
+# Graph plotting with pydotplus from within NetworkX, format is dot
+def graphvizPlot(graphity, allAtts, function_list, out_dir):
+    graphity_new = copy.deepcopy(graphity)
+    for aNode in graphity_new.nodes(data=True):
+        if aNode[0] not in function_list:
+            graphity_new.remove_node(aNode[0])
+    pydotMe = nx.drawing.nx_pydot.to_pydot(graphity_new)
+
+    for node in pydotMe.get_nodes():
+        #continue
+        # get node address to be able to fetch node directly from graphity to preserve data types of attributes
+        nodeaddr = node.to_string().split()[0].replace('\"', '')
+        finalString = ''
+
+        if str(nodeaddr) not in function_list:
+            print("Still Inside")
+            continue
+        # print("Entered:"+str(nodeaddr))
+        if node.get('calls') != '[]' or node.get('strings') != '[]':
+
+            finalList = []
+
+            # fetching string and call lists directly from graphity
+            callList = graphity.node[nodeaddr]['calls']
+            stringList = graphity.node[nodeaddr]['strings']
+
+            for item in callList:
+                finalList.append(str(item[0]) + ": [C] " + str(item[1]))
+            for otem in stringList:
+                finalList.append(str(otem[0]) + ": [S] " + str(otem[1]))
+
+            finalList.sort()
+            finalString = '\n'.join(finalList)
+            name = ""
+            if str(nodeaddr) in function_list:
+                name = str(function_list[str(nodeaddr)])
+            if node.get('functiontype') == 'Export':
+                label = "Export " + nodeaddr + node.get('alias')
+                label = name+ '\n' + label + "\n" + finalString
+                node.set_fillcolor('yellow')
+                node.set_style('filled,setlinewidth(3.0)')
+                node.set_label(label)
+
+            elif node.get('functiontype') == 'Callback':
+                label = name+ '\n'+ "Callback " + nodeaddr + "\n" + finalString
+                node.set_fillcolor('skyblue')
+                node.set_style('filled,setlinewidth(3.0)')
+
node.set_label(label)
+
+            elif node.get('functiontype').startswith('Indirect'):
+                label = name + '\n'+ "IndirectRef " + nodeaddr + "\n" + finalString
+                node.set_fillcolor('red')
+                node.set_style('filled,setlinewidth(3.0)')
+                node.set_label(label)
+
+            elif finalString != '':
+                finalString = name+ '\n'+ nodeaddr + "\n" + finalString
+                node.set_fillcolor('orange')
+                node.set_style('filled,setlinewidth(3.0)')
+                node.set_label(finalString)
+
+
+    #print(finalString)
+    graphinfo = "SAMPLE " + allAtts['filename'] + "\nType: " + allAtts['filetype'] + \
+                "\nSize: " + str(allAtts['filesize']) + "\nMD5: " + allAtts['md5'] + "\nImphash:\t\t" +\
+                allAtts['imphash'] + "\nCompilation time:\t" + allAtts['compilationts'] + "\nEntrypoint section:\t" + \
+                allAtts['sectionep']
+
+
+    graphname = allAtts['filename'] + ".png"
+    print(graphname)
+    try:
+        # TODO pydotplus throws an error sometimes (Error: /tmp/tmp6XgKth: syntax error in line 92 near '[') look into pdp code to see why
+        out_filename = os.path.join(os.path.abspath(out_dir), graphname)
+        print(out_filename)
+        pydotMe.write_png(out_filename)
+    except Exception as e:
+        print("ERROR drawing graph")
+        print(str(e))
\ No newline at end of file
diff --git a/utils/graphity/graphityUtils.py b/utils/graphity/graphityUtils.py
new file mode 100644
index 0000000..701b8d7
--- /dev/null
+++ b/utils/graphity/graphityUtils.py
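Review bot: `graphvizPlot` removes nodes from `graphity_new` while iterating `graphity_new.nodes(data=True)`; on NetworkX 2.x that view is backed by the live node dict, so the loop raises `RuntimeError: dictionary changed size during iteration` and no plot is written. Collect first and remove afterwards: `graphity_new.remove_nodes_from([n for n in graphity_new.nodes() if n not in function_list])`. The output path is `os.path.join(os.path.abspath(out_dir), allAtts['filename'] + ".png")`; if `allAtts['filename']` can be the sample's original upload name rather than a basename (its origin is not in this hunk), separators or `..` components in it would place the PNG outside `out_dir`, so wrapping it in `os.path.basename` here is a cheap guard. `graphinfo` is assembled but never used, and the `except Exception` around `write_png` only prints, so the caller in graphity.py cannot tell that no image was produced; returning `out_filename` on success and `None` on failure would make the report generation able to react.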
@@ -0,0 +1,280 @@
+import math
+import time
+import pefile
+import struct
+from io import open
+from hashlib import sha1, md5
+from collections import Counter
+from os.path import basename, getsize
+
+
+
+# receives a string, containing a symbol a la radare2
+# returns the sole API name
+
+def gimmeDatApiName(wholeString):
+ separators = ['.dll_', '.sys_', '.exe_', '.sym_']
+
+ for sep in separators:
+
+ if sep in wholeString:
+ apiName = wholeString.split(sep)[1].replace(']', '')
+ return apiName
+
+ elif sep.upper() in wholeString:
+ apiName = wholeString.split(sep.upper())[1].replace(']', '')
+ return apiName
+
+ return wholeString
+
+
+# checks whether a string is pure ascii
+
+def is_ascii(myString):
+ try:
+ myString.decode('ascii')
+ return True
+ except UnicodeDecodeError:
+ return False
+
+
+
+
+
+def stringCharVariance(seString):
+ charFrequs = Counter(seString)
+ total = 0
+ for letter in charFrequs:
+ if charFrequs[letter] < 4:
+ total += (charFrequs[letter] - 1)
+ elif charFrequs[letter] < 5:
+ total += (charFrequs[letter] - 0.75)
+ elif charFrequs[letter] < 6:
+ total += (charFrequs[letter] - 0.5)
+ elif charFrequs[letter] < 7:
+ total += (charFrequs[letter] - 0.25)
+ else:
+ total += charFrequs[letter]
+
+ # print (seString, total)
+
+ return total / float(len(seString) * 2)
+
+
+# Check for PE header, return false if not a PE
+def check_pe_header(filepath):
+ try:
+ with open(filepath, 'rb') as fp:
+ if (fp.read(2) == b'MZ'):
+ fp.read(58)
+ peoff = struct.unpack('i', fp.read(4))
+ advance = peoff[0] - 64
+ fp.read(advance)
+ if (fp.read(2) == b'PE'):
+ return True
+ return False
+
+ except(Exception) as e:
+ print("LOG - PE Parsing Error, sure this is a PE file?")
+ return False
+ return False
+
+
+# SAMPLE ATTRIBUTE GETTERS
+
+# MD5
+# filename
+# filetype
+# ssdeep
+# imphash
+# size
+# compilationTS
+# address of EP
+# EP section
+# number of section
+# original filename
+# number TLS sections
+
+def sha1hash(path):
+ with open(path, 'rb') as f:
+ return sha1(f.read()).hexdigest()
+
+
+def md5hash(path):
+ with open(path, 'rb') as f:
+ return md5(f.read()).hexdigest()
+
+
+def getFilename(path):
+ return basename(path)
+
+
+def getFiletype(path):
+ return ""
+
+
+# return magic.from_file(path)
+
+def getFilesize(path):
+ return getsize(path)
+
+
+def getPeSubsystem(path):
+ pass
+
+
+def getSsdeep(path):
+ return "" # pydeep.hash_file(path)
+
+
+def getImphash(pe):
+ return pe.get_imphash()
+
+
+def getCompilationTS(pe):
+ return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(pe.FILE_HEADER.TimeDateStamp))
+
+
+def getEPAddress(pe):
+ return pe.OPTIONAL_HEADER.AddressOfEntryPoint
+
+
+def getSectionCount(pe):
+ return pe.FILE_HEADER.NumberOfSections
+
+
+def getOriginalFilename(pe):
+ oriFilename = ""
+ if hasattr(pe, 'VS_VERSIONINFO'):
+ if hasattr(pe, 'FileInfo'):
+ for entry in pe.FileInfo:
+ if hasattr(entry, 'StringTable'):
+ for st_entry in entry.StringTable:
+ ofn = st_entry.entries.get(b'OriginalFilename')
+ if ofn:
+ if isinstance(ofn, bytes):
+ oriFilename = ofn.decode()
+ else:
+ oriFilename = ofn
+ return oriFilename
+
+
+def getEPSection(pe):
+ name = ''
+ if hasattr(pe, 'OPTIONAL_HEADER'):
+ ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
+ else:
+ return False
+ pos = 0
+ for sec in pe.sections:
+ if (ep >= sec.VirtualAddress) and (ep < (sec.VirtualAddress + sec.Misc_VirtualSize)):
+ name = sec.Name.replace(b'\x00', b'')
+ break
+ else:
+ pos += 1
+ if name:
+ return (name.decode('utf-8', 'ignore') + "|" + pos.__str__())
+ return ''
+
+
+def getTLSSectionCount(pe):
+ idx = 0
+ if (hasattr(pe, 'DIRECTORY_ENTRY_TLS') and pe.DIRECTORY_ENTRY_TLS and pe.DIRECTORY_ENTRY_TLS.struct
+ and pe.DIRECTORY_ENTRY_TLS.struct.AddressOfCallBacks):
+ callback_array_rva = pe.DIRECTORY_ENTRY_TLS.struct.AddressOfCallBacks - pe.OPTIONAL_HEADER.ImageBase
+
+ while True:
+ func = pe.get_dword_from_data(pe.get_data(callback_array_rva + 4 * idx, 4), 0)
+ if func == 0:
+ break
+ idx += 1
+ return idx
+
+
+# Returns Entropy value for given data chunk
+def Hvalue(data):
+ if not data:
+ return 0.0
+
+ occurences = Counter(bytearray(data))
+
+ entropy = 0
+ for x in occurences.values():
+ p_x = float(x) / len(data)
+ if p_x > 0:
+ entropy += - p_x * math.log(p_x, 2)
+
+ return entropy
+
+
+def getCodeSectionSize(pe):
+ for section in pe.sections:
+ print(section)
+
+
+def getSectionInfo(pe):
+ # Section info: names, sizes, entropy vals
+ sects = []
+ vadd = []
+ ent = []
+ secnumber = getSectionCount(pe)
+
+ for i in range(12):
+
+ if (i + 1 > secnumber):
+ strip = ""
+ strap = ""
+ entropy = ""
+
+ else:
+ stuff = pe.sections[i]
+ strip = stuff.Name.replace(b'\x00', b'')
+ strap = stuff.SizeOfRawData
+
+ entropy = Hvalue(stuff.get_data())
+
+ section_name = ""
+ try:
+ if strip != "":
+ section_name = strip.decode()
+ except:
+ section_name = "PARSINGERR"
+
+ sects.append(section_name)
+ ent.append(entropy)
+ vadd.append(strap)
+
+ secinfo = sects + vadd + ent
+ return secinfo
+
+
+# ATTRIBUTES: md5, sha1, filename, filetype, ssdeep, filesize, imphash, compilationts, addressep, sectionep,
+# sectioncount, sectioninfo, tlssections, originalfilename
+
+def getAllAttributes(path):
+ allAtts = {'md5': md5hash(path), 'sha1': sha1hash(path), 'filename': getFilename(path),
+ 'filetype': getFiletype(path), 'ssdeep': getSsdeep(path), 'filesize': getFilesize(path)}
+
+ try:
+ pe = pefile.PE(path)
+ if (pe.DOS_HEADER.e_magic == int(0x5a4d) and pe.NT_HEADERS.Signature == int(0x4550)):
+ allAtts['imphash'] = getImphash(pe)
+ allAtts['compilationts'] = getCompilationTS(pe)
+ allAtts['addressep'] = getEPAddress(pe)
+ allAtts['sectionep'] = getEPSection(pe)
+ allAtts['sectioncount'] = getSectionCount(pe)
+ allAtts['sectioninfo'] = getSectionInfo(pe)
+ allAtts['tlssections'] = getTLSSectionCount(pe)
+ allAtts['originalfilename'] = getOriginalFilename(pe)
+
+ except (pefile.PEFormatError):
+ allAtts['imphash'] = ''
+ allAtts['compilationts'] = ''
+ allAtts['addressep'] = ''
+ allAtts['sectionep'] = ''
+ allAtts['sectioncount'] = ''
+ allAtts['sectioninfo'] = ''
+ allAtts['tlssections'] = ''
+ allAtts['originalfilename'] = ''
+
+ return allAtts
diff --git a/utils/hachi.db b/utils/hachi.db
new file mode 100644
index 0000000..4724f37
Binary files /dev/null and b/utils/hachi.db differ
diff --git a/utils/mitre.json b/utils/mitre.json
new file mode 100644
index 0000000..6f7863d
--- /dev/null
+++ b/utils/mitre.json
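Review bot: `getSectionInfo` indexes `pe.sections[i]` for every `i` below `NumberOfSections` as read from the file header, but pefile may parse fewer section entries than the header claims for a truncated or deliberately malformed sample, in which case the lookup raises IndexError, and since `getAllAttributes` catches only `pefile.PEFormatError` the exception escapes to whatever drives the attribute extraction. Bounding the count by what pefile actually parsed, `secnumber = min(getSectionCount(pe), len(pe.sections))`, closes that path, and the `except (pefile.PEFormatError):` clause should presumably also cover the `AttributeError`/`IndexError` the header-walking getters can raise, e.g. `except (pefile.PEFormatError, AttributeError, IndexError):`. In `check_pe_header`, `struct.unpack('i', fp.read(4))` reads e_lfanew as a native-order signed int, but the field is an unsigned little-endian DWORD, so `'<I'` is the right format and also rules out a negative `advance`, which currently makes `fp.read(advance)` read to EOF. The bare `except:` around `strip.decode()` should name `UnicodeDecodeError`, since substituting `"PARSINGERR"` for any other exception hides real bugs in a tool that processes untrusted files.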
@@ -0,0 +1,1325 @@ +{ + "Initial Access": { + "T1189": { + "name": "Drive-by Compromise", + "description": "A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation." + }, + + "T1190": { + "name": "Exploit Public-Facing Application", + "description": "The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL) , standard services (like SMB or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited this may include Exploitation for Defense Evasion." + }, + + "T1133": { + "name": "External Remote Services", + "description": "Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally." + }, + + "T1200": { + "name": "Hardware Additions", + "description": "Computer accessories, computers, or networking hardware may be introduced into a system as a vector to gain execution. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping , man-in-the middle encryption breaking , keystroke injection , kernel memory reading via DMA , adding new wireless access to an existing network , and others." 
+ }, + + "T1091": { + "name": "Replication Through Removable Media", + "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself." + }, + + "T1193": { + "name": "Spearphishing Attachment", + "description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution." + }, + + "T1192": { + "name": "Spearphishing Link", + "description": "Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments." + }, + + "T1194": { + "name": "Spearphishing via Service", + "description": "Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels." 
+ }, + + "T1195": { + "name": "Supply Chain Compromise", + "description": "Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise." + }, + + "T1199": { + "name": "Trusted Relationship", + "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network." + }, + + "T1078": { + "name": "Valid Accounts", + "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access." + } + }, + "Execution": { + "T1155": { + "name": "AppleScript", + "description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program." + }, + + "T1191": { + "name": "CMSTP", + "description": "The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections." + }, + + "T1059": { + "name": "Command-Line Interface", + "description": "Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. 
One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task)." + }, + + "T1223": { + "name": "Compiled HTML File", + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe)." + }, + + "T1196": { + "name": "Control Panel Items", + "description": "Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file." + }, + + "T1173": { + "name": "Dynamic Data Exchange", + "description": "Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution." 
+ }, + + "T1106": { + "name": "Execution through API", + "description": "Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters." + }, + + "T1129": { + "name": "Execution through Module Load", + "description": "The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API." + }, + + "T1203": { + "name": "Exploitation for Client Execution", + "description": "Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility." + }, + + "T1061": { + "name": "Graphical User Interface", + "description": "The Graphical User Interfaces (GUI) is a common way to interact with an operating system. Adversaries may use a system's GUI during an operation, commonly through a remote interactive session such as Remote Desktop Protocol, instead of through a Command-Line Interface, to search for information and execute files via mouse double-click events, the Windows Run command , or other potentially difficult to monitor interactions." 
+ }, + + "T1118": { + "name": "InstallUtil", + "description": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe. InstallUtil.exe is digitally signed by Microsoft." + }, + + "T1152": { + "name": "Launchctl", + "description": "Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made . Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute \"arg\" \"arg\" \"arg\". Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges." + }, + + "T1168": { + "name": "Local Job Scheduling", + "description": "On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, at, and launchd. Unlike Scheduled Task on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH)." + }, + + "T1177": { + "name": "LSASS Driver", + "description": "The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. 
The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process." + }, + + "T1170": { + "name": "Mshta", + "description": "Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser." + }, + + "T1086": { + "name": "PowerShell", + "description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer." + }, + + "T1121": { + "name": "Regsvcs/Regasm", + "description": "Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft." + }, + + "T1117": { + "name": "Regsvr32", + "description": "Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries." + }, + + "T1085": { + "name": "Rundll32", + "description": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations." 
+ }, + + "T1053": { + "name": "Scheduled Task", + "description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system." + }, + + "T1064": { + "name": "Scripting", + "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts." + }, + + "T1035": { + "name": "Service Execution", + "description": "Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation." + }, + + "T1218": { + "name": "Signed Binary Proxy Execution", + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. 
This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques." + }, + + "T1216": { + "name": "Signed Script Proxy Execution", + "description": "Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts." + }, + + "T1153": { + "name": "Source", + "description": "The source command loads functions into the current shell or executes files in the current context. This built-in command can be run in two different ways source /path/to/filename [arguments] or . /path/to/filename [arguments]. Take note of the space after the \".\". Without a space, a new shell is created that runs the program instead of running the program within the current context. This is often used to make certain features or functions available to a shell or to update a specific shell's environment." + }, + + "T1151": { + "name": "Space after Filename", + "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). 
However, if the file is renamed to \"evil.txt \" (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed ." + }, + + "T1072": { + "name": "Third-party Software", + "description": "Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). If an adversary gains access to these systems, then they may be able to execute code." + }, + + "T1154": { + "name": "Trap", + "description": "The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received." + }, + + "T1127": { + "name": "Trusted Developer Utilities", + "description": "There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions." + }, + + "T1204": { + "name": "User Execution", + "description": "An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. 
It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it." + }, + + "T1047": { + "name": "Windows Management Instrumentation", + "description": "Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135." + }, + + "T1028": { + "name": "Windows Remote Management", + "description": "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell." + }, + + "T1220": { + "name": "XSL Script Processing", + "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages." + } + }, + "Persistence": { + "T1156": { + "name": ".bash_profile and .bashrc", + "description": "~/.bash_profile and ~/.bashrc are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. 
This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), ~/.bash_profile is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, ~/.bashrc is executed. This allows users more fine grained control over when they want certain commands executed." + }, + "T1015": { + "name": "Accessibility Features", + "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system." + }, + "T1098": { + "name": "Account Manipulation", + "description": "Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to subvert password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain." + }, + "T1182": { + "name": "AppCert DLLs", + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec." 
+ }, + "T1103": { + "name": "AppInit DLLs", + "description": "Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. Similar to Process Injection, these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer." + }, + "T1138": { + "name": "Application Shimming", + "description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses Hooking to redirect the code as necessary in order to communicate with the OS." + }, + "T1131": { + "name": "Authentication Package", + "description": "Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system." 
+ }, + "T1197": { + "name": "BITS Jobs", + "description": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations." + }, + "T1067": { + "name": "Bootkit", + "description": "A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR)." + }, + "T1176": { + "name": "Browser Extensions", + "description": "Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access." + }, + "T1042": { + "name": "Change Default File Association", + "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened." + }, + "T1109": { + "name": "Component Firmware", + "description": "Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. 
This technique may be similar to System Firmware but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks." + }, + "T1122": { + "name": "Component Object Model Hijacking", + "description": "The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection." + }, + "T1136": { + "name": "Create Account", + "description": "Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system." + }, + "T1038": { + "name": "DLL Search Order Hijacking", + "description": "Windows systems use a common method to look for required DLLs to load into a program. Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence." 
+ }, + "T1157": { + "name": "Dylib Hijacking", + "description": "macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence." + }, + "T1133": { + "name": "External Remote Services", + "description": "Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally." + }, + "T1044": { + "name": "File System Permissions Weakness", + "description": "Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM." + }, + "T1158": { + "name": "Hidden Files and Directories", + "description": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS)." 
+ }, + "T1179": { + "name": "Hooking", + "description": "Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions." + }, + "T1062": { + "name": "Hypervisor", + "description": "A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system. A malicious hypervisor of this nature could be used to persist on systems through interruption." + }, + "T1183": { + "name": "Image File Execution Options Injection", + "description": "Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\\dbg\\ntsd.exe -g notepad.exe”)." + }, + "T1215": { + "name": "Kernel Modules and Extensions", + "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode Rootkit that run with the highest operating system privilege (Ring 0). Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects." 
+ }, + "T1159": { + "name": "Launch Agent", + "description": "Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents . These launch agents have property list files which point to the executables that will be launched ." + }, + "T1160": { + "name": "Launch Daemon", + "description": "Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons . These LaunchDaemons have property list files which point to the executables that will be launched ." + }, + "T1152": { + "name": "Launchctl", + "description": "Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made . Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute arg arg arg. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges." + }, + "T1161": { + "name": "LC_LOAD_DYLIB Addition", + "description": "Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. 
These can be added ad-hoc to the compiled binary as long adjustments are made to the rest of the fields and dependencies . There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time ." + }, + "T1168": { + "name": "Local Job Scheduling", + "description": "On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, at, and launchd. Unlike Scheduled Task on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH)." + }, + "T1162": { + "name": "Login Item", + "description": "MacOS provides the option to list specific applications to run when a user logs in. These applications run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them . Users have direct control over login items installed using a shared file list which are also visible in System Preferences . These login items are stored in the user's ~/Library/Preferences/ directory in a plist file called com.apple.loginitems.plist . Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to ‘Hide’ the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in . The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like AppleScript can do this as well ." 
+ }, + "T1037": { + "name": "Logon Scripts", + "description": "Windows allows logon scripts to be run whenever a specific user or group of users log into a system. The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server." + }, + "T1177": { + "name": "LSASS Driver", + "description": "The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process." + }, + "T1031": { + "name": "Modify Existing Service", + "description": "Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg." + }, + "T1128": { + "name": "Netsh Helper DLL", + "description": "Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh." + }, + "T1050": { + "name": "New Service", + "description": "When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry." 
+ }, + "T1137": { + "name": "Office Application Startup", + "description": "Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started." + }, + "T1034": { + "name": "Path Interception", + "description": "Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of cmd in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function." + }, + "T1150": { + "name": "Plist Modification", + "description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges)." + }, + "T1205": { + "name": "Port Knocking", + "description": "Port Knocking is a well-established method used by both defenders and adversaries to hide open ports from access. To enable a port, an adversary sends a series of packets with certain characteristics before the port will be opened. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports, but can involve unusual flags, specific strings or other unique characteristics. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software." 
+ }, + "T1013": { + "name": "Port Monitors", + "description": "A port monitor can be set through the API call to set a DLL to be loaded at startup. This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors." + }, + "T1163": { + "name": "Rc.common", + "description": "During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts . In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used." + }, + "T1164": { + "name": "Re-opened Applications", + "description": "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist." + }, + "T1108": { + "name": "Redundant Access", + "description": "Adversaries may use more than one remote access tool with varying command and control protocols as a hedge against detection. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. 
Adversaries may also attempt to gain access to Valid Accounts to use External Remote Services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network." + }, + "T1060": { + "name": "Registry Run Keys / Startup Folder", + "description": "Adding an entry to the \"run keys \" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level." + }, + "T1053": { + "name": "Scheduled Task", + "description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system." + }, + "T1180": { + "name": "Screensaver", + "description": "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations." + }, + "T1101": { + "name": "Security Support Provider", + "description": "Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. 
The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called." + }, + "T1058": { + "name": "Service Registry Permissions Weakness", + "description": "Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through Access Control Lists and permissions." + }, + "T1166": { + "name": "Setuid and Setgid", + "description": "When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively . Normally an application is run in the current user’s context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x \" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]." 
+ }, + "T1023": { + "name": "Shortcut Modification", + "description": "Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program." + }, + "T1198": { + "name": "SIP and Trust Provider Hijacking", + "description": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature." + }, + "T1165": { + "name": "Startup Items", + "description": "Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items . This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory." 
+ }, + "T1019": { + "name": "System Firmware", + "description": "The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer." + }, + "T1501": { + "name": "Systemd Service", + "description": "Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems." + }, + "T1209": { + "name": "Time Providers", + "description": "The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients." + }, + "T1154": { + "name": "Trap", + "description": "The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received." 
+ }, + "T1078": { + "name": "Valid Accounts", + "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access." + }, + "T1100": { + "name": "Web Shell", + "description": "A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client)." + }, + "T1084": { + "name": "Windows Management Instrumentation Event Subscription", + "description": "Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts. Examples of events that may be subscribed to are the wall clock time or the computer's uptime. Several threat groups have reportedly used this technique to maintain persistence." + }, + "T1004": { + "name": "Winlogon Helper DLL", + "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon." 
+ } + }, + "Privilege Escalation": { + "T1134": { + "name": "Access Token Manipulation", + "description": "Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas." + }, + "T1015": { + "name": "Accessibility Features", + "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system." + }, + "T1182": { + "name": "AppCert DLLs", + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec." + }, + "T1103": { + "name": "AppInit DLLs", + "description": "Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. 
Similar to Process Injection, these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer." + }, + "T1138": { + "name": "Application Shimming", + "description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses Hooking to redirect the code as necessary in order to communicate with the OS." + }, + "T1088": { + "name": "Bypass User Account Control", + "description": "Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action." + }, + "T1038": { + "name": "DLL Search Order Hijacking", + "description": "Windows systems use a common method to look for required DLLs to load into a program. Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence." 
+ }, + "T1157": { + "name": "Dylib Hijacking", + "description": "macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence." + }, + "T1068": { + "name": "Exploitation for Privilege Escalation", + "description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform Privilege Escalation to include use of software exploitation to circumvent those restrictions." + }, + "T1181": { + "name": "Extra Window Memory Injection", + "description": "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value." + }, + "T1044": { + "name": "File System Permissions Weakness", + "description": "Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. 
If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM." + }, + "T1179": { + "name": "Hooking", + "description": "Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions." + }, + "T1183": { + "name": "Image File Execution Options Injection", + "description": "Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\\dbg\\ntsd.exe -g notepad.exe”)." + }, + "T1160": { + "name": "Launch Daemon", + "description": "Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons . These LaunchDaemons have property list files which point to the executables that will be launched ." + }, + "T1050": { + "name": "New Service", + "description": "When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry." + }, + "T1034": { + "name": "Path Interception", + "description": "Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. 
One example of this was the use of a copy of cmd in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function." + }, + "T1150": { + "name": "Plist Modification", + "description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges)." + }, + "T1013": { + "name": "Port Monitors", + "description": "A port monitor can be set through the API call to set a DLL to be loaded at startup. This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors." + }, + "T1055": { + "name": "Process Injection", + "description": "Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process." + }, + "T1053": { + "name": "Scheduled Task", + "description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. 
A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system." + }, + "T1058": { + "name": "Service Registry Permissions Weakness", + "description": "Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through Access Control Lists and permissions." + }, + "T1166": { + "name": "Setuid and Setgid", + "description": "When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively . Normally an application is run in the current user’s context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 \\[file\\] or via shorthand naming, chmod u+s \\[file\\]." + }, + "T1178": { + "name": "SID-History Injection", + "description": "The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. 
An account can hold additional SIDs in the SID-History Active Directory attribute , allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens)." + }, + "T1165": { + "name": "Startup Items", + "description": "Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items . This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory." + }, + "T1169": { + "name": "Sudo", + "description": "The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the idea of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL ." 
+ }, + "T1206": { + "name": "Sudo Caching", + "description": "The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\" Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout that is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again)." + }, + "T1078": { + "name": "Valid Accounts", + "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access." + }, + "T1100": { + "name": "Web Shell", + "description": "A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client)." + } + }, + "Defense Evasion": { + "T1134": { + "name": "Access Token Manipulation", + "description": "Windows uses access tokens to determine the ownership of a running process. 
A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas." + }, + "T1009": { + "name": "Binary Padding", + "description": "Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists." + }, + "T1197": { + "name": "BITS Jobs", + "description": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations." + }, + "T1088": { + "name": "Bypass User Account Control", + "description": "Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action." 
+ }, + "T1146": { + "name": "Clear Command History", + "description": "macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as unset HISTFILE, export HISTFILESIZE=0, history -c, rm ~/.bash_history." + }, + "T1191": { + "name": "CMSTP", + "description": "The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections." + }, + "T1116": { + "name": "Code Signing", + "description": "Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binaries . The certificates used during an operation may be created, forged, or stolen by the adversary." + }, + "T1500": { + "name": "Compile After Delivery", + "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. 
Similar to Obfuscated Files or Information, text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW." + }, + "T1223": { + "name": "Compiled HTML File", + "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe)." + }, + "T1109": { + "name": "Component Firmware", + "description": "Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks." + }, + "T1122": { + "name": "Component Object Model Hijacking", + "description": "The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. 
Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection." + }, + "T1196": { + "name": "Control Panel Items", + "description": "Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file." + }, + "T1207": { + "name": "DCShadow", + "description": "DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a Domain Controller (DC). Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys." + }, + "T1140": { + "name": "Deobfuscate/Decode Files or Information", + "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting, PowerShell, or by using utilities present on the system." 
+ }, + "T1089": { + "name": "Disabling Security Tools", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting." + }, + "T1038": { + "name": "DLL Search Order Hijacking", + "description": "Windows systems use a common method to look for required DLLs to load into a program. Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence." + }, + "T1073": { + "name": "DLL Side-Loading", + "description": "Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL." + }, + "T1480": { + "name": "Execution Guardrails", + "description": "Execution guardrails constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target." + }, + "T1211": { + "name": "Exploitation for Defense Evasion", + "description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them." 
+ }, + "T1181": { + "name": "Extra Window Memory Injection", + "description": "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value." + }, + "T1107": { + "name": "File Deletion", + "description": "Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process." + }, + "T1222": { + "name": "File Permissions Modification", + "description": "File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementation may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.)." + }, + "T1006": { + "name": "File System Logical Offsets", + "description": "Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools." + }, + "T1144": { + "name": "Gatekeeper Bypass", + "description": "In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. 
This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution." + }, + "T1484": { + "name": "Group Policy Modification", + "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain." + }, + "T1158": { + "name": "Hidden Files and Directories", + "description": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS)." + }, + "T1147": { + "name": "Hidden Users", + "description": "Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. By using the Create Account technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: sudo dscl . -create /Users/username UniqueID 401 ." + }, + "T1143": { + "name": "Hidden Window", + "description": "The configurations for how applications run on macOS and OS X are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. 
However, adversaries can abuse this feature and hide their running window ." + }, + "T1148": { + "name": "HISTCONTROL", + "description": "The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands." + }, + "T1183": { + "name": "Image File Execution Options Injection", + "description": "Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger." + }, + "T1054": { + "name": "Indicator Blocking", + "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include modifying sensor settings stored in configuration files and/or Registry keys to disable or maliciously redirect event telemetry." 
+ }, + "T1066": { + "name": "Indicator Removal from Tools", + "description": "If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems." + }, + "T1070": { + "name": "Indicator Removal on Host", + "description": "Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/* ." + }, + "T1202": { + "name": "Indirect Command Execution", + "description": "Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command-Line Interface, Run window, or via scripts." + }, + "T1130": { + "name": "Install Root Certificate", + "description": "Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website." 
+ }, + "T1118": { + "name": "InstallUtil", + "description": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe. InstallUtil.exe is digitally signed by Microsoft." + }, + "T1152": { + "name": "Launchctl", + "description": "Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made . Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute \"arg\" \"arg\" \"arg\". Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges." + }, + "T1149": { + "name": "LC_MAIN Hijacking", + "description": "As of OS X 10.8, mach-O binaries introduced a new header called LC_MAIN that points to the binary’s entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD . The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point so that the victim doesn’t know anything was different . By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same." 
+ }, + "T1036": { + "name": "Masquerading", + "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed." + }, + "T1112": { + "name": "Modify Registry", + "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution." + }, + "T1170": { + "name": "Mshta", + "description": "Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser." + }, + "T1126": { + "name": "Network Share Connection Removal", + "description": "Windows shared drive and Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\\share /delete command." + }, + "T1096": { + "name": "NTFS File Attributes", + "description": "Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition." + }, + "T1027": { + "name": "Obfuscated Files or Information", + "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses." + }, + "T1150": { + "name": "Plist Modification", + "description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. 
These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges)." + }, + "T1205": { + "name": "Port Knocking", + "description": "Port Knocking is a well-established method used by both defenders and adversaries to hide open ports from access. To enable a port, an adversary sends a series of packets with certain characteristics before the port will be opened. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports, but can involve unusual flags, specific strings or other unique characteristics. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software." + }, + "T1186": { + "name": "Process Doppelgänging", + "description": "Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction." + }, + "T1093": { + "name": "Process Hollowing", + "description": "Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. 
Similar to Process Injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis."
+ },
+ "T1055": {
+ "name": "Process Injection",
+ "description": "Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process."
+ },
+ "T1108": {
+ "name": "Redundant Access",
+ "description": "Adversaries may use more than one remote access tool with varying command and control protocols as a hedge against detection. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to Valid Accounts to use External Remote Services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network."
+ },
+ "T1121": {
+ "name": "Regsvcs/Regasm",
+ "description": "Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft."
+ },
+ "T1117": {
+ "name": "Regsvr32",
+ "description": "Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries."
+ },
+ "T1014": {
+ "name": "Rootkit",
+ "description": "Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking) and modifying operating system API calls that supply system information. 
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware."
+ },
+ "T1085": {
+ "name": "Rundll32",
+ "description": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations."
+ },
+ "T1064": {
+ "name": "Scripting",
+ "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts."
+ },
+ "T1218": {
+ "name": "Signed Binary Proxy Execution",
+ "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques."
+ },
+ "T1216": {
+ "name": "Signed Script Proxy Execution",
+ "description": "Scripts signed with trusted certificates can be used to proxy execution of malicious files. 
This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts."
+ },
+ "T1198": {
+ "name": "SIP and Trust Provider Hijacking",
+ "description": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature."
+ },
+ "T1045": {
+ "name": "Software Packing",
+ "description": "Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory."
+ },
+ "T1151": {
+ "name": "Space after Filename",
+ "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to \"evil.txt \" (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed ."
+ },
+ "T1221": {
+ "name": "Template Injection",
+ "description": "Microsoft’s Open Office XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered."
+ },
+ "T1099": {
+ "name": "Timestomp",
+ "description": "Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools."
+ },
+ "T1127": {
+ "name": "Trusted Developer Utilities",
+ "description": "There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions."
+ },
+ "T1078": {
+ "name": "Valid Accounts",
+ "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access."
+ },
+ "T1497": {
+ "name": "Virtualization/Sandbox Evasion",
+ "description": "Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. 
If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads."
+ },
+ "T1102": {
+ "name": "Web Service",
+ "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system."
+ },
+ "T1220": {
+ "name": "XSL Script Processing",
+ "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages."
+ }
+ },
+ "Credential Access": {
+ "T1098": {
+ "name": "Account Manipulation",
+ "description": "Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to subvert password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain."
+ },
+ "T1139": {
+ "name": "Bash History",
+ "description": "Bash keeps track of the commands users type on the command-line with the \"history \" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. 
Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials."
+ },
+ "T1110": {
+ "name": "Brute Force",
+ "description": "Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained."
+ },
+ "T1003": {
+ "name": "Credential Dumping",
+ "description": "Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information."
+ },
+ "T1081": {
+ "name": "Credentials in Files",
+ "description": "Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords."
+ },
+ "T1214": {
+ "name": "Credentials in Registry",
+ "description": "The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons."
+ },
+ "T1212": {
+ "name": "Exploitation for Credential Access",
+ "description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. 
Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions. Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained."
+ },
+ "T1187": {
+ "name": "Forced Authentication",
+ "description": "The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources. Web Distributed Authoring and Versioning (WebDAV) is typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443."
+ },
+ "T1179": {
+ "name": "Hooking",
+ "description": "Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions."
+ },
+ "T1056": {
+ "name": "Input Capture",
+ "description": "Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception."
+ },
+ "T1141": {
+ "name": "Input Prompt",
+ "description": "When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control)."
+ },
+ "T1208": {
+ "name": "Kerberoasting",
+ "description": "Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service )."
+ },
+ "T1142": {
+ "name": "Keychain",
+ "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials."
+ },
+ "T1171": {
+ "name": "LLMNR/NBT-NS Poisoning and Relay",
+ "description": "Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name."
+ },
+ "T1040": {
+ "name": "Network Sniffing",
+ "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data."
+ },
+ "T1174": {
+ "name": "Password Filter DLL",
+ "description": "Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts."
+ },
+ "T1145": {
+ "name": "Private Keys",
+ "description": "Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures."
+ },
+ "T1167": {
+ "name": "Securityd Memory",
+ "description": "In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password."
+ },
+ "T1111": {
+ "name": "Two-Factor Authentication Interception",
+ "description": "Use of two- or multifactor authentication is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. Adversaries may target authentication mechanisms, such as smart cards, to gain access to systems, services, and network resources."
+ }
+ },
+
+ "Discovery": {
+ "T1087": {
+ "name": "Account Discovery",
+ "description": "Adversaries may attempt to get a listing of local system or domain accounts."
+ },
+ "T1010": {
+ "name": "Application Window Discovery",
+ "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger."
+ },
+ "T1217": {
+ "name": "Browser Bookmark Discovery",
+ "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure."
+ },
+ "T1482": {
+ "name": "Domain Trust Discovery",
+ "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify Lateral Movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts."
+ },
+ "T1083": {
+ "name": "File and Directory Discovery",
+ "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system."
+ },
+ "T1046": {
+ "name": "Network Service Scanning",
+ "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. 
Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system."
+ },
+ "T1135": {
+ "name": "Network Share Discovery",
+ "description": "Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network."
+ },
+ "T1040": {
+ "name": "Network Sniffing",
+ "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data."
+ },
+ "T1201": {
+ "name": "Password Policy Discovery",
+ "description": "Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. An adversary may attempt to access detailed information about the password policy used within an enterprise network. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts)."
+ },
+ "T1120": {
+ "name": "Peripheral Device Discovery",
+ "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions."
+ },
+ "T1069": {
+ "name": "Permission Groups Discovery",
+ "description": "Adversaries may attempt to find local system or domain-level groups and permissions settings."
+ },
+ "T1057": {
+ "name": "Process Discovery",
+ "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network."
+ },
+ "T1012": {
+ "name": "Query Registry",
+ "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software."
+ },
+ "T1018": {
+ "name": "Remote System Discovery",
+ "description": "Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems."
+ },
+ "T1063": {
+ "name": "Security Software Discovery",
+ "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. These checks may be built into early-stage remote access tools."
+ },
+ "T1082": {
+ "name": "System Information Discovery",
+ "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture."
+ },
+ "T1016": {
+ "name": "System Network Configuration Discovery",
+ "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route."
+ },
+ "T1049": {
+ "name": "System Network Connections Discovery",
+ "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network."
+ },
+ "T1033": {
+ "name": "System Owner/User Discovery",
+ "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs."
+ },
+ "T1007": {
+ "name": "System Service Discovery",
+ "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist / svc \" using Tasklist, and \"net start \" using Net, but adversaries may also use other tools as well."
+ },
+ "T1124": {
+ "name": "System Time Discovery",
+ "description": "The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network."
+ },
+ "T1497": {
+ "name": "Virtualization/Sandbox Evasion",
+ "description": "Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads."
+ }
+ },
+ "Lateral Movement": {
+ "T1155": {
+ "name": "AppleScript",
+ "description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program."
+ },
+ "T1017": {
+ "name": "Application Deployment Software",
+ "description": "Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment."
+ },
+ "T1175": {
+ "name": "Distributed Component Object Model",
+ "description": "Windows Distributed Component Object Model (DCOM) is transparent middleware that extends the functionality of Component Object Model (COM) beyond a local computer using remote procedure call (RPC) technology. COM is a component of the Windows application programming interface (API) that enables interaction between software objects. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE)."
+ },
+ "T1210": {
+ "name": "Exploitation of Remote Services",
+ "description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system."
+ },
+ "T1037": {
+ "name": "Logon Scripts",
+ "description": "Windows allows logon scripts to be run whenever a specific user or group of users log into a system. The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server."
+ },
+ "T1075": {
+ "name": "Pass the Hash",
+ "description": "Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems."
+ },
+ "T1097": {
+ "name": "Pass the Ticket",
+ "description": "Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system."
+ },
+ "T1076": {
+ "name": "Remote Desktop Protocol",
+ "description": "Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS."
+ },
+ "T1105": {
+ "name": "Remote File Copy",
+ "description": "Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. 
Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp."
+ },
+ "T1021": {
+ "name": "Remote Services",
+ "description": "An adversary may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user."
+ },
+ "T1091": {
+ "name": "Replication Through Removable Media",
+ "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself."
+ },
+ "T1051": {
+ "name": "Shared Webroot",
+ "description": "Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or Web content directory and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured."
+ },
+ "T1184": {
+ "name": "SSH Hijacking",
+ "description": "Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair."
+ },
+ "T1080": {
+ "name": "Taint Shared Content",
+ "description": "Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally."
+ },
+ "T1072": {
+ "name": "Third-party Software",
+ "description": "Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). If an adversary gains access to these systems, then they may be able to execute code."
+ },
+ "T1077": {
+ "name": "Windows Admin Shares",
+ "description": "Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$."
+ },
+ "T1028": {
+ "name": "Windows Remote Management",
+ "description": "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell."
+ }
+ },
+ "Collection": {
+ "T1123": {
+ "name": "Audio Capture",
+ "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information."
+ },
+ "T1119": {
+ "name": "Automated Collection",
+ "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of Scripting to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools."
+ },
+ "T1115": {
+ "name": "Clipboard Data",
+ "description": "Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications."
+ },
+ "T1213": {
+ "name": "Data from Information Repositories",
+ "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information."
+ },
+ "T1005": {
+ "name": "Data from Local System",
+ "description": "Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration."
+ },
+ "T1039": {
+ "name": "Data from Network Shared Drive",
+ "description": "Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration."
+ },
+ "T1025": {
+ "name": "Data from Removable Media",
+ "description": "Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration."
+ },
+ "T1074": {
+ "name": "Data Staged",
+ "description": "Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted."
+ },
+ "T1114": {
+ "name": "Email Collection",
+ "description": "Adversaries may target user email to collect sensitive information from a target."
+ },
+ "T1056": {
+ "name": "Input Capture",
+ "description": "Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception."
+ },
+ "T1185": {
+ "name": "Man in the Browser",
+ "description": "Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques."
+ },
+ "T1113": {
+ "name": "Screen Capture",
+ "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations."
+ },
+ "T1125": {
+ "name": "Video Capture",
+ "description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files."
+ }
+ },
+ "Command and Control": {
+ "T1043": {
+ "name": "Commonly Used Port",
+ "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as."
+ },
+ "T1092": {
+ "name": "Communication Through Removable Media",
+ "description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access."
+ },
+ "T1090": {
+ "name": "Connection Proxy",
+ "description": "A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap."
+ },
+ "T1094": {
+ "name": "Custom Command and Control Protocol",
+ "description": "Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing Standard Application Layer Protocol. Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack."
+ },
+ "T1024": {
+ "name": "Custom Cryptographic Protocol",
+ "description": "Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext."
+ },
+ "T1132": {
+ "name": "Data Encoding",
+ "description": "Command and control (C2) information is encoded using a standard data encoding system. Use of data encoding may be to adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, UTF-8, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip."
+ },
+ "T1001": {
+ "name": "Data Obfuscation",
+ "description": "Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request."
+ },
+ "T1172": {
+ "name": "Domain Fronting",
+ "description": "Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. The technique involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored)."
+ }, + "T1483": { + "name": "Domain Generation Algorithms", + "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions." + }, + "T1008": { + "name": "Fallback Channels", + "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds." + }, + "T1188": { + "name": "Multi-hop Proxy", + "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source." + }, + "T1104": { + "name": "Multi-Stage Channels", + "description": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult." + }, + "T1026": { + "name": "Multiband Communication", + "description": "Some adversaries may split communications between different protocols. There could be one protocol for inbound command and control and another for outbound data, allowing it to bypass certain firewall restrictions. 
The split could also be random to simply avoid data threshold alerts on any one communication." + }, + "T1079": { + "name": "Multilayer Encryption", + "description": "An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a custom encryption scheme within a protocol encryption scheme such as HTTPS or SMTPS." + }, + "T1205": { + "name": "Port Knocking", + "description": "Port Knocking is a well-established method used by both defenders and adversaries to hide open ports from access. To enable a port, an adversary sends a series of packets with certain characteristics before the port will be opened. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports, but can involve unusual flags, specific strings or other unique characteristics. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software." + }, + "T1219": { + "name": "Remote Access Tools", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries." + }, + "T1105": { + "name": "Remote File Copy", + "description": "Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. 
Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp." + }, + "T1071": { + "name": "Standard Application Layer Protocol", + "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server." + }, + "T1032": { + "name": "Standard Cryptographic Protocol", + "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files." + }, + "T1095": { + "name": "Standard Non-Application Layer Protocol", + "description": "Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL)." + }, + "T1065": { + "name": "Uncommonly Used Port", + "description": "Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured." + }, + "T1102": { + "name": "Web Service", + "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system." 
+ } + }, + "Exfiltration": { + "T1020": { + "name": "Automated Exfiltration", + "description": "Data, such as sensitive documents, may be exfiltrated through the use of automated processing or Scripting after being gathered during Collection." + }, + "T1002": { + "name": "Data Compressed", + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib." + }, + "T1022": { + "name": "Data Encrypted", + "description": "Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip." + }, + "T1030": { + "name": "Data Transfer Size Limits", + "description": "An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts." + }, + "T1048": { + "name": "Exfiltration Over Alternative Protocol", + "description": "Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage." 
+ }, + "T1041": { + "name": "Exfiltration Over Command and Control Channel", + "description": "Data exfiltration is performed over the Command and Control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications." + }, + "T1011": { + "name": "Exfiltration Over Other Network Medium", + "description": "Exfiltration could occur over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries could choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network." + }, + "T1052": { + "name": "Exfiltration Over Physical Medium", + "description": "In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems." + }, + "T1029": { + "name": "Scheduled Transfer", + "description": "Data exfiltration may be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability." + } + }, + "Impact": { + "T1485": { + "name": "Data Destruction", + "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. 
Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure." + }, + "T1486": { + "name": "Data Encrypted for Impact", + "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR." + }, + "T1491": { + "name": "Defacement", + "description": "Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion." + }, + "T1488": { + "name": "Disk Content Wipe", + "description": "Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources." 
+ }, + "T1487": { + "name": "Disk Structure Wipe", + "description": "Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources." + }, + "T1499": { + "name": "Endpoint Denial of Service", + "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion." + }, + "T1495": { + "name": "Firmware Corruption", + "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards." + }, + "T1490": { + "name": "Inhibit System Recovery", + "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact." 
+ }, + "T1498": { + "name": "Network Denial of Service", + "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion." + }, + "T1496": { + "name": "Resource Hijacking", + "description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability." + }, + "T1494": { + "name": "Runtime Data Manipulation", + "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making." + }, + "T1489": { + "name": "Service Stop", + "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment." + }, + "T1492": { + "name": "Stored Data Manipulation", + "description": "Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making." + }, + "T1493": { + "name": "Transmitted Data Manipulation", + "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. 
By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making." + } + } +} \ No newline at end of file diff --git a/utils/mitre_table.py b/utils/mitre_table.py new file mode 100644 index 0000000..a267301 --- /dev/null +++ b/utils/mitre_table.py @@ -0,0 +1,57 @@ +def table_creation(sig_json, mitre_json): + mitre_table_json = [ + {"Initial Access": {}}, + {"Execution": {}}, + {"Persistence": {}}, + {"Privilege Escalation": {}}, + {"Defense Evasion": {}}, + {"Credential Access": {}}, + {"Discovery": {}}, + {"Lateral Movement": {}}, + {"Collection": {}}, + {"Command and Control": {}}, + {"Exfiltration": {}}, + {"Impact": {}} + ] + + keys = list() + total_table_entry = 0 + for matched_tid in sig_json: + for tactic in mitre_json: + if matched_tid in mitre_json[tactic]: + for i in range(0, len(mitre_table_json)): + if tactic in mitre_table_json[i]: + mitre_table_json[i][tactic][matched_tid] = mitre_json[tactic][matched_tid] + total_table_entry = total_table_entry + 1 + + tid_len = [] + for i in range(0, len(mitre_table_json)): + for tactic in mitre_table_json[i]: + tid_len.append(len(mitre_table_json[i][tactic])) + + table_code = [] + for i in range(0, len(mitre_table_json)): + for key in mitre_table_json[i]: + keys.append(key) + table_code.append(keys) + added_count = 0 + for i in range(0, len(sig_json.keys())): + row = [] + for j in range(0, len(mitre_table_json)): + if tid_len[j] != 0: + for key in mitre_table_json[j]: + counter = 0 + for tid in mitre_table_json[j][key]: + if i == counter: + row.append({"name": mitre_table_json[j][key][tid]["name"], "id": tid}) + added_count = added_count + 1 + tid_len[j] = tid_len[j] - 1 + break + else: + counter = counter + 1 + else: + row.append("") + table_code.append(row) + if added_count == total_table_entry: + break + return table_code diff --git a/utils/peparser.py b/utils/peparser.py new file mode 100644 index 0000000..a7fafd5 --- /dev/null 
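Review bot: The row-building part of `table_creation` rescans each tactic's technique dict from the start for every row index (`for tid in mitre_table_json[j][key]: if i == counter: ... else: counter = counter + 1`), so the table is assembled in time quadratic in the number of matched techniques, and the `tid_len`/`added_count` bookkeeping exists only to stop that rescan early. Converting each tactic to a list once, e.g. `columns = [list(d[t].items()) for d in mitre_table_json for t in d]`, lets row `i` be read directly as `columns[j][i]` (or `""` once `i >= len(columns[j])`) and removes both counters. Separately, `for i in range(0, len(mitre_table_json))` followed by `for tactic in mitre_table_json[i]` is how a list of single-key dicts gets unpacked here three times; a `collections.OrderedDict` for `mitre_table_json` would keep the tactic ordering explicit and drop the index loops, and `keys` could be declared next to `table_code` where it is used. Note that the final `if added_count == total_table_entry: break` still emits one all-empty row when `sig_json` is non-empty but nothing matched a tactic, so a comment stating whether the template relies on that row would prevent a later "fix".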
+++ b/utils/peparser.py 
@@ -0,0 +1,152 @@ +#!/usr/bin/env python +import os +import time +import zlib +import string +import pefile +import hashlib + +Win32 = False +Win64 = False +isDll = False +Highlights = list() + + +def hashes(data, algo="sha256"): + if not data: + return None + algo = algo.lower() + if algo == "crc32": + return int("%d" % (zlib.crc32(data) & 0xffffffff)) + elif algo == "adler32": + return "%d" % (zlib.adler32(data) & 0xffffffff) + elif algo == "md5": + hasher = hashlib.md5() + elif algo == "sha128": + hasher = hashlib.sha1() + elif algo == "sha224": + hasher = hashlib.sha224() + elif algo == "sha256": + hasher = hashlib.sha256() + elif algo == "sha384": + hasher = hashlib.sha384() + elif algo == "sha512": + hasher = hashlib.sha512() + else: + return None + + hasher.update(data) + return hasher.hexdigest() + + +def get_metadata(filename, pe): + metadata = dict() + metadata["size"] = os.path.getsize(filename) + metadata["imphash"] = pe.get_imphash() + with open(filename, "rb") as f: + filedata = f.read() + metadata["crc32"] = hashes(data=filedata, algo="crc32") + metadata["md5"] = hashes(data=filedata, algo="md5") + metadata["sha128"] = hashes(data=filedata, algo="sha128") + metadata["sha256"] = hashes(data=filedata, algo="sha256") + metadata["ssdeep"] = hashes(data=filedata, algo="ssdeep") + return metadata + + +def get_imagefileheader(pe): + global Win32, Win64, isDll + imagefileheader = dict() + imagefileheader["Machine"] = hex(pe.FILE_HEADER.Machine if pe and hasattr(pe, "FILE_HEADER") and pe.FILE_HEADER and + hasattr(pe.FILE_HEADER, "Machine") and pe.FILE_HEADER.Machine else 0) + imagefileheader["NumberOfSections"] = hex(pe.FILE_HEADER.NumberOfSections if pe and hasattr(pe, "FILE_HEADER") and + pe.FILE_HEADER and + hasattr(pe.FILE_HEADER, "NumberOfSections") and pe.FILE_HEADER.NumberOfSections else 0) + imagefileheader["TimeDateStamp"] = pe.FILE_HEADER.TimeDateStamp if pe and hasattr(pe, "FILE_HEADER") and pe.FILE_HEADER and hasattr(pe.FILE_HEADER, 
"TimeDateStamp") and pe.FILE_HEADER.TimeDateStamp else 0 + if imagefileheader["TimeDateStamp"] != 0: + pe_year = int(time.ctime(imagefileheader["TimeDateStamp"]).split()[-1]) + this_year = int(time.gmtime(time.time())[0]) + if pe_year > this_year or pe_year < 2000: + Highlights.append("TimeDateStamp of the file is Suspicious.") + imagefileheader["TimeDateStamp"] = time.ctime(imagefileheader["TimeDateStamp"]) + else: + Highlights.append("TimeDateStamp of the file is zero.") + imagefileheader["Characteristics"] = pe.FILE_HEADER.Characteristics if pe and hasattr(pe, "FILE_HEADER") and pe.FILE_HEADER and hasattr(pe.FILE_HEADER, "Characteristics") and pe.FILE_HEADER.Characteristics else 0 + if (imagefileheader["Characteristics"] & 0x0100) == 0x0100: + Win32 = True + elif (imagefileheader["Characteristics"] & 0x0020) == 0x0020: + Win64 = True + if (imagefileheader["Characteristics"] & 0x2000) == 0x2000: + isDll = True + imagefileheader["Characteristics"] = hex(imagefileheader["Characteristics"]) + return imagefileheader + + +def get_imageoptionalheader(pe): + global Win32, Win64, isDll + imageoptionalheader = dict() + imageoptionalheader["Magic"] = hex(pe.OPTIONAL_HEADER.Magic if pe and hasattr(pe, "OPTIONAL_HEADER") and pe.OPTIONAL_HEADER and hasattr(pe.OPTIONAL_HEADER, "Magic") and pe.OPTIONAL_HEADER.Magic else 0) + imageoptionalheader["AddressOfEntryPoint"] = hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint if pe and hasattr(pe, "OPTIONAL_HEADER") and pe.OPTIONAL_HEADER and hasattr(pe.OPTIONAL_HEADER, "AddressOfEntryPoint") else 0) + if pe and hasattr(pe, "OPTIONAL_HEADER") and pe.OPTIONAL_HEADER and hasattr(pe.OPTIONAL_HEADER, "CheckSum"): + if pe.OPTIONAL_HEADER.CheckSum == 0: + imageoptionalheader["CheckSum"] = pe.OPTIONAL_HEADER.CheckSum + else: + imageoptionalheader["CheckSum"] = hex(pe.OPTIONAL_HEADER.CheckSum) + else: + imageoptionalheader["CheckSum"] = None + imageoptionalheader["Subsystem"] = pe.OPTIONAL_HEADER.Subsystem if pe and hasattr(pe, "OPTIONAL_HEADER") and 
pe.OPTIONAL_HEADER and hasattr(pe.OPTIONAL_HEADER, "Subsystem") and pe.OPTIONAL_HEADER.Subsystem else None + bitVal = None + if Win32: + bitVal = "Win32" + elif Win64: + bitVal = "Win64" + if isDll: + file_type = "DLL" + else: + file_type = "EXE" + if imageoptionalheader["Subsystem"] == 0x03: + Highlights.append("The file being analysed is a Portable executable file! More sepecifically, it is a "+bitVal+" "+file_type+" file for the Windows Console Subsystem.") + elif imageoptionalheader["Subsystem"] == 0x02: + Highlights.append("The file being analysed is a Portable executable file! More sepecifically, it is a "+bitVal+" "+file_type+" file for the Windows GUI Subsystem.") + elif imageoptionalheader["Subsystem"] == 0x01: + Highlights.append("The file being analysed is a Portable executable file! More sepecifically, it is a "+bitVal+" "+file_type+" file for the Windows Native Subsystem.") + + imageoptionalheader["DllCharacteristics"] = hex(pe.OPTIONAL_HEADER.DllCharacteristics if pe and hasattr(pe, "OPTIONAL_HEADER") and pe.OPTIONAL_HEADER and hasattr(pe.OPTIONAL_HEADER, "DllCharacteristics") and pe.OPTIONAL_HEADER.DllCharacteristics else 0) + return imageoptionalheader + + +def get_imagesections(pe): + if len(pe.sections): + imagesections = list() + for section in pe.sections: + if section and hasattr(section, "Characteristics") and section.Characteristics: + perms = list() + perms += "R" if section.Characteristics & 0x40000000 else "-" + perms += "W" if section.Characteristics & 0x80000000 else "-" + perms += "X" if section.Characteristics & 0x20000000 else "-" + perms = "".join(perms) + else: + perms = None + imagesections.append({ + "Name": "".join([c for c in section.Name if c in string.printable]), + "VirtualSize": hex(section.Misc_VirtualSize if section and hasattr(section, "Misc_VirtualSize") and + section.Misc_VirtualSize else 0), + "SizeOfRawData": hex(section.SizeOfRawData if section and hasattr(section, "SizeOfRawData") and + section.SizeOfRawData else 
0), + "entropy": section.get_entropy(), + "permissions": perms, + }) + else: + imagesections = None + return imagesections + + +def parse(filename): + peparsed = dict() + pe = pefile.PE(filename) + peparsed["metadata"] = get_metadata(filename, pe) + peparsed["IMAGE_FILE_HEADER"] = get_imagefileheader(pe) + peparsed["IMAGE_OPTIONAL_HEADER"] = get_imageoptionalheader(pe) + peparsed["IMAGE_SECTIONS"] = get_imagesections(pe) + return peparsed + + diff --git a/utils/playbookSig.py b/utils/playbookSig.py new file mode 100644 index 0000000..335ff97 --- /dev/null +++ b/utils/playbookSig.py 
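Review bot: `Win32`, `Win64`, `isDll` and `Highlights` are module-level state that `parse` never resets, so in a long-running service that imports this module the highlights of one sample are appended to the next sample's report and a previous sample's bitness/DLL flag can be carried into the current one; resetting them at the top of `parse` — `global Win32, Win64, isDll` / `Win32 = Win64 = isDll = False` / `del Highlights[:]` — keeps each analysis independent (clear the list in place rather than rebinding it, in case a caller holds a reference). In `get_imagefileheader` the 64-bit test is `Characteristics & 0x0020`, which is `IMAGE_FILE_LARGE_ADDRESS_AWARE` rather than a bitness flag, and a sample that sets neither 0x0100 nor 0x0020 leaves `bitVal` as `None`, so `"... it is a "+bitVal+" "` in `get_imageoptionalheader` raises `TypeError` and the whole parse fails on header bits chosen by the sample's author; deriving bitness from `OPTIONAL_HEADER.Magic` (0x10B/0x20B, as this commit's own `compiler.yar` does) and defaulting the label when unknown avoids both. `get_metadata` requests `hashes(data=filedata, algo="ssdeep")`, which `hashes` does not implement, so `metadata["ssdeep"]` is always `None` — either implement it or drop the key so the report does not show a permanently empty field. Within `hashes`, `"crc32"` returns an `int` while `"adler32"` returns a `str`; the two should agree. All functions named here are complete within the hunk.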
@@ -0,0 +1,38 @@ +import json + + +def playbooksig(playbook_json, matched_sig_file, outputfile_campaign): + with open(matched_sig_file) as fp: + matched_json = json.load(fp) + with open(playbook_json) as fs: + playbook_sig = json.load(fs) + max = 0 + matched_campaign_name = "Not Matched" + max_campaign_per = 0 + for campaign in playbook_sig.keys(): + matched_tid_count = 0 + for tid_name in playbook_sig[campaign]: + if tid_name in matched_json.keys(): + matched_tid_count = matched_tid_count + 1 + if matched_tid_count > max: + matched_campaign_name = campaign + max_campaign_per = matched_tid_count * 100 / len(playbook_sig[campaign]) + else: + if matched_tid_count == max: + macthed_wrt_campaign = max * 100 / len(playbook_sig[campaign]) + if macthed_wrt_campaign > max_campaign_per: + max_campaign_per = macthed_wrt_campaign + matched_campaign_name = campaign + max = matched_tid_count if matched_tid_count > max else max + json_data = {"Matched campaign": "Not Matched"} + if matched_campaign_name != "Not Matched": + json_data["Matched campaign"] = matched_campaign_name + macthed_wrt_campaign = max * 100 / len(playbook_sig[matched_campaign_name]) + matched_wrt_sample = max * 100 / len(matched_json.keys()) + json_data["Activity matching percent with campaign"] = str(macthed_wrt_campaign) + json_data["Activity matching percent with Sample"] = str(matched_wrt_sample) + + with open(outputfile_campaign, 'w') as fw: + json_report = json.dumps(json_data, sort_keys=True, indent=4) + fw.write(json_report.encode('utf-8')) + diff --git a/utils/sigcheck64.exe b/utils/sigcheck64.exe new file mode 100644 index 0000000..9079033 Binary files /dev/null and b/utils/sigcheck64.exe differ diff --git a/utils/yarascan.py b/utils/yarascan.py new file mode 100644 index 0000000..601992b --- /dev/null +++ b/utils/yarascan.py 
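Review bot: In `playbooksig`, a campaign whose technique list is empty raises `ZeroDivisionError` whenever no earlier campaign has matched (`matched_tid_count == max` holds for 0 == 0 and `max * 100 / len(playbook_sig[campaign])` then divides by zero), so a single bad entry in the playbook JSON aborts campaign attribution for every sample; `if not playbook_sig[campaign]: continue` at the top of the loop removes that failure mode. `max` shadows the builtin and `macthed_wrt_campaign` is misspelled; `best_count` and `matched_wrt_campaign` would read better. The `/` divisions yield integer percentages on Python 2 and floats on Python 3, so the `str(...)` values written to the report change meaning with the interpreter — multiplying by `100.0` or applying an explicit `round` pins the format. The closing `fw.write(json_report.encode('utf-8'))` into a file opened with `'w'` only works on Python 2; on Python 3 writing bytes to a text handle raises `TypeError`, so if that interpreter is a target, open with `'wb'` or drop the `.encode`.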
@@ -0,0 +1,41 @@ +import yara + + +class YaraScan: + def __init__(self): + self.yara_sig_matched = {} + self.yara_idsig_matched = {} + + def yara_callback_desc(self, data): + # print data + if data['matches']: + tag = "" + if len(data['tags']) > 0: + tag = data['tags'][0] + if tag not in self.yara_sig_matched.keys(): + self.yara_sig_matched[tag] = {} + if data['rule'] not in self.yara_sig_matched[tag].keys(): + self.yara_sig_matched[tag][data['rule']] = {} + if 'description' in data['meta']: + self.yara_sig_matched[tag][data['rule']]['description'] = data['meta']['description'] + self.yara_sig_matched[tag][data['rule']]['indicators_matched'] = [] + for string in data['strings']: + try: + if string[2].decode('windows-1252') \ + not in self.yara_sig_matched[tag][data['rule']]['indicators_matched']: + self.yara_sig_matched[tag][data['rule']]['indicators_matched'].\ + append(string[2].decode('windows-1252')) + except: + continue + yara.CALLBACK_CONTINUE + + def yara_callback(self, data): + if data['matches']: + tag = "" + if len(data['tags']) > 0: + tag = data['tags'][0] + if tag not in self.yara_idsig_matched.keys(): + self.yara_idsig_matched[tag] = [] + if data['rule'] not in self.yara_idsig_matched[tag]: + self.yara_idsig_matched[tag].append(data['rule']) + yara.CALLBACK_CONTINUE \ No newline at end of file diff --git a/yara_sigs/file/compiler.yar b/yara_sigs/file/compiler.yar new file mode 100644 index 0000000..58253fd --- /dev/null +++ b/yara_sigs/file/compiler.yar 
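Review bot: Both callbacks end with a bare `yara.CALLBACK_CONTINUE` expression rather than `return yara.CALLBACK_CONTINUE`, so they return `None`; yara-python appears to treat a non-integer return as "continue", which is why scanning still works, but the intent should be stated explicitly. The `except: continue` around `string[2].decode('windows-1252')` also swallows any programming error in the dict updates on the preceding lines; `except UnicodeDecodeError: continue` covers the only failure the decode can produce for this codec (the few byte values undefined in cp1252). `indicators_matched` stores raw byte sequences taken from the scanned sample, so whatever renders them into the HTML report must escape them — a comment on the attribute such as `# untrusted: matched bytes from the sample, escape before display` makes that contract visible to the template author. Only `data['tags'][0]` is used to bucket a match, so rules carrying several tags are filed under the first one; a one-line comment noting that choice would help.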
@@ -0,0 +1,603 @@ +/* + This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. +*/ + +import "pe" +import "math" + +rule IsPE32 : PECheck +{ + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + uint16(uint32(0x3C)+0x18) == 0x010B +} + +rule IsPE64 : PECheck +{ + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + uint16(uint32(0x3C)+0x18) == 0x020B +} + +rule IsNET_EXE : PECheck +{ + condition: + pe.imports ("mscoree.dll","_CorExeMain") +} + +rule IsNET_DLL : PECheck +{ + condition: + pe.imports ("mscoree.dll","_CorDllMain") +} + +rule IsDLL : PECheck +{ + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + (uint16(uint32(0x3C)+0x16) & 0x2000) == 0x2000 + +} + +rule IsConsole : PECheck +{ + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + uint16(uint32(0x3C)+0x5C) == 0x0003 +} + +rule IsWindowsGUI : PECheck +{ + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + uint16(uint32(0x3C)+0x5C) == 0x0002 +} + +rule IsPacked : PECheck +{ + meta: + description = "Entropy Check" + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + uint32(uint32(0x3C)) == 0x00004550 and + math.entropy(0, filesize) >= 7.0 +} + + +rule HasOverlay : PECheck +{ + meta: + author="_pusher_" + description = "Overlay Check" + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... 
PE signature at offset stored in MZ header at 0x3C + uint32(uint32(0x3C)) == 0x00004550 and + //stupid check if last section is 0 + //not (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x0 and + + (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) < filesize + +} + +rule HasTaggantSignature : PECheck +{ + meta: + author="_pusher_" + description = "TaggantSignature Check" + date="2016-07" + strings: + $a0 = { 54 41 47 47 ?? ?? ?? ?? ?? ?? 00 00 ?? 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 09 30 07 06 05 2B 0E 03 02 1A 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 01 A0 82 ?? ?? 04 82 ?? ?? ?? 00 01 00 ?? ?? } + //$c0 = { 06 09 2A 86 } + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + uint32(uint32(0x3C)) == 0x00004550 and + //TAGG+4E==packerid + //(uint32be(@a0+0x4E) == 0x0B51D132) and + //(uint32be(@a0+0x12) == 0x006092a86) and + //(uint32be(@a0+0x12)) == uint32be(@c0) and + + //uint32be(@a0+0x04) < (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) and + $a0 +} + + +rule HasDigitalSignature : PECheck +{ + meta: + author="_pusher_" + description = "DigitalSignature Check" + date="2016-07" + strings: + //size check is wildcarded + $a0 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 0B 30 09 06 05 2B 0E 03 02 1A 05 00 30 68 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 5A 30 58 30 33 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 25 03 01 00 A0 20 A2 1E 80 1C 00 3C 00 3C 00 3C 00 4F 00 62 00 73 00 6F 00 6C 00 65 00 74 00 65 00 3E 00 3E 00 3E 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 } + $a1 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 
02 01 01 31 0B 30 09 06 05 2B 0E 03 02 1A 05 00 30 ?? 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 ?? 30 ?? 30 ?? 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 ?? 03 01 00 A0 ?? A2 ?? 80 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 } + $a2 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 0E 30 ?? 06 ?? ?? 86 48 86 F7 0D 02 05 05 00 30 67 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 59 30 57 30 33 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 25 03 01 00 A0 20 A2 1E 80 1C 00 3C 00 3C 00 3C 00 4F 00 62 00 73 00 6F 00 6C 00 65 00 74 00 65 00 3E 00 3E 00 3E 30 20 30 0C 06 08 2A 86 48 86 F7 0D 02 05 05 00 04 } + $a3 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 0F 30 ?? 06 ?? ?? 86 48 01 65 03 04 02 01 05 00 30 78 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 6A 30 68 30 33 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 25 03 01 00 A0 20 A2 1E 80 1C 00 3C 00 3C 00 3C 00 4F 00 62 00 73 00 6F 00 6C 00 65 00 74 00 65 00 3E 00 3E 00 3E 30 31 30 0D 06 09 60 86 48 01 65 03 04 02 01 05 00 04 } + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + uint32(uint32(0x3C)) == 0x00004550 and + (for any of ($a*) : ($ in ( (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size)..filesize)) ) + //its not always like this: + //and uint32(@a0) == (filesize-(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size)) +} + +rule HasDebugData : PECheck +{ + meta: + author = "_pusher_" + description = "DebugData Check" + date="2016-07" + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... 
PE signature at offset stored in MZ header at 0x3C + uint32(uint32(0x3C)) == 0x00004550 and + //orginal + //((uint32(uint32(0x3C)+0xA8) >0x0) and (uint32be(uint32(0x3C)+0xAC) >0x0)) + //((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) x64/x32 + (IsPE32 or IsPE64) and + ((uint32(uint32(0x3C)+0xA8+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)) >0x0) and (uint32be(uint32(0x3C)+0xAC+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)) >0x0)) +} + +rule IsBeyondImageSize : PECheck +{ + meta: + author = "_pusher_" + date = "2016-07" + description = "Data Beyond ImageSize Check" + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + uint32(uint32(0x3C)) == 0x00004550 and + for any i in (0..pe.number_of_sections-1): + ( + (pe.sections[i].virtual_address+pe.sections[i].virtual_size) > (uint32(uint32(0x3C)+0x50)) or + (pe.sections[i].raw_data_offset+pe.sections[i].raw_data_size) > filesize + ) +} + +rule ImportTableIsBad : PECheck +{ + meta: + author = "_pusher_ & mrexodia" + date = "2016-07" + description = "ImportTable Check" + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + uint32(uint32(0x3C)) == 0x00004550 and + (IsPE32 or IsPE64) and + ( //Import_Table_RVA+Import_Data_Size .. cannot be outside imagesize + ((uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) )) + (uint32(uint32(0x3C)+0x84+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)))) > (uint32(uint32(0x3C)+0x50)) + or + (((uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) )) + (uint32(uint32(0x3C)+0x84+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)))) == 0x0) + //or + + //doest work + //pe.imports("", "") + + //need to check if this is ok.. 15:06 2016-08-12 + //uint32( uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5))+uint32(uint32(0x3C)+0x34)) == 0x408000 + //this works.. 
+ //uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5))+uint32(uint32(0x3C)+0x34) == 0x408000 + + //uint32be(uint32be(0x409000)) == 0x005A + //pe.image_base + //correct: + + //uint32(uint32(0x3C)+0x80)+pe.image_base == 0x408000 + + //this works (file offset): + //$a0 at 0x4000 + //this does not work rva: + //$a0 at uint32(0x0408000) + + //(uint32(uint32(uint32(0x3C)+0x80)+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5))+pe.image_base) == 0x0) + + or + //tiny PE files.. + (uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) > filesize) + + //or + //uint32(uint32(0x3C)+0x80) == 0x21000 + //uint32(uint32(uint32(0x3C)+0x80)) == 0x0 + //pe.imports("", "") + ) +} + +rule ExportTableIsBad : PECheck +{ + meta: + author = "_pusher_ & mrexodia" + date = "2016-07" + description = "ExportTable Check" + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + uint32(uint32(0x3C)) == 0x00004550 and + (IsPE32 or IsPE64) and + ( //Export_Table_RVA+Export_Data_Size .. cannot be outside imagesize + ((uint32(uint32(0x3C)+0x78+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) )) + (uint32(uint32(0x3C)+0x7C+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)))) > (uint32(uint32(0x3C)+0x50)) + ) +} + + +rule HasModified_DOS_Message : PECheck +{ + meta: + author = "_pusher_" + description = "DOS Message Check" + date="2016-07" + strings: + $a0 = "This program must be run under Win32" wide ascii nocase + $a1 = "This program cannot be run in DOS mode" wide ascii nocase + //UniLink + $a2 = "This program requires Win32" wide ascii nocase + $a3 = "This program must be run under Win64" wide ascii nocase + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... 
PE signature at offset stored in MZ header at 0x3C + uint32(uint32(0x3C)) == 0x00004550 and not + (for any of ($a*) : ($ in (0x0..uint32(0x3c) ))) +} + +rule HasRichSignature : PECheck +{ + meta: + author = "_pusher_" + description = "Rich Signature Check" + date="2016-07" + strings: + $a0 = "Rich" ascii + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + uint32(uint32(0x3C)) == 0x00004550 and + (for any of ($a*) : ($ in (0x0..uint32(0x3c) ))) +} + +rule IsSuspicious +{ + meta: + author="_pusher_" + date = "2016-07" + description="Might be PE Virus" + condition: + uint32(0x20) == 0x20202020 +} + +rule IsGoLink +{ + meta: + author="_pusher_" + date = "2016-08" + description="www.GoDevTool.com" + strings: + $a0 = { 47 6F 4C 69 6E 6B } + condition: + // MZ signature at offset 0 and ... + uint16(0) == 0x5A4D and + // ... PE signature at offset stored in MZ header at 0x3C + $a0 at 0x40 + +} + + +rule borland_cpp { + meta: + author = "_pusher_" + description = "Borland C++" + date = "2015-08" + version = "0.1" + strings: + $c0 = { 59 5F 6A 00 E8 ?? ?? ?? ?? 59 68 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A 00 E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 C0 A0 ?? ?? ?? ?? C3 A1 ?? ?? ?? ?? C3 } + $c1 = { A1 ?? ?? ?? ?? C1 E0 02 A3 ?? ?? ?? ?? 52 6A 00 E8 ?? ?? ?? ?? 8B D0 E8 ?? ?? ?? ?? 5A E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? 59 68 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A 00 E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 C0 A0 ?? ?? ?? ?? C3 A1 ?? ?? ?? ?? C3 } + $c2 = { 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A 00 E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 C0 A0 ?? ?? ?? ?? C3 A1 ?? ?? ?? ?? 
C3 } + condition: + ( + //linker 2.25 and 5.00 + ((pe.linker_version.major == 2) and (pe.linker_version.minor == 25 )) or + ((pe.linker_version.major == 5) and (pe.linker_version.minor == 0 )) + ) and + any of them +} + +rule borland_delphi { + meta: + author = "_pusher_" + description = "Borland Delphi 2.0 - 7.0 / 2005 - 2007" + date = "2016-03" + version = "0.2" + strings: + $c0 = { 53 8B D8 33 C0 A3 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? FF A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? 33 C0 A3 } + $c1 = { 53 8B D8 33 C0 A3 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? 8D 43 08 A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5B C3 } + //some x64 version of delphi + $c2 = { 53 48 83 EC 20 48 89 CB C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 48 33 C9 E8 ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 43 10 48 89 05 ?? ?? ?? ?? 48 8D 05 ?? FC FF FF 48 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 D9 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 83 C4 20 5B C3 } + //unusual delphi version unknown version (unpackme- FSG 1.31 - dulek) + $c3 = { 50 6A 00 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 C7 42 08 00 00 00 00 C7 42 0C 00 00 00 00 E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? C3 } + //delphi2 + $c4 = { E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 0A ?? ?? ?? B8 ?? ?? ?? ?? C3 } + //delphi3 + $c5 = { 50 6A 00 E8 ?? ?? FF FF BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? C3 55 8B EC 33 C0 } + //delphi5 + $c6 = { 50 6A ?? E8 ?? ?? FF FF BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 C7 42 08 ?? ?? ?? ?? C7 42 0C ?? ?? ?? ?? E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? 
C3 } + condition: + any of them + and + ( + //if its not linker 2.25 its been modified (unpacked usually) + //unknown x64 build of delphi + ((pe.linker_version.major == 2) and (pe.linker_version.minor == 25 )) or ((pe.linker_version.major == 8) and (pe.linker_version.minor == 0 )) + //unpacked files usually have this linker: + or ((pe.linker_version.major == 0) and (pe.linker_version.minor == 0 )) ) + //could check for dvclal.. maybe too much +} + +rule free_pascal { + meta: + author = "_pusher_" + description = "Free Pascal" + date = "2015-08" + version = "0.1" + strings: + $c0 = { 55 89 E5 83 ?? ?? 89 5D FC B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? A0 ?? ?? ?? ?? 84 C0 75 0C 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 } + $c1 = { 55 89 E5 53 B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 80 3D ?? ?? ?? ?? 00 75 0C 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? B8 } + $c2 = { 55 89 E5 83 EC 04 89 5D FC B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A0 ?? ?? ?? ?? 84 C0 75 05 E8 ?? ?? ?? ?? C7 05 } + condition: + any of them +} + +rule borland_delphi_dll { + meta: + author = "_pusher_" + description = "Borland Delphi DLL" + date = "2015-08" + version = "0.1" + info = "one is at entrypoint" + strings: + $c0 = { BA ?? ?? ?? ?? 83 7D 0C 01 75 ?? 50 52 C6 05 ?? ?? ?? ?? ?? 8B 4D 08 89 0D ?? ?? ?? ?? 89 4A 04 } + $c1 = { 55 8B EC 83 C4 ?? B8 ?? ?? ?? ?? E8 ?? ?? FF FF E8 ?? ?? FF FF 8D 40 00 } + condition: + any of them +} + +rule borland_component { + meta: + author = "_pusher_" + description = "Borland Component" + date = "2015-08" + version = "0.1" + strings: + $c0 = { E9 ?? ?? ?? FF 8D 40 00 } + condition: + $c0 at pe.entry_point +} + +rule PureBasic : Neil Hodgson +{ + meta: + author="_pusher_" + date="2016-07" + strings: + //make check for msvrt.dll + $c0 = { 55 8B EC 6A 00 68 00 10 00 00 6A ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 00 00 00 00 C7 05 ?? ?? ?? ?? 10 00 00 00 A1 ?? ?? ?? ?? 50 6A ?? 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? A3 ?? ?? 
?? ?? 5D C3 CC CC CC CC CC CC CC CC CC } + $c1 = { 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3 } + $aa0 = "\x00MSVCRT.dll\x00" ascii + $aa1 = "\x00CRTDLL.dll\x00" ascii + condition: + (for any of ($c0,$c1) : ( $ at pe.entry_point )) and + (any of ($aa*) ) and + ((pe.linker_version.major == 2) and (pe.linker_version.minor == 50 )) +} + +rule PureBasicDLL : Neil Hodgson +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8 } + +condition: + $a0 at pe.entry_point +} + +rule PureBasic4xDLL : Neil Hodgson +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 7C 24 08 01 75 0E 8B 44 24 04 A3 ?? ?? ?? 10 E8 22 00 00 00 83 7C 24 08 02 75 00 83 7C 24 08 00 75 05 E8 ?? 00 00 00 83 7C 24 08 03 75 00 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? 0F 00 00 A3 } + +condition: + $a0 at pe.entry_point +} + +rule SkDUndetectabler : SkDrat { + meta: + author = "_pusher_" + condition: + ( + borland_delphi or //check All FSG or + ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0 )) + ) + and + (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size < filesize) and + //is overlay at offset 2A00,1A00,C00,745,739 + //pe.overlay & pe.overlay_size would have been prettier + ( + (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739) or + (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745) or + //Uncompressed + (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00) or + (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00) or + 
(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00) + ) + and + //is xored MZ ? + ( + uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or + uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057 + ) +} + +/* usefull ? 18:53 2016-08-12 +rule MicrosoftVisualCV80 +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 14 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB 94 00 00 00 53 6A 00 8B ?? ?? ?? ?? ?? FF D7 50 FF ?? ?? ?? ?? ?? 8B F0 85 F6 75 0A 6A 12 E8 ?? ?? ?? ?? 59 EB 18 89 1E 56 FF ?? ?? ?? ?? ?? 56 85 C0 75 14 50 FF D7 50 FF ?? ?? ?? ?? ?? B8 } + +condition: + $a0 at pe.entry_point +} +*/ + +rule Cygwin : Red Hat +{ + meta: + author = "_pusher_" + date = "2016-07" + strings: + $a0 = "cygwin1.dll" ascii nocase + $aa1 = "cygwin_internal" + $aa2 = "cygwin_detach_dll" + condition: + ( + (pe.linker_version.major == 2) and (pe.linker_version.minor == 56 ) or + (pe.linker_version.major == 2) and (pe.linker_version.minor == 24 ) or + (pe.linker_version.major == 2) and (pe.linker_version.minor == 25 ) + ) + and + ($a0 and (any of ($aa*) )) +} + +rule MinGW_1 +{ + meta: + author = "_pusher_" + date = "2016-07" + strings: + $a0 = "msvcrt.dll" ascii nocase + $aa1 = "Mingw-w64 runtime failure:" + $aa2 = "-LIBGCCW32-EH-3-SJLJ-GTHR-MINGW32" wide ascii nocase + $aa3 = "_mingw32_init_mainargs" + //too wild ? 
+ $aa4 = "mingw32" + $aa5 = "-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32" wide ascii nocase + $aa6 = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32" wide ascii nocase + $aa7 = "Mingw runtime failure:" + condition: + ( + (pe.linker_version.major == 2) and (pe.linker_version.minor == 56 ) or + (pe.linker_version.major == 2) and ((pe.linker_version.minor >= 21) and (pe.linker_version.minor <= 25)) + ) + and + ($a0 and (any of ($aa*) )) +} + +rule FASM : flat assembler { +//abit weak, needs more targets & testing + meta: + author = "_pusher_" + date = "2016-01" + description = "http://flatassembler.net" + //strings: + //$c0 = { 55 89 E5 83 EC 1C 8D 45 E4 6A 1C 50 FF 75 08 FF 15 ?? ?? ?? ?? 8B 45 E8 C9 C2 04 00 } + condition: + ( + //linker 1.60..1.79 + (pe.linker_version.major == 1) and ((pe.linker_version.minor >= 60) and (pe.linker_version.minor < 80)) + ) + //and $c0 +} + +rule AutoIt +{ + meta: + author = "_pusher_" + date = "2016-07" + description = "www.autoitscript.com/site/autoit/" + strings: + $aa0 = "AutoIt has detected the stack has become corrupt.\n\nStack corruption typically occurs when either the wrong calling convention is used or when the function is called with the wrong number of arguments.\n\nAutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention." wide ascii nocase + $aa1 = "AutoIt Error" wide ascii nocase + $aa2 = "Missing right bracket ')' in expression." wide ascii nocase + $aa3 = "Missing operator in expression." wide ascii nocase + $aa4 = "Unbalanced brackets in expression." wide ascii nocase + $aa5 = "Error parsing function call." 
wide ascii nocase + + $aa6 = ">>>AUTOIT NO CMDEXECUTE<<<" wide ascii nocase + $aa7 = "#requireadmin" wide ascii nocase + $aa8 = "#OnAutoItStartRegister" wide ascii nocase + $aa9 = "#notrayicon" wide ascii nocase + $aa10 = "Cannot parse #include" wide ascii nocase + condition: + 5 of ($aa*) +} + + +rule PellesC : Pelle Orinius +{ + meta: + author = "_pusher_" + date = "2016-08" + description = "www.smorgasbordet.com/pellesc" + strings: + $aa0 = " -- terminating\x0D\x0A\x00 -- terminating\x0A\x00CRT: \x00unexpected error\x00" wide ascii nocase + $aa1 = "unhandled exception (main)\x00unhandled exception in thread\x00unable to create thread\x00unable to destroy semaphore\x00" wide ascii nocase + $aa2 = "unable to wait on semaphore\x00unable to post semaphore\x00unable to init semaphore\x00unable to unlock mutex\x00unable to lock mutex\x00unable to init mutex\x00" wide ascii nocase + $aa3 = "invalid stream lock number\x00corrupt per-thread data\x00out of memory\x00unable to init threads\x00unable to init HEAP" wide ascii nocase + condition: + 3 of ($aa*) and + (pe.linker_version.major == 2) and (pe.linker_version.minor == 50 ) +} + +rule QtFrameWork +{ + meta: + author="_pusher_" + date="2016-08" + strings: + $aa0 = "\x00Qt5Core.dll\x00" ascii + $aa1 = "\x00QtCore4.dll\x00" ascii + condition: + (any of ($aa*) ) +} + +/* usefull ? 18:32 2016-08-10 +rule masm32_tasm32 +{ + meta: + author = "PEiD" + description = "MASM32 / TASM32" + group = "20" + function = "0" + strings: + $a0 = { 6A ?? E8 ?? ?? ?? ?? A3 } + condition: + $a0 +} +*/ diff --git a/yara_sigs/file/crypto.yar b/yara_sigs/file/crypto.yar new file mode 100644 index 0000000..6bc732e --- /dev/null +++ b/yara_sigs/file/crypto.yar 
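Review bot: `IsSuspicious` is the only rule in this file whose condition has no MZ/PE header check — `uint32(0x20) == 0x20202020` fires on any file with four spaces at offset 0x20, including plain text, while its description claims "Might be PE Virus"; prefix it with the same check the neighbouring rules use, `uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and`. `IsPE32` and `IsPE64` likewise test only the MZ word and the optional-header magic, without the `0x00004550` PE-signature check every other `PECheck` rule performs, so a non-PE file with a stray 0x010B/0x020B at that offset is classified as PE. Because `HasDebugData`, `ImportTableIsBad` and `ExportTableIsBad` all gate on `(IsPE32 or IsPE64)`, tightening those two rules also removes the false positives from the rules that build on them.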
@@ -0,0 +1,1434 @@ +/* + This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. +*/ + +rule Big_Numbers0 : Crypto_Algorithms +{ + meta: + author = "_pusher_" + description = "Looks for big numbers 20:sized" + date = "2016-07" + strings: + $c0 = /[0-9a-fA-F]{20}/ fullword ascii + condition: + $c0 +} + +rule Big_Numbers1 : Crypto_Algorithms +{ + meta: + author = "_pusher_" + description = "Looks for big numbers 32:sized" + date = "2016-07" + strings: + $c0 = /[0-9a-fA-F]{32}/ fullword wide ascii + condition: + $c0 +} + +rule Big_Numbers2 : Crypto_Algorithms +{ + meta: + author = "_pusher_" + description = "Looks for big numbers 48:sized" + date = "2016-07" + strings: + $c0 = /[0-9a-fA-F]{48}/ fullword wide ascii + condition: + $c0 +} + +rule Big_Numbers3 : Crypto_Algorithms +{ + meta: + author = "_pusher_" + description = "Looks for big numbers 64:sized" + date = "2016-07" + strings: + $c0 = /[0-9a-fA-F]{64}/ fullword wide ascii + condition: + $c0 +} + +rule Big_Numbers4 : Crypto_Algorithms +{ + meta: + author = "_pusher_" + description = "Looks for big numbers 128:sized" + date = "2016-08" + strings: + $c0 = /[0-9a-fA-F]{128}/ fullword wide ascii + condition: + $c0 +} + +rule Big_Numbers5 : Crypto_Algorithms +{ + meta: + author = "_pusher_" + description = "Looks for big numbers 256:sized" + date = "2016-08" + strings: + $c0 = /[0-9a-fA-F]{256}/ fullword wide ascii + condition: + $c0 +} + +rule Prime_Constants_char : Crypto_Algorithms { + meta: + author = "_pusher_" + description = "List of primes [char]" + date = "2016-07" + strings: + $c0 = { 03 05 07 0B 0D 11 13 17 1D 1F 25 29 2B 2F 35 3B 3D 43 47 49 4F 53 59 61 65 67 6B 6D 71 7F 83 89 8B 95 97 9D A3 A7 AD B3 B5 BF C1 C5 C7 D3 DF E3 E5 E9 EF F1 FB } + condition: + $c0 +} + +rule Prime_Constants_long : Crypto_Algorithms { + meta: + author = "_pusher_" + description = "List of primes [long]" + date = 
"2016-07" + strings: + $c0 = { 03 00 00 00 05 00 00 00 07 00 00 00 0B 00 00 00 0D 00 00 00 11 00 00 00 13 00 00 00 17 00 00 00 1D 00 00 00 1F 00 00 00 25 00 00 00 29 00 00 00 2B 00 00 00 2F 00 00 00 35 00 00 00 3B 00 00 00 3D 00 00 00 43 00 00 00 47 00 00 00 49 00 00 00 4F 00 00 00 53 00 00 00 59 00 00 00 61 00 00 00 65 00 00 00 67 00 00 00 6B 00 00 00 6D 00 00 00 71 00 00 00 7F 00 00 00 83 00 00 00 89 00 00 00 8B 00 00 00 95 00 00 00 97 00 00 00 9D 00 00 00 A3 00 00 00 A7 00 00 00 AD 00 00 00 B3 00 00 00 B5 00 00 00 BF 00 00 00 C1 00 00 00 C5 00 00 00 C7 00 00 00 D3 00 00 00 DF 00 00 00 E3 00 00 00 E5 00 00 00 E9 00 00 00 EF 00 00 00 F1 00 00 00 FB 00 00 00 } + condition: + $c0 +} + + +rule Advapi_Hash_API : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Looks for advapi API functions" + date = "2016-07" + strings: + $advapi32 = "advapi32.dll" wide ascii nocase + $CryptCreateHash = "CryptCreateHash" wide ascii + $CryptHashData = "CryptHashData" wide ascii + $CryptAcquireContext = "CryptAcquireContext" wide ascii + condition: + $advapi32 and ($CryptCreateHash and $CryptHashData and $CryptAcquireContext) +} + +rule Crypt32_CryptBinaryToString_API : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Looks for crypt32 CryptBinaryToStringA function" + date = "2016-08" + strings: + $crypt32 = "crypt32.dll" wide ascii nocase + $CryptBinaryToStringA = "CryptBinaryToStringA" wide ascii + condition: + $crypt32 and ($CryptBinaryToStringA) +} + +rule CRC32c_poly_Constant : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for CRC32c (Castagnoli) [poly]" + date = "2016-08" + strings: + $c0 = { 783BF682 } + condition: + $c0 +} + +rule CRC32_poly_Constant : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for CRC32 [poly]" + date = "2015-05" + version = "0.1" + strings: + $c0 = { 2083B8ED } + condition: + $c0 +} + +rule CRC32_table : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look 
for CRC32 table" + date = "2015-05" + version = "0.1" + strings: + $c0 = { 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 } + condition: + $c0 +} + +rule CRC32_table_lookup : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "CRC32 table lookup" + date = "2015-06" + version = "0.1" + strings: + $c0 = { 8B 54 24 08 85 D2 7F 03 33 C0 C3 83 C8 FF 33 C9 85 D2 7E 29 56 8B 74 24 08 57 8D 9B 00 00 00 00 0F B6 3C 31 33 F8 81 E7 FF 00 00 00 C1 E8 08 33 04 BD ?? ?? ?? ?? 41 3B CA 7C E5 5F 5E F7 D0 C3 } + condition: + $c0 +} + +rule CRC32b_poly_Constant : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for CRC32b [poly]" + date = "2016-04" + version = "0.1" + strings: + $c0 = { B71DC104 } + condition: + $c0 +} + + +rule CRC16_table : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for CRC16 table" + date = "2016-04" + version = "0.1" + strings: + $c0 = { 00 00 21 10 42 20 63 30 84 40 A5 50 C6 60 E7 70 08 81 29 91 4A A1 6B B1 8C C1 AD D1 CE E1 EF F1 31 12 10 02 73 32 52 22 B5 52 94 42 F7 72 D6 62 39 93 18 83 7B B3 5A A3 BD D3 9C C3 FF F3 DE E3 } + condition: + $c0 +} + + +rule FlyUtilsCnDES_ECB_Encrypt : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for FlyUtils.CnDES Encrypt ECB function" + date = "2016-07" + strings: + $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B D9 89 55 F8 89 45 FC 8B 7D 08 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 80 7D 18 00 74 1A 0F B6 55 18 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 80 7D 1C 00 74 1A 0F B6 55 1C 8D 4D E8 8B 45 FC E8 ?? ?? ?? ?? 8B 55 E8 8D 45 FC E8 ?? ?? ?? ?? 85 DB 75 07 E8 ?? ?? ?? ?? 8B D8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 53 6A 00 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 8B 45 F4 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 56 } + condition: + $c0 +} + +rule FlyUtilsCnDES_ECB_Decrypt : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for FlyUtils.CnDES Decrypt ECB function" + date = "2016-07" + strings: + $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B F9 89 55 F8 89 45 FC 8B 5D 18 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 84 DB 74 18 8B D3 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 85 FF 75 07 E8 ?? ?? ?? ?? 8B F8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 57 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 56 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 FF 75 14 FF 75 10 8B 45 0C 50 8B 4D F8 8B 55 F0 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 6A 00 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 08 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB 12 E9 ?? ?? ?? ?? 8B 45 08 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F0 33 D2 89 55 F0 E8 ?? ?? ?? ?? C3 } + condition: + $c0 +} + +rule Elf_Hash : Crypto_Algorithms { + meta: + author = "_pusher_" + description = "Look for ElfHash" + date = "2015-06" + version = "0.3" + strings: + $c0 = { 53 56 33 C9 8B DA 4B 85 DB 7C 25 43 C1 E1 04 33 D2 8A 10 03 CA 8B D1 81 E2 00 00 00 F0 85 D2 74 07 8B F2 C1 EE 18 33 CE F7 D2 23 CA 40 4B 75 DC 8B C1 5E 5B C3 } + $c1 = { 53 33 D2 85 C0 74 2B EB 23 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 D7 8B C2 5B C3 } + $c2 = { 53 56 33 C9 8B D8 85 D2 76 23 C1 E1 04 33 C0 8A 03 03 C8 8B C1 25 00 00 00 F0 85 C0 74 07 8B F0 C1 EE 18 33 CE F7 D0 23 C8 43 4A 75 DD 8B C1 5E 5B C3 } + $c3 = { 53 56 57 8B F2 8B D8 8B FB 53 E8 ?? ?? ?? ?? 6B C0 02 71 05 E8 ?? ?? ?? ?? 
8B D7 33 C9 8B D8 83 EB 01 71 05 E8 ?? ?? ?? ?? 85 DB 7C 2C 43 C1 E1 04 0F B6 02 03 C8 71 05 E8 ?? ?? ?? ?? 83 C2 01 B8 00 00 00 F0 23 C1 85 C0 74 07 8B F8 C1 EF 18 33 CF F7 D0 23 C8 4B 75 D5 8B C1 99 F7 FE 8B C2 85 C0 7D 09 03 C6 71 05 E8 ?? ?? ?? ?? 5F 5E 5B C3 } + $c4 = { 53 33 D2 EB 2C 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CE 8B C2 5B C3 } + $c5 = { 89 C2 31 C0 85 D2 74 30 2B 42 FC 74 2B 89 C1 29 C2 31 C0 53 0F B6 1C 11 01 C3 8D 04 1B C1 EB 14 8D 04 C5 00 00 00 00 81 E3 00 0F 00 00 31 D8 83 C1 01 75 E0 C1 E8 04 5B C3 } + $c6 = { 53 33 D2 85 C0 74 38 EB 30 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CA 8B C2 5B C3 } + condition: + any of them +} + +rule BLOWFISH_Constants : Crypto_Algorithms{ + meta: + author = "phoul (@phoul)" + description = "Look for Blowfish constants" + date = "2014-01" + version = "0.1" + strings: + $c0 = { D1310BA6 } + $c1 = { A60B31D1 } + $c2 = { 98DFB5AC } + $c3 = { ACB5DF98 } + $c4 = { 2FFD72DB } + $c5 = { DB72FD2F } + $c6 = { D01ADFB7 } + $c7 = { B7DF1AD0 } + $c8 = { 4B7A70E9 } + $c9 = { E9707A4B } + $c10 = { F64C261C } + $c11 = { 1C264CF6 } + condition: + 6 of them +} + +rule MD5_Constants : Crypto_Algorithms{ + meta: + author = "phoul (@phoul)" + description = "Look for MD5 constants" + date = "2014-01" + version = "0.2" + strings: + // Init constants + $c0 = { 67452301 } + $c1 = { efcdab89 } + $c2 = { 98badcfe } + $c3 = { 10325476 } + $c4 = { 01234567 } + $c5 = { 89ABCDEF } + $c6 = { FEDCBA98 } + $c7 = { 76543210 } + // Round 2 + $c8 = { F4D50d87 } + $c9 = { 78A46AD7 } + condition: + 5 of them +} + +rule MD5_API : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Looks for MD5 API" + date = "2016-07" + strings: + $advapi32 = "advapi32.dll" wide ascii nocase + $cryptdll = "cryptdll.dll" wide ascii 
nocase + $MD5Init = "MD5Init" wide ascii + $MD5Update = "MD5Update" wide ascii + $MD5Final = "MD5Final" wide ascii + condition: + ($advapi32 or $cryptdll) and ($MD5Init and $MD5Update and $MD5Final) +} + +rule RC6_Constants : Crypto_Algorithms{ + meta: + author = "chort (@chort0)" + description = "Look for RC6 magic constants in binary" + reference = "https://twitter.com/mikko/status/417620511397400576" + reference2 = "https://twitter.com/dyngnosis/status/418105168517804033" + date = "2013-12" + version = "0.2" + strings: + $c1 = { B7E15163 } + $c2 = { 9E3779B9 } + $c3 = { 6351E1B7 } + $c4 = { B979379E } + condition: + 2 of them +} + +rule RIPEMD160_Constants : Crypto_Algorithms{ + meta: + author = "phoul (@phoul)" + description = "Look for RIPEMD-160 constants" + date = "2014-01" + version = "0.1" + strings: + $c0 = { 67452301 } + $c1 = { EFCDAB89 } + $c2 = { 98BADCFE } + $c3 = { 10325476 } + $c4 = { C3D2E1F0 } + $c5 = { 01234567 } + $c6 = { 89ABCDEF } + $c7 = { FEDCBA98 } + $c8 = { 76543210 } + $c9 = { F0E1D2C3 } + condition: + 5 of them +} + +rule SHA1_Constants : Crypto_Algorithms{ + meta: + author = "phoul (@phoul)" + description = "Look for SHA1 constants" + date = "2014-01" + version = "0.1" + strings: + $c0 = { 67452301 } + $c1 = { EFCDAB89 } + $c2 = { 98BADCFE } + $c3 = { 10325476 } + $c4 = { C3D2E1F0 } + $c5 = { 01234567 } + $c6 = { 89ABCDEF } + $c7 = { FEDCBA98 } + $c8 = { 76543210 } + $c9 = { F0E1D2C3 } + //added by _pusher_ 2016-07 - last round + $c10 = { D6C162CA } + condition: + 5 of them +} + +rule SHA512_Constants : Crypto_Algorithms{ + meta: + author = "phoul (@phoul)" + description = "Look for SHA384/SHA512 constants" + date = "2014-01" + version = "0.1" + strings: + $c0 = { 428a2f98 } + $c1 = { 982F8A42 } + $c2 = { 71374491 } + $c3 = { 91443771 } + $c4 = { B5C0FBCF } + $c5 = { CFFBC0B5 } + $c6 = { E9B5DBA5 } + $c7 = { A5DBB5E9 } + $c8 = { D728AE22 } + $c9 = { 22AE28D7 } + condition: + 5 of them +} + +rule TEAN : Crypto_Algorithms{ + meta: + 
author = "_pusher_" + description = "Look for TEA Encryption" + date = "2016-08" + strings: + $c0 = { 2037EFC6 } + condition: + $c0 +} + +rule WHIRLPOOL_Constants : Crypto_Algorithms{ + meta: + author = "phoul (@phoul)" + description = "Look for WhirlPool constants" + date = "2014-02" + version = "0.1" + strings: + $c0 = { 18186018c07830d8 } + $c1 = { d83078c018601818 } + $c2 = { 23238c2305af4626 } + $c3 = { 2646af05238c2323 } + condition: + 2 of them +} + +rule DarkEYEv3_Cryptor : Crypto_Algorithms{ + meta: + description = "Rule to detect DarkEYEv3 encrypted executables (often malware)" + author = "Florian Roth" + reference = "http://darkeyev3.blogspot.fi/" + date = "2015-05-24" + hash0 = "6b854b967397f7de0da2326bdd5d39e710e2bb12" + hash1 = "d53149968eca654fc0e803f925e7526fdac2786c" + hash2 = "7e3a8940d446c57504d6a7edb6445681cca31c65" + hash3 = "d3dd665dd77b02d7024ac16eb0949f4f598299e7" + hash4 = "a907a7b74a096f024efe57953c85464e87275ba3" + hash5 = "b1c422155f76f992048377ee50c79fe164b22293" + hash6 = "29f5322ce5e9147f09e0a86cc23a7c8dc88721b9" + hash7 = "a0382d7c12895489cb37efef74c5f666ea750b05" + hash8 = "f3d5b71b7aeeb6cc917d5bb67e2165cf8a2fbe61" + score = 55 + strings: + $s0 = "\\DarkEYEV3-" + condition: + uint16(0) == 0x5a4d and $s0 +} + +rule Miracl_powmod : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "Miracl powmod" + strings: + $c0 = { 53 55 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 0F 85 EC 01 00 00 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 12 00 00 00 8B 86 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 06 8B 4E 10 3B C1 74 2E 8B 7C 24 1C 57 E8 ?? ?? ?? ?? 83 C4 04 83 F8 02 7C 33 8B 57 04 8B 0E 51 8B 02 50 E8 ?? ?? ?? ?? 83 C4 08 83 F8 01 0F 84 58 01 00 00 EB 17 8B 7C 24 1C 6A 02 57 E8 ?? ?? ?? ?? 83 C4 08 85 C0 0F 84 3F 01 00 00 8B 8E C4 01 00 00 8B 54 24 18 51 52 E8 ?? ?? ?? ?? 
8B 86 CC } + condition: + $c0 +} + +rule Miracl_crt : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "Miracl crt" + strings: + $c0 = { 51 56 57 E8 ?? ?? ?? ?? 8B 74 24 10 8B F8 89 7C 24 08 83 7E 0C 02 0F 8C 99 01 00 00 8B 87 18 02 00 00 85 C0 0F 85 8B 01 00 00 8B 57 1C 42 8B C2 89 57 1C 83 F8 18 7D 17 C7 44 87 20 4A 00 00 00 8B 87 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 46 04 8B 54 24 14 53 55 8B 08 8B 02 51 50 E8 ?? ?? ?? ?? 8B 4E 0C B8 01 00 00 00 83 C4 08 33 ED 3B C8 89 44 24 18 0F 8E C5 00 00 00 BF 04 00 00 00 8B 46 04 8B 0C 07 8B 10 8B 44 24 1C 51 52 8B 0C 07 51 E8 ?? ?? ?? ?? 8B 56 04 8B 4E 08 8B 04 } + condition: + $c0 +} + +rule CryptoPP_a_exp_b_mod_c : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "CryptoPP a_exp_b_mod_c" + strings: + $c0 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC ?? 00 00 00 56 8B B4 24 B0 00 00 00 57 6A 00 8B CE C7 44 24 0C 00 00 00 00 E8 ?? ?? ?? ?? 84 C0 0F 85 16 01 00 00 8D 4C 24 24 E8 ?? ?? ?? ?? BF 01 00 00 00 56 8D 4C 24 34 89 BC 24 A4 00 00 00 E8 ?? ?? ?? ?? 8B 06 8D 4C 24 3C 50 6A 00 C6 84 24 A8 00 00 00 02 E8 ?? ?? ?? ?? 8D 4C 24 48 C6 84 24 A0 00 00 00 03 E8 ?? ?? ?? ?? C7 44 24 24 ?? ?? ?? ?? 8B 8C 24 AC 00 00 00 8D 54 24 0C 51 52 8D 4C 24 2C C7 84 24 A8 } + $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 4C 56 57 33 FF 8D 44 24 0C 89 7C 24 08 C7 44 24 10 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 89 44 24 14 8B 74 24 70 8D 4C 24 18 56 89 7C 24 60 E8 ?? ?? ?? ?? 8B 76 08 8D 4C 24 2C 56 57 C6 44 24 64 01 E8 ?? ?? ?? ?? 8D 4C 24 40 C6 44 24 5C 02 E8 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 8B 4C 24 6C 8B 54 24 68 8B 74 24 64 51 52 56 8D 4C 24 18 C7 44 24 68 03 00 00 00 E8 ?? ?? ?? ?? 8B 7C 24 4C 8B 4C 24 48 8B D7 33 C0 F3 } + $c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 34 56 57 33 FF 8D 44 24 0C 89 7C 24 08 C7 44 24 10 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 89 44 24 14 8B 74 24 58 8D 4C 24 18 56 89 7C 24 48 E8 ?? ?? ?? ?? 
8B 0E C6 44 24 44 01 51 57 8D 4C 24 2C E8 ?? ?? ?? ?? 8D 4C 24 30 C6 44 24 44 02 E8 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 8B 54 24 54 8B 44 24 50 8B 74 24 4C 52 50 56 8D 4C 24 18 C7 44 24 50 03 00 00 00 E8 ?? ?? ?? ?? 8B 4C 24 30 8B 7C 24 34 33 C0 F3 AB 8B 4C } + condition: + any of them +} + +rule CryptoPP_modulo : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "CryptoPP modulo" + strings: + $c0 = { 83 EC 20 53 55 8B 6C 24 2C 8B D9 85 ED 89 5C 24 08 75 18 8D 4C 24 0C E8 ?? ?? ?? ?? 8D 44 24 0C 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D FF 56 85 CD 57 75 09 8B 53 04 8B 02 23 C1 EB 76 8B CB E8 ?? ?? ?? ?? 83 FD 05 8B C8 77 2D 33 F6 33 FF 49 85 C0 74 18 8B 53 04 8D 41 01 8D 14 8A 8B 0A 03 F1 83 D7 00 48 83 EA 04 85 C0 77 F1 6A 00 55 57 56 E8 ?? ?? ?? ?? EB 3B 33 C0 8B D1 49 85 D2 74 32 8B 54 24 10 33 DB 8D 71 01 8B 52 04 8D 3C 8A 8B 17 33 ED 0B C5 8B 6C 24 34 33 C9 53 0B CA 55 } + $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 2C 56 57 8B F1 33 FF 8D 4C 24 20 89 7C 24 08 E8 ?? ?? ?? ?? 8D 4C 24 0C 89 7C 24 3C E8 ?? ?? ?? ?? 8B 44 24 48 8D 4C 24 0C 50 56 8D 54 24 28 51 52 C6 44 24 4C 01 E8 ?? ?? ?? ?? 8B 74 24 54 83 C4 10 8D 44 24 20 8B CE 50 E8 ?? ?? ?? ?? 8B 7C 24 18 8B 4C 24 14 8B D7 33 C0 F3 AB 52 E8 ?? ?? ?? ?? 8B 7C 24 30 8B 4C 24 2C 8B D7 33 C0 C7 44 24 10 ?? ?? ?? ?? 52 F3 AB E8 ?? ?? ?? ?? 8B 4C 24 3C 83 C4 08 8B C6 64 89 } + $c2 = { 83 EC 24 53 55 8B 6C 24 30 8B D9 85 ED 89 5C 24 08 75 18 8D 4C 24 0C E8 ?? ?? ?? ?? 8D 44 24 0C 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D FF 56 85 CD 57 75 09 8B 53 0C 8B 02 23 C1 EB 76 8B CB E8 ?? ?? ?? ?? 83 FD 05 8B C8 77 2D 33 F6 33 FF 49 85 C0 74 18 8B 53 0C 8D 41 01 8D 14 8A 8B 0A 03 F1 83 D7 00 48 83 EA 04 85 C0 77 F1 6A 00 55 57 56 E8 ?? ?? ?? ?? EB 3B 33 C0 8B D1 49 85 D2 74 32 8B 54 24 10 33 DB 8D 71 01 8B 52 0C 8D 3C 8A 8B 17 33 ED 0B C5 8B 6C 24 38 33 C9 53 0B CA 55 } + $c3 = { 6A FF 68 ?? ?? ?? ?? 
64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 1C 56 57 8B F1 33 FF 8D 4C 24 0C 89 7C 24 08 E8 ?? ?? ?? ?? 8D 4C 24 18 89 7C 24 2C E8 ?? ?? ?? ?? 8B 44 24 38 8D 4C 24 18 50 56 8D 54 24 14 51 52 C6 44 24 3C 01 E8 ?? ?? ?? ?? 8B 74 24 44 83 C4 10 8D 44 24 0C 8B CE 50 E8 ?? ?? ?? ?? 8B 4C 24 18 8B 7C 24 1C 33 C0 F3 AB 8B 4C 24 1C 51 E8 ?? ?? ?? ?? 8B 4C 24 10 8B 7C 24 14 33 C0 F3 AB 8B 54 24 14 52 E8 ?? ?? ?? ?? 8B 4C 24 2C 83 C4 08 8B C6 64 89 0D 00 00 00 } + condition: + any of them +} + +rule FGint_MontgomeryModExp : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-06" + version = "0.2" + description = "FGint MontgomeryModExp" + strings: + $c0 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 } + $c1 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 } + $c2 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 ?? E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 } + $c3 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 D0 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 47 4C 47 00 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 D0 E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 02 02 00 00 } + condition: + any of them +} + +rule FGint_FGIntModExp : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-05" + description = "FGint FGIntModExp" + strings: + $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D ?? 8B F1 89 55 ?? 8B D8 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 46 04 8B 40 04 83 E0 01 83 F8 01 75 0F 57 8B CE 8B 55 ?? 8B C3 E8 ?? ?? ?? ?? EB ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 F4 8B C3 E8 ?? ?? ?? ?? 8B 45 } + condition: + $c0 +} + +rule FGint_MulByInt : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-05" + description = "FGint MulByInt" + strings: + $c0 = { 53 56 57 55 83 C4 E8 89 4C 24 04 8B EA 89 04 24 8B 04 24 8B 40 04 8B 00 89 44 24 08 8B 44 24 08 83 C0 02 50 8D 45 04 B9 01 00 00 00 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 C4 04 33 F6 8B 7C 24 08 85 FF 76 6D BB 01 00 00 00 8B 04 24 8B 40 04 8B 04 98 33 D2 89 44 24 10 89 54 24 14 8B 44 24 04 33 D2 52 50 8B 44 24 18 8B 54 24 1C ?? ?? ?? ?? ?? 
89 44 24 10 89 54 24 14 8B C6 33 D2 03 44 24 10 13 54 24 14 89 44 24 10 89 54 24 14 8B 44 24 10 25 FF FF FF 7F 8B 55 04 89 04 9A 8B 44 24 10 8B 54 24 14 0F AC D0 1F C1 EA 1F 8B F0 43 4F 75 98 } + condition: + $c0 +} + +rule FGint_DivMod : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-05" + description = "FGint FGIntDivMod" + strings: + $c0 = { 55 8B EC 83 C4 BC 53 56 57 8B F1 89 55 F8 89 45 FC 8B 5D 08 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 FC 8A 00 88 45 D7 8B 45 F8 8A 00 88 45 D6 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B D3 8B 45 FC E8 ?? ?? ?? ?? 8D 55 E0 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 F8 8B 45 FC } + condition: + $c0 +} + +rule FGint_FGIntDestroy : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-05" + description = "FGint FGIntDestroy" + strings: + $c0 = { 53 8B D8 8D 43 04 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5B C3 } + condition: + $c0 +} + +rule FGint_Base10StringToGInt : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-06" + version = "0.2" + description = "FGint Base10StringToGInt" + strings: + $c0 = { 55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 8B DA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC ?? ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC ?? ?? ?? ?? ?? 8B 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? EB 18 C6 45 EB 01 EB 12 8D 45 FC } + $c1 = { 55 8B EC 83 C4 D8 53 56 57 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D E4 89 4D EC 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 0F 42 45 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 
8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E4 BA 28 42 45 00 E8 ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? EB 18 C6 45 EB 01 } + $c2 = { 55 8B EC 83 C4 D8 53 56 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D F8 89 4D F4 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 A6 32 47 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 8B 45 FC 0F B6 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D3 8D 45 E0 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E0 BA BC 32 47 00 E8 ?? ?? ?? ?? 75 18 C6 45 E9 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? EB 18 C6 45 E9 01 } + + condition: + any of them +} + +rule FGint_ConvertBase256to64 : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-05" + description = "FGint ConvertBase256to64" + strings: + $c0 = { 55 8B EC 81 C4 EC FB FF FF 53 56 57 33 C9 89 8D EC FB FF FF 89 8D F0 FB FF FF 89 4D F8 8B FA 89 45 FC B9 00 01 00 00 8D 85 F4 FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 F4 FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 7E 2F BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F4 FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E5 EB } + condition: + $c0 +} + +rule FGint_ConvertHexStringToBase256String : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-06" + version = "0.2" + description = "FGint ConvertHexStringToBase256String" + strings: + $c0 = { 55 8B EC 83 C4 F0 53 56 33 C9 89 4D F0 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 
D1 F8 79 03 83 D0 00 85 C0 7E 5F 89 45 F4 BE 01 00 00 00 8B C6 03 C0 8B 55 FC 8A 54 02 FF 8B 4D FC 8A 44 01 FE 3C 3A 73 0A 8B D8 80 EB 30 C1 E3 04 EB 08 8B D8 80 EB 37 C1 E3 04 80 FA 3A 73 07 80 EA 30 0A DA EB 05 80 EA 37 0A DA 8D 45 F0 8B D3 } + condition: + $c0 +} + +rule FGint_Base256StringToGInt : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-05" + description = "FGint Base256StringToGInt" + strings: + $c0 = { 55 8B EC 81 C4 F8 FB FF FF 53 56 57 33 C9 89 4D F8 8B FA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? B9 00 01 00 00 8D 85 F8 FB FF FF 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F8 ?? ?? ?? ?? ?? 8D 85 F8 FB FF FF BA FF 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC ?? ?? ?? ?? ?? 8B D8 85 DB 7E 34 BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F8 FB FF FF ?? ?? ?? ?? ?? 46 4B 75 E5 EB 12 8D 45 F8 B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 F8 80 38 30 75 0F } + condition: + $c0 +} + +rule FGint_FGIntToBase256String : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-06" + version = "0.2" + description = "FGint FGIntToBase256String" + strings: + $c0 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4B 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 8A 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 4B 75 B5 } + $c1 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 
25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC 85 C0 74 05 83 E8 04 8B 00 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4C 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 0F B6 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 } + condition: + any of them +} + +rule FGint_ConvertBase256StringToHexString : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-05" + description = "FGint ConvertBase256StringToHexString" + strings: + $c0 = { 55 8B EC 33 C9 51 51 51 51 51 51 53 56 57 8B F2 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B C6 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 8B F8 85 FF 0F 8E AB 00 00 00 C7 45 F8 01 00 00 00 8B 45 FC 8B 55 F8 8A 5C 10 FF 33 C0 8A C3 C1 E8 04 83 F8 0A 73 1E 8D 45 F4 33 D2 8A D3 C1 EA 04 83 C2 30 E8 ?? ?? ?? ?? 8B 55 F4 8B C6 E8 ?? ?? ?? ?? EB 1C 8D 45 F0 33 D2 8A D3 C1 EA 04 83 C2 37 E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8B C3 24 0F 3C 0A 73 22 8D 45 EC 8B D3 80 E2 0F 81 E2 FF 00 00 00 83 C2 30 E8 ?? ?? ?? ?? 8B 55 EC 8B C6 E8 ?? ?? ?? ?? EB 20 8D 45 E8 8B D3 80 E2 0F 81 E2 FF 00 00 00 83 C2 37 } + condition: + $c0 +} + + +rule FGint_PGPConvertBase256to64 : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2016-08" + description = "FGint PGPConvertBase256to64" + strings: + $c0 = { 55 8B EC 81 C4 E8 FB FF FF 53 56 57 33 C9 89 8D E8 FB FF FF 89 4D F8 89 4D F4 89 4D F0 8B FA 89 45 FC B9 00 01 00 00 8D 85 EC FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 EC FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC 8B 00 E8 ?? ?? ?? ?? 8B D8 85 DB 7E 22 BE 01 00 00 00 8D 45 F8 8B 55 FC 8B 12 0F B6 54 32 FF 8B 94 95 EC FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E3 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 85 D2 75 0A 8D 45 F0 E8 ?? ?? ?? ?? EB 4B 8B 45 F8 E8 ?? ?? ?? ?? 
B9 06 00 00 00 99 F7 F9 83 FA 04 75 1C 8D 45 F8 BA 4C 33 40 00 E8 ?? ?? ?? ?? 8D 45 F0 BA 58 33 40 00 E8 ?? ?? ?? ?? EB 1A 8D 45 F8 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B D8 85 DB 7E 57 8D 45 F4 50 B9 06 00 00 00 BA 01 00 00 00 8B 45 F8 E8 ?? ?? ?? ?? 8D 45 EC 8B 55 F4 E8 ?? ?? ?? ?? 8D 85 E8 FB FF FF 8B 55 EC 8A 92 ?? ?? ?? ?? E8 } + condition: + $c0 +} + + +rule FGint_RSAEncrypt : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-05" + description = "FGint RSAEncrypt" + strings: + $c0 = { 55 8B EC 83 C4 D0 53 56 57 33 DB 89 5D D0 89 5D DC 89 5D D8 89 5D D4 8B F9 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 E0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 DC 8B C7 E8 ?? ?? ?? ?? 8B 45 DC E8 ?? ?? ?? ?? 8B D8 8D 55 DC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 DC 8B 4D DC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F3 4E EB 10 } + condition: + $c0 +} + +rule FGint_RsaDecrypt : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "FGint RsaDecrypt" + strings: + $c0 = { 55 8B EC 83 C4 A0 53 56 57 33 DB 89 5D A0 89 5D A4 89 5D A8 89 5D B4 89 5D B0 89 5D AC 89 4D F8 8B FA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 } + condition: + $c0 +} + +rule FGint_RSAVerify : Crypto_Algorithms +{ meta: + author = "_pusher_" + description = "FGint RSAVerify" + strings: + $c0 = { 55 8B EC 83 C4 E0 53 56 8B F1 89 55 F8 89 45 FC 8B 5D 0C 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 
8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 E8 8B 45 F8 E8 ?? ?? ?? ?? 8D 55 F0 8B 45 FC E8 ?? ?? ?? ?? 8D 4D E0 8B D3 8D 45 F0 E8 ?? ?? ?? ?? 8D 55 F0 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 E0 50 8B CB 8B D6 8D 45 E8 E8 ?? ?? ?? ?? 8D 55 E8 8D 45 E0 E8 ?? ?? ?? ?? 8D 55 F0 8D 45 E8 E8 ?? ?? ?? ?? 3C 02 8B 45 08 0F 94 00 8D 45 E8 E8 ?? ?? ?? ?? 8D 45 F0 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? B9 03 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 BA 02 00 00 00 E8 ?? ?? ?? ?? C3 } + condition: + $c0 +} + +rule FGint_FindPrimeGoodCurveAndPoint : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-06" + description = "FGint FindPrimeGoodCurveAndPoint" + version = "0.1" + strings: + $c0 = { 55 8B EC 83 C4 F4 53 56 57 33 DB 89 5D F4 89 4D FC 8B FA 8B F0 33 C0 55 } + condition: + $c0 +} + +rule FGint_ECElGamalEncrypt : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2016-08" + description = "FGint ECElGamalEncrypt" + version = "0.1" + strings: + $c0 = { 55 8B EC 81 C4 3C FF FF FF 53 56 57 33 DB 89 5D D8 89 5D D4 89 5D D0 8B 75 10 8D 7D 8C A5 A5 A5 A5 A5 8B 75 14 8D 7D A0 A5 A5 A5 A5 A5 8B 75 18 8D 7D DC A5 A5 8B 75 1C 8D 7D E4 A5 A5 8B F1 8D 7D EC A5 A5 8B F2 8D 7D F4 A5 A5 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 8C 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 78 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 64 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 50 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 3C FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
8D 7D CF } + $c1 = { 55 8B EC 83 C4 A8 53 56 57 33 DB 89 5D A8 89 5D AC 89 5D BC 89 5D B8 89 5D B4 89 4D F4 89 55 F8 89 45 FC 8B 75 0C 8B 45 FC E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 71 14 41 00 64 FF 30 64 89 20 8D 55 BC 8B C6 E8 ?? ?? ?? ?? 8B 45 BC E8 ?? ?? ?? ?? 8B D8 8D 55 BC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 BC 8B 4D BC BA 8C 14 41 00 E8 ?? ?? ?? ?? 8B FB 4F EB 10 8D 45 BC 8B 4D BC BA 98 14 41 00 E8 ?? ?? ?? ?? 8B 45 BC } + condition: + $c0 or $c1 +} + +rule FGint_ECAddPoints : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-06" + description = "FGint ECAddPoints" + version = "0.1" + strings: + $c0 = { 55 8B EC 83 C4 A8 53 56 57 8B 75 0C 8D 7D F0 A5 A5 8B F1 8D 7D F8 A5 A5 8B F2 8D 7D A8 A5 A5 A5 A5 A5 8B F0 8D 7D BC A5 A5 A5 A5 A5 8B 5D 08 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 } + condition: + $c0 +} + +rule FGint_ECPointKMultiple : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-06" + description = "FGint ECPointKMultiple" + version = "0.1" + strings: + $c0 = { 55 8B EC 83 C4 BC 53 56 57 33 DB 89 5D E4 8B 75 0C 8D 7D E8 A5 A5 8B F1 8D 7D F0 A5 A5 8B F2 8D 7D F8 A5 A5 8B F0 8D 7D D0 A5 A5 A5 A5 A5 8B 5D 08 8D 45 D0 8B 15 ?? ?? ?? 00 E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
33 C0 55 68 } + condition: + $c0 +} + +rule FGint_ECPointDestroy : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-06" + description = "FGint ECPointDestroy" + version = "0.1" + strings: + $c0 = { 53 8B D8 8B C3 E8 ?? ?? ?? ?? 8D 43 08 E8 ?? ?? ?? ?? 5B C3 } + condition: + $c0 +} + +rule FGint_DSAPrimeSearch : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2016-08" + description = "FGint DSAPrimeSearch" + version = "0.1" + strings: + $c0 = { 55 8B EC 83 C4 DC 53 56 8B DA 8B F0 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 4D F8 8B D6 8B C6 E8 ?? ?? ?? ?? 8D 4D E8 8B D6 8B C3 E8 ?? ?? ?? ?? 8D 55 F0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D E0 8D 55 E8 8B C3 E8 ?? ?? ?? ?? 8D 45 E8 E8 ?? ?? ?? ?? 8D 4D E8 8D 55 F0 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 F0 E8 ?? ?? ?? ?? 8B 45 EC 8B 40 04 83 E0 01 85 C0 75 18 8D 4D E0 8B D6 8D 45 E8 E8 ?? ?? ?? ?? 8D 55 E8 8D 45 E0 E8 ?? ?? ?? ?? 8B D3 8D 45 E8 E8 ?? ?? ?? ?? C6 45 DF 00 EB 26 8D 4D E8 8D 55 F8 8B C3 E8 ?? ?? ?? ?? 8B D3 8D 45 E8 E8 ?? ?? ?? ?? 8D 4D DF 8B C3 BA 05 00 00 00 E8 ?? ?? ?? ?? 80 7D DF 00 74 D4 8D 45 F8 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? B9 04 00 00 00 E8 ?? ?? ?? ?? C3 } + condition: + $c0 +} + +rule FGint_DSASign : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2016-08" + description = "FGint DSASign" + version = "0.1" + strings: + $c0 = { 55 8B EC 83 C4 CC 53 56 57 89 4D FC 8B DA 8B F8 8B 75 14 8B 45 10 E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F4 50 8B CF 8B D6 8B 45 FC E8 ?? 
?? ?? ?? 8D 4D D4 8B D3 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8B C6 E8 ?? ?? ?? ?? 8D 55 EC 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 D4 8B 45 18 E8 ?? ?? ?? ?? 8D 4D DC 8D 55 E4 8D 45 EC E8 ?? ?? ?? ?? 8D 45 EC E8 ?? ?? ?? ?? 8D 45 E4 E8 ?? ?? ?? ?? 8D 45 CC 50 8B CB 8D 55 DC 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 DC E8 ?? ?? ?? ?? 8B 55 0C 8D 45 D4 E8 ?? ?? ?? ?? 8B 55 08 8D 45 CC E8 ?? ?? ?? ?? 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 CC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? B9 06 00 00 00 E8 } + condition: + $c0 +} + +rule FGint_DSAVerify : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2016-08" + description = "FGint DSAVerify" + version = "0.1" + strings: + $c0 = { 55 8B EC 83 C4 B4 53 56 57 89 4D FC 8B DA 8B F0 8B 7D 08 8B 45 14 E8 ?? ?? ?? ?? 8B 45 10 E8 ?? ?? ?? ?? 8B 45 0C E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 CC 8B 45 0C E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8D 45 CC E8 ?? ?? ?? ?? 8D 55 C4 8B 45 14 E8 ?? ?? ?? ?? 8D 45 EC 50 8B CB 8D 55 F4 8D 45 C4 E8 ?? ?? ?? ?? 8D 45 C4 E8 ?? ?? ?? ?? 8D 55 D4 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 F4 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 C4 50 8B CE 8D 55 EC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 BC 50 8B CE 8D 55 E4 8B 45 18 E8 ?? ?? ?? ?? 8D 45 B4 50 8B CE 8D 55 BC 8D 45 C4 E8 ?? ?? ?? ?? 
8D 45 C4 E8 } + condition: + $c0 +} + + +rule DES_Long : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-05" + description = "DES [long]" + strings: + $c0 = { 10 80 10 40 00 00 00 00 00 80 10 00 00 00 10 40 10 00 00 40 10 80 00 00 00 80 00 40 00 80 10 00 00 80 00 00 10 00 10 40 10 00 00 00 00 80 00 40 10 00 10 00 00 80 10 40 00 00 10 40 10 00 00 00 } + condition: + $c0 +} + +rule DES_sbox : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-05" + description = "DES [sbox]" + strings: + $c0 = { 00 04 01 01 00 00 00 00 00 00 01 00 04 04 01 01 04 00 01 01 04 04 01 00 04 00 00 00 00 00 01 00 00 04 00 00 00 04 01 01 04 04 01 01 00 04 00 00 04 04 00 01 04 00 01 01 00 00 00 01 04 00 00 00 } + condition: + $c0 +} + +rule DES_pbox_long : Crypto_Algorithms +{ meta: + author = "_pusher_" + date = "2015-05" + description = "DES [pbox] [long]" + strings: + $c0 = { 0F 00 00 00 06 00 00 00 13 00 00 00 14 00 00 00 1C 00 00 00 0B 00 00 00 1B 00 00 00 10 00 00 00 00 00 00 00 0E 00 00 00 16 00 00 00 19 00 00 00 04 00 00 00 11 00 00 00 1E 00 00 00 09 00 00 00 01 00 00 00 07 00 00 00 17 00 00 00 0D 00 00 00 1F 00 00 00 1A 00 00 00 02 00 00 00 08 00 00 00 12 00 00 00 0C 00 00 00 1D 00 00 00 05 00 00 00 } + condition: + $c0 +} + +rule OpenSSL_BN_mod_exp2_mont : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "OpenSSL BN_mod_exp2_mont" + strings: + $c0 = { B8 30 05 00 00 E8 ?? ?? ?? ?? 8B 84 24 48 05 00 00 53 33 DB 56 8B 08 57 89 5C 24 24 89 5C 24 30 8A 01 89 5C 24 28 A8 01 89 5C 24 0C 75 24 68 89 00 00 00 68 ?? ?? ?? ?? 6A 66 6A 76 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 30 05 00 00 C3 8B 94 24 48 05 00 00 52 E8 ?? ?? ?? ?? 8B F0 8B 84 24 54 05 00 00 50 E8 ?? ?? ?? ?? 83 C4 08 3B F3 8B F8 75 20 3B FB 75 1C 8B 8C 24 40 05 00 00 6A 01 51 E8 ?? ?? ?? ?? 
83 C4 08 5F 5E 5B 81 C4 30 05 00 00 C3 3B F7 89 74 24 18 7F 04 89 } + condition: + $c0 +} + +rule OpenSSL_BN_mod_exp_mont : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "OpenSSL BN_mod_exp_mont" + strings: + $c0 = { B8 A0 02 00 00 E8 ?? ?? ?? ?? 53 56 57 8B BC 24 BC 02 00 00 33 F6 8B 07 89 74 24 24 89 74 24 20 89 74 24 0C F6 00 01 75 24 68 72 01 00 00 68 ?? ?? ?? ?? 6A 66 6A 6D 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 A0 02 00 00 C3 8B 8C 24 B8 02 00 00 51 E8 ?? ?? ?? ?? 8B D8 83 C4 04 3B DE 89 5C 24 18 75 1C 8B 94 24 B0 02 00 00 6A 01 52 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B 81 C4 A0 02 00 00 C3 55 8B AC 24 C4 02 00 00 55 E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 8B F0 55 89 74 24 24 E8 } + condition: + $c0 +} + +rule OpenSSL_BN_mod_exp_recp : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "OpenSSL BN_mod_exp_recp" + strings: + $c0 = { B8 C8 02 00 00 E8 ?? ?? ?? ?? 8B 84 24 D4 02 00 00 55 56 33 F6 50 89 74 24 1C 89 74 24 18 E8 ?? ?? ?? ?? 8B E8 83 C4 04 3B EE 89 6C 24 0C 75 1B 8B 8C 24 D4 02 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5E 5D 81 C4 C8 02 00 00 C3 53 57 8B BC 24 EC 02 00 00 57 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B D8 83 C4 08 3B DE 0F 84 E7 02 00 00 8D 54 24 24 52 E8 ?? ?? ?? ?? 8B B4 24 EC 02 00 00 83 C4 04 8B 46 0C 85 C0 74 32 56 53 E8 ?? ?? ?? ?? 83 C4 08 85 C0 0F 84 BA 02 00 00 57 8D 44 24 28 53 } + condition: + $c0 +} + +rule OpenSSL_BN_mod_exp_simple : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "OpenSSL BN_mod_exp_simple" + strings: + $c0 = { B8 98 02 00 00 E8 ?? ?? ?? ?? 8B 84 24 A4 02 00 00 55 56 33 ED 50 89 6C 24 1C 89 6C 24 18 E8 ?? ?? ?? ?? 8B F0 83 C4 04 3B F5 89 74 24 0C 75 1B 8B 8C 24 A4 02 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5E 5D 81 C4 98 02 00 00 C3 53 57 8B BC 24 BC 02 00 00 57 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B D8 83 C4 08 3B DD 0F 84 71 02 00 00 8D 54 24 28 52 E8 ?? ?? ?? ?? 8B AC 24 BC 02 00 00 8B 84 24 B4 02 00 00 57 55 8D 4C 24 34 50 51 C7 44 24 30 01 00 00 00 E8 ?? ?? ?? ?? 
83 C4 14 85 C0 0F } + condition: + $c0 +} + +rule OpenSSL_BN_mod_exp_inverse : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "OpenSSL BN_mod_exp_inverse" + strings: + $c0 = { B8 18 00 00 00 E8 ?? ?? ?? ?? 53 55 56 57 8B 7C 24 38 33 C0 57 89 44 24 20 89 44 24 24 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 57 89 44 24 1C E8 ?? ?? ?? ?? 57 8B F0 E8 ?? ?? ?? ?? 57 89 44 24 28 E8 ?? ?? ?? ?? 57 8B E8 E8 ?? ?? ?? ?? 57 8B D8 E8 ?? ?? ?? ?? 8B F8 8B 44 24 54 50 89 7C 24 38 E8 ?? ?? ?? ?? 83 C4 20 89 44 24 24 85 C0 8B 44 24 2C 0F 84 78 05 00 00 85 C0 75 05 E8 ?? ?? ?? ?? 85 C0 89 44 24 1C 0F 84 63 05 00 00 8B 4C 24 14 6A 01 51 E8 ?? ?? ?? ?? 6A 00 57 E8 } + condition: + $c0 +} + +rule OpenSSL_DSA : Crypto_Algorithms +{ + meta: + author="_pusher_" + date="2016-08" + strings: + $a0 = "bignum_data" wide ascii nocase + $a1 = "DSA_METHOD" wide ascii nocase + $a2 = "PDSA" wide ascii nocase + $a3 = "dsa_mod_exp" wide ascii nocase + $a4 = "bn_mod_exp" wide ascii nocase + $a5 = "dsa_do_verify" wide ascii nocase + $a6 = "dsa_sign_setup" wide ascii nocase + $a7 = "dsa_do_sign" wide ascii nocase + $a8 = "dsa_paramgen" wide ascii nocase + $a9 = "BN_MONT_CTX" wide ascii nocase + condition: + 7 of ($a*) +} + +rule FGint_RsaSign : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "FGint RsaSign" + strings: + $c0 = { 55 8B EC 83 C4 B8 53 56 57 89 4D F8 8B FA 89 45 FC 8B 75 0C 8B 5D 10 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 
64 FF 30 64 89 20 8D 55 F0 }
+ condition:
+ $c0
+}
+
+
+rule LockBox_RsaEncryptFile : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "LockBox RsaEncryptFile"
+ strings:
+ $c0 = { 55 8B EC 83 C4 F8 53 56 8B F1 8B DA 6A 20 8B C8 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 FC 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 68 FF FF 00 00 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8A 45 08 50 8B CE 8B 55 F8 8B 45 FC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? C3 }
+ condition:
+ $c0
+}
+
+rule LockBox_DecryptRsaEx : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "LockBox DecryptRsaEx"
+ strings:
+ $c0 = { 55 8B EC 83 C4 F4 53 56 57 89 4D F8 89 55 FC 8B D8 33 C0 8A 43 04 0F B7 34 45 ?? ?? ?? ?? 0F B7 3C 45 ?? ?? ?? ?? 8B CE B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 FC 8B CE 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 B1 02 8B D3 8B 45 F4 E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 3B C7 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 8B C8 8B 55 F8 8B 45 F4 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 }
+ condition:
+ $c0
+}
+
+rule LockBox_EncryptRsaEx : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "LockBox EncryptRsaEx"
+ strings:
+ $c0 = { 55 8B EC 83 C4 F8 53 56 57 89 4D FC 8B FA 8B F0 33 C0 8A 46 04 0F B7 1C 45 ?? ?? ?? ?? 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B D7 8B 4D 08 8B 45 F8 E8 ?? ?? ?? ?? 6A 01 B1 02 8B D6 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 3B C3 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B C8 8B 55 FC 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 
8B 45 F8 E8 } + condition: + $c0 +} + +rule LockBox_TlbRsaKey : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "LockBox TlbRsaKey" + strings: + $c0 = { 53 56 84 D2 74 08 83 C4 F0 E8 ?? ?? ?? ?? 8B DA 8B F0 33 D2 8B C6 E8 ?? ?? ?? ?? 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 0C 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 10 8B C6 84 DB 74 0F E8 ?? ?? ?? ?? 64 8F 05 00 00 00 00 83 C4 0C 8B C6 5E 5B C3 } + condition: + $c0 +} + +rule BigDig_bpInit : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "BigDig bpInit" + strings: + $c0 = { 56 8B 74 24 0C 6A 04 56 E8 ?? ?? ?? ?? 8B C8 8B 44 24 10 83 C4 08 85 C9 89 08 75 04 33 C0 5E C3 89 70 08 C7 40 04 00 00 00 00 5E C3 } + condition: + $c0 +} + +rule BigDig_mpModExp : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "BigDig mpModExp" + strings: + $c0 = { 56 8B 74 24 18 85 F6 75 05 83 C8 FF 5E C3 53 55 8B 6C 24 18 57 56 55 E8 ?? ?? ?? ?? 8B D8 83 C4 08 BF 00 00 00 80 8B 44 9D FC 85 C7 75 04 D1 EF 75 F8 83 FF 01 75 08 BF 00 00 00 80 4B EB 02 D1 EF 8B 44 24 18 56 8B 74 24 18 50 56 E8 ?? ?? ?? ?? 83 C4 0C 85 DB 74 4F 8D 6C 9D FC 8B 4C 24 24 8B 54 24 20 51 52 56 56 56 E8 ?? ?? ?? ?? 8B 45 00 83 C4 14 85 C7 74 19 8B 44 24 24 8B 4C 24 20 8B 54 24 18 50 51 52 56 56 E8 ?? ?? ?? ?? 83 C4 14 83 FF 01 75 0B 4B BF 00 00 00 80 83 ED 04 EB } + condition: + $c0 +} + +rule BigDig_mpModInv : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "BigDig mpModInv" + strings: + $c0 = { 81 EC 2C 07 00 00 8D 84 24 CC 00 00 00 53 56 8B B4 24 44 07 00 00 57 56 6A 01 50 E8 ?? ?? ?? ?? 8B 8C 24 4C 07 00 00 56 8D 94 24 80 02 00 00 51 52 E8 ?? ?? ?? ?? 8D 84 24 BC 01 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 64 07 00 00 56 8D 4C 24 30 53 51 E8 ?? ?? ?? ?? 8D 54 24 38 56 52 BF 01 00 00 00 E8 ?? ?? ?? ?? 
83 C4 34 85 C0 0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 78 02 00 00 56 8D 94 24 48 03 00 00 51 8D 84 24 18 04 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 BC 01 00 00 56 8D 94 } + condition: + $c0 +} + +rule BigDig_mpModMult : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "BigDig mpModMult" + strings: + $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 98 01 00 00 8D 54 24 00 56 8B B4 24 B0 01 00 00 57 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 C0 01 00 00 8B 94 24 B4 01 00 00 8D 3C 36 56 50 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 57 50 E8 ?? ?? ?? ?? 83 C4 2C 33 C0 5F 5E 81 C4 98 01 00 00 C3 } + condition: + $c0 +} + +rule BigDig_mpModulo : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "BigDig mpModulo" + strings: + $c0 = { 8B 44 24 10 81 EC 30 03 00 00 8B 8C 24 38 03 00 00 8D 54 24 00 56 8B B4 24 40 03 00 00 57 8B BC 24 4C 03 00 00 57 50 56 51 8D 84 24 B0 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 94 24 54 03 00 00 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 56 50 E8 ?? ?? ?? ?? 8D 8C 24 CC 01 00 00 56 51 E8 ?? ?? ?? ?? 83 C4 34 33 C0 5F 5E 81 C4 30 03 00 00 C3 } + condition: + $c0 +} + +rule BigDig_spModExpB : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "BigDig spModExpB" + strings: + $c0 = { 53 8B 5C 24 10 55 56 BE 00 00 00 80 85 F3 75 04 D1 EE 75 F8 8B 6C 24 14 8B C5 D1 EE 89 44 24 18 74 48 57 8B 7C 24 20 EB 04 8B 44 24 1C 57 50 50 8D 44 24 28 50 E8 ?? ?? ?? ?? 83 C4 10 85 F3 74 14 8B 4C 24 1C 57 55 8D 54 24 24 51 52 E8 ?? ?? ?? ?? 
83 C4 10 D1 EE 75 D0 8B 44 24 14 8B 4C 24 1C 5F 5E 89 08 5D 33 C0 5B C3 8B 54 24 10 5E 5D 5B 89 02 33 C0 C3 } + condition: + $c0 +} + +rule BigDig_spModInv : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "BigDig spModInv" + strings: + $c0 = { 51 8B 4C 24 10 55 56 BD 01 00 00 00 33 F6 57 8B 7C 24 18 89 6C 24 0C 85 C9 74 42 53 8B C7 33 D2 F7 F1 8B C7 8B F9 8B DA 33 D2 F7 F1 8B CB 0F AF C6 03 C5 8B EE 8B F0 8B 44 24 10 F7 D8 85 DB 89 44 24 10 75 D7 85 C0 5B 7D 13 8B 44 24 1C 8B 4C 24 14 2B C5 5F 89 01 5E 33 C0 5D 59 C3 8B 54 24 14 5F 5E 33 C0 89 2A 5D 59 C3 } + condition: + $c0 +} + +rule BigDig_spModMult : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "BigDig spModMult" + strings: + $c0 = { 8B 44 24 0C 8B 4C 24 08 83 EC 08 8D 54 24 00 50 51 52 E8 ?? ?? ?? ?? 8B 44 24 24 6A 02 8D 4C 24 10 50 51 E8 ?? ?? ?? ?? 8B 54 24 24 89 02 33 C0 83 C4 20 C3 } + condition: + $c0 +} + +rule CryptoPP_ApplyFunction : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "CryptoPP ApplyFunction" + strings: + $c0 = { 51 8D 41 E4 56 8B 74 24 0C 83 C1 F0 50 51 8B 4C 24 18 C7 44 24 0C 00 00 00 00 51 56 E8 ?? ?? ?? ?? 83 C4 10 8B C6 5E 59 C2 08 00 } + $c1 = { 51 53 56 8B F1 57 6A 00 C7 44 24 10 00 00 00 00 8B 46 04 8B 48 04 8B 5C 31 04 8D 7C 31 04 E8 ?? ?? ?? ?? 50 8B CF FF 53 10 8B 44 24 18 8D 56 08 83 C6 1C 52 56 8B 74 24 1C 50 56 E8 ?? ?? ?? ?? 83 C4 10 8B C6 5F 5E 5B 59 C2 08 00 } + condition: + any of them +} + +rule CryptoPP_RsaFunction : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "CryptoPP RsaFunction" + strings: + $c0 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC 9C 00 00 00 8B 84 24 B0 00 00 00 53 55 56 33 ED 8B F1 57 3B C5 89 B4 24 A8 00 00 00 89 6C 24 10 BF 01 00 00 00 74 18 C7 06 ?? ?? ?? ?? C7 46 20 ?? ?? ?? ?? 89 7C 24 10 89 AC 24 B4 00 00 00 8D 4E 04 E8 ?? ?? ?? ?? 8D 4E 10 89 BC 24 B4 00 00 00 E8 ?? ?? ?? ?? 8B 06 BB ?? ?? ?? ?? BF ?? ?? ?? ?? 8B 48 04 C7 04 31 ?? ?? ?? ?? 
8B 16 8B 42 04 8B 54 24 10 83 CA 02 8D 48 E0 89 54 24 10 89 4C 30 FC 89 5C 24 18 89 7C } + $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 1C 53 8B 5C 24 1C 56 8B F1 57 33 C9 89 74 24 10 3B C1 89 4C 24 0C 74 7B C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 3B D9 75 06 89 4C 24 28 EB 0E 8B 43 04 8B 50 0C 8D 44 1A 04 89 44 24 28 8B 56 3C C7 44 24 0C 07 00 00 00 8B 42 04 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C C7 46 38 ?? ?? ?? ?? 8B 42 04 C7 44 30 3C } + $c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 18 56 8B F1 57 85 C0 89 74 24 0C C7 44 24 08 00 00 00 00 74 63 C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 8B 46 3C C7 44 24 08 07 00 00 00 8B 48 04 C7 44 31 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 4E 3C C7 46 38 ?? ?? ?? ?? 8B 51 04 C7 44 32 3C ?? ?? ?? ?? 8B 46 3C 8B 48 08 C7 44 31 3C ?? ?? ?? ?? C7 06 ?? ?? ?? ?? 8D 7E 04 6A 00 8B CF } + condition: + any of them +} + +rule CryptoPP_Integer_constructor : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "CryptoPP Integer constructor" + strings: + $c0 = { 8B 44 24 08 56 83 F8 08 8B F1 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 8D 04 95 00 00 00 00 89 16 50 E8 ?? ?? ?? ?? 8B 4C 24 0C 89 46 04 C7 46 08 00 00 00 00 89 08 8B 0E 8B 46 04 83 C4 04 49 74 0F 57 8D 78 04 33 C0 F3 AB 8B C6 5F 5E C2 08 00 8B C6 5E C2 08 00 } + $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8B F1 89 74 24 04 C7 06 ?? ?? ?? ?? 6A 08 C7 44 24 14 00 00 00 00 C7 46 08 02 00 00 00 E8 ?? ?? ?? ?? 89 46 0C C7 46 10 00 00 00 00 C7 06 ?? ?? ?? ?? 
8B 46 0C 83 C4 04 C7 40 04 00 00 00 00 8B 4E 0C 8B C6 5E C7 01 00 00 00 00 8B 4C 24 04 64 89 0D 00 00 00 00 83 C4 10 C3 } + $c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8B F1 57 89 74 24 08 C7 06 ?? ?? ?? ?? 8B 7C 24 1C C7 44 24 14 00 00 00 00 8B CF E8 ?? ?? ?? ?? 83 F8 08 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 85 D2 89 56 08 76 12 8D 04 95 00 00 00 00 50 E8 ?? ?? ?? ?? 83 C4 04 EB 02 33 C0 89 46 0C 8B 4F 10 89 4E 10 } + $c3 = { 56 57 8B 7C 24 0C 8B F1 8B CF E8 ?? ?? ?? ?? 83 F8 08 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 8D 04 95 00 00 00 00 89 16 50 E8 ?? ?? ?? ?? 8B 16 89 46 04 8B 4F 08 83 C4 04 89 4E 08 8B 4F 04 85 D2 76 0D 2B C8 8B 3C 01 89 38 83 C0 04 4A 75 F5 8B C6 5F 5E C2 04 00 } + condition: + any of them +} + +rule RijnDael_AES : Crypto_Algorithms +{ meta: + author = "_pusher_" + description = "RijnDael AES" + date = "2016-06" + strings: + $c0 = { A5 63 63 C6 84 7C 7C F8 } + condition: + $c0 +} + +rule RijnDael_AES_CHAR : Crypto_Algorithms +{ meta: + author = "_pusher_" + description = "RijnDael AES (check2) [char]" + date = "2016-06" + strings: + $c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 } + condition: + $c0 +} + +rule RijnDael_AES_CHAR_inv : Crypto_Algorithms +{ meta: + author = "_pusher_" + description = "RijnDael AES S-inv [char]" + //needs improvement + date = "2016-07" + strings: + $c0 = { 48 38 47 00 88 17 33 D2 8A 56 0D 8A 92 48 38 47 00 88 57 01 33 D2 8A 56 0A 8A 92 48 38 47 00 88 57 02 33 D2 8A 56 07 8A 92 48 38 47 00 88 57 03 33 D2 8A 56 04 8A 92 } + condition: + $c0 +} + +rule RijnDael_AES_LONG : Crypto_Algorithms +{ meta: + author = 
"_pusher_" + description = "RijnDael AES" + date = "2016-06" + strings: + $c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 } + condition: + $c0 +} + +rule RsaRef2_NN_modExp : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "RsaRef2 NN_modExp" + strings: + $c0 = { 81 EC 1C 02 00 00 53 55 56 8B B4 24 30 02 00 00 57 8B BC 24 44 02 00 00 57 8D 84 24 A4 00 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 4C 02 00 00 57 53 8D 8C 24 B4 00 00 00 56 8D 94 24 3C 01 00 00 51 52 E8 ?? ?? ?? ?? 57 53 8D 84 24 4C 01 00 00 56 8D 8C 24 D4 01 00 00 50 51 E8 ?? ?? ?? ?? 8D 54 24 50 57 52 E8 ?? ?? ?? ?? 8B 84 24 78 02 00 00 8B B4 24 74 02 00 00 50 56 C7 44 24 60 01 00 00 00 E8 ?? ?? ?? ?? 8D 48 FF 83 C4 44 8B E9 89 4C 24 18 85 ED 0F 8C AF 00 00 00 8D 34 AE 89 74 24 } + condition: + any of them +} + +rule RsaRef2_NN_modInv : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "RsaRef2 NN_modInv" + strings: + $c0 = { 81 EC A4 04 00 00 53 56 8B B4 24 BC 04 00 00 57 8D 84 24 ?? 00 00 00 56 50 E8 ?? ?? ?? ?? 8D 8C 24 1C 01 00 00 BF 01 00 00 00 56 51 89 BC 24 A0 00 00 00 E8 ?? ?? ?? ?? 8B 94 24 C8 04 00 00 56 8D 84 24 AC 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 9C 24 D8 04 00 00 56 8D 4C 24 2C 53 51 E8 ?? ?? ?? ?? 8D 54 24 34 56 52 E8 ?? ?? ?? ?? 83 C4 30 85 C0 0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 A0 01 00 00 56 8D 94 24 AC 02 00 00 51 8D 84 24 34 03 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 2C 01 } + condition: + $c0 +} + +rule RsaRef2_NN_modMult : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "RsaRef2 NN_modMult" + strings: + $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 68 08 01 00 00 8D 4C 24 2C 6A 00 51 E8 ?? ?? ?? ?? 
83 C4 30 5E 81 C4 08 01 00 00 C3 } + condition: + $c0 +} + +rule RsaRef2_RsaPrivateDecrypt : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "RsaRef2 RsaPrivateDecrypt" + strings: + $c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8B 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6B 8A 4C 24 09 B8 02 00 00 00 3A C8 75 5E 8D 4E FF 3B C8 76 0D 8A 54 04 08 84 D2 74 05 40 3B C1 72 F3 40 3B C6 73 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A 8D 51 0B } + condition: + $c0 +} + +rule RsaRef2_RsaPrivateEncrypt : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "RsaRef2 RsaPrivateEncrypt" + strings: + $c0 = { 8B 44 24 14 8B 54 24 10 81 EC 80 00 00 00 8D 4A 0B 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 80 00 00 00 C3 8B CE B8 02 00 00 00 2B CA C6 44 24 04 00 49 C6 44 24 05 01 3B C8 76 23 53 55 8D 69 FE 57 8B CD 83 C8 FF 8B D9 8D 7C 24 12 C1 E9 02 F3 AB 8B CB 83 E1 03 F3 AA 8D 45 02 5F 5D 5B 52 8B 94 24 94 00 00 00 C6 44 04 08 00 8D 44 04 09 52 50 E8 ?? ?? ?? ?? 8B 8C 24 A4 00 00 00 8B 84 24 98 00 00 00 51 8B 8C 24 98 00 00 00 8D 54 24 14 56 52 50 51 E8 } + condition: + $c0 +} + +rule RsaRef2_RsaPublicDecrypt : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "RsaRef2 RsaPublicDecrypt" + strings: + $c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8E 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6E 80 7C 24 09 01 75 67 B8 02 00 00 00 8D 4E FF 3B C8 76 0D B2 FF 38 54 04 08 75 05 40 3B C1 72 F5 8A 4C 04 08 40 84 C9 75 45 8B 94 24 ?? 
00 00 00 8B CE 2B C8 89 0A } + condition: + $c0 +} + +rule RsaRef2_RsaPublicEncrypt : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "RsaRef2 RsaPublicEncrypt" + strings: + $c0 = { 8B 44 24 14 81 EC 84 00 00 00 53 8B 9C 24 98 00 00 00 57 8B 38 83 C7 07 8D 4B 0B C1 EF 03 3B CF 76 0E 5F B8 06 04 00 00 5B 81 C4 84 00 00 00 C3 8B D7 55 2B D3 56 BE 02 00 00 00 C6 44 24 14 00 8D 6A FF C6 44 24 15 02 3B EE 76 28 8B 84 24 AC 00 00 00 8D 4C 24 13 50 6A 01 51 E8 ?? ?? ?? ?? 8A 44 24 1F 83 C4 0C 84 C0 74 E1 88 44 34 14 46 3B F5 72 D8 8B 94 24 A0 00 00 00 53 8D 44 34 19 52 50 C6 44 34 20 00 E8 ?? ?? ?? ?? 8B 8C 24 B4 00 00 00 8B 84 24 A8 00 00 00 51 8B 8C 24 A8 00 } + condition: + $c0 +} + +rule RsaEuro_NN_modInv : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "RsaEuro NN_modInv" + strings: + $c0 = { 81 EC A4 04 00 00 53 56 8B B4 24 BC 04 00 00 57 8D 44 24 0C 56 50 E8 ?? ?? ?? ?? 8D 8C 24 1C 01 00 00 BF 01 00 00 00 56 51 89 7C 24 1C E8 ?? ?? ?? ?? 8B 94 24 C8 04 00 00 56 8D 84 24 AC 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 9C 24 D8 04 00 00 56 8D 8C 24 B0 00 00 00 53 51 E8 ?? ?? ?? ?? 8D 94 24 B8 00 00 00 56 52 E8 ?? ?? ?? ?? 83 C4 30 85 C0 0F 85 F8 00 00 00 8D 84 24 ?? 00 00 00 56 50 8D 8C 24 A0 01 00 00 56 8D 94 24 AC 02 00 00 51 8D 84 24 34 03 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C } + condition: + $c0 +} + +rule RsaEuro_NN_modMult : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "RsaEuro NN_modMult" + strings: + $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 83 C4 24 5E 81 C4 08 01 00 00 C3 } + condition: + $c0 +} + +rule Miracl_Big_constructor : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "Miracl Big constructor" + strings: + $c0 = { 56 8B F1 6A 00 E8 ?? ?? ?? ?? 
83 C4 04 89 06 8B C6 5E C3 } + condition: + $c0 +} + +rule Miracl_mirvar : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "Miracl mirvar" + strings: + $c0 = { 56 E8 ?? ?? ?? ?? 8B 88 18 02 00 00 85 C9 74 04 33 C0 5E C3 8B 88 8C 00 00 00 85 C9 75 0E 6A 12 E8 ?? ?? ?? ?? 83 C4 04 33 C0 5E C3 8B 80 38 02 00 00 6A 01 50 E8 ?? ?? ?? ?? 8B F0 83 C4 08 85 F6 75 02 5E C3 8D 46 04 8B C8 8B D0 83 E1 03 2B D1 83 C2 08 89 10 8B 44 24 08 85 C0 74 0A 56 50 E8 ?? ?? ?? ?? 83 C4 08 8B C6 5E C3 } + $c1 = { 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 2C 02 00 00 85 C0 74 05 5F 33 C0 5E C3 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 17 00 00 00 8B 86 40 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 86 8C 00 00 00 85 C0 75 16 6A 12 E8 ?? ?? ?? ?? 8B 46 1C 83 C4 04 48 89 46 1C 5F 33 C0 5E C3 8B 46 18 6A 01 8D 0C 85 0C 00 00 00 51 E8 ?? ?? ?? ?? 8B F8 83 C4 08 85 FF 75 0C 8B 46 1C 5F 48 89 46 1C 33 C0 5E C3 8D 47 04 8B D0 8B C8 83 E2 03 2B CA 83 C1 08 89 08 8B 44 24 0C 85 C0 74 0A 57 50 E8 } + $c2 = { 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 74 05 5F 33 C0 5E C3 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 17 00 00 00 8B 86 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 86 8C 00 00 00 85 C0 75 16 6A 12 E8 ?? ?? ?? ?? 8B 46 1C 83 C4 04 48 89 46 1C 5F 33 C0 5E C3 8B 86 A4 02 00 00 6A 01 50 E8 ?? ?? ?? ?? 8B F8 83 C4 08 85 FF 75 0C 8B 46 1C 5F 48 89 46 1C 33 C0 5E C3 8D 47 04 8B C8 8B D0 83 E1 03 2B D1 83 C2 08 89 10 8B 44 24 0C 85 C0 74 0A 57 50 E8 } + condition: + any of them +} + +rule Miracl_mirsys_init : Crypto_Algorithms +{ meta: + author = "Maxx" + description = "Miracl mirsys init" + strings: + $c0 = { 53 55 57 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 DB A3 ?? ?? ?? ?? 3B C3 75 06 5F 5D 33 C0 5B C3 89 58 1C A1 ?? ?? ?? ?? BD 01 00 00 00 89 58 20 A1 ?? ?? ?? ?? 8B 50 1C 42 89 50 1C A1 ?? ?? ?? ?? 8B 48 1C C7 44 88 20 1D 00 00 00 8B 15 ?? ?? ?? ?? 89 9A 14 02 00 00 A1 ?? ?? ?? ?? 89 98 70 01 00 00 8B 0D ?? ?? ?? ?? 89 99 78 01 00 00 8B 15 ?? ?? ?? ?? 
89 9A 98 01 00 00 A1 ?? ?? ?? ?? 89 58 14 8B 44 24 14 3B C5 0F 84 6C 05 00 00 3D 00 00 00 80 0F 87 61 05 00 00 50 E8 }
+ condition:
+ $c0
+}
+
+/* //gives many false positives sorry Storm Shadow
+rule x509_public_key_infrastructure_cert : Crypto_Algorithms
+{ meta:
+ desc = "X.509 PKI Certificate"
+ ext = "crt"
+ strings:
+ $c0 = { 30 82 ?? ?? 30 82 ?? ?? }
+ condition:
+ $c0
+}
+
+rule pkcs8_private_key_information_syntax_standard : Crypto_Algorithms
+{ meta:
+ desc = "Found PKCS #8: Private-Key"
+ ext = "key"
+ strings:
+ $c0 = { 30 82 ?? ?? 02 01 00 }
+ condition:
+ $c0
+}
+*/
+
+rule BASE64_table : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for Base64 table"
+ date = "2015-07"
+ version = "0.1"
+ strings:
+ $c0 = { 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F }
+ condition:
+ $c0
+}
+
+rule Delphi_Random : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for Random function"
+ date = "2015-08"
+ version = "0.1"
+ strings:
+ $c0 = { 53 31 DB 69 93 ?? ?? ?? ?? 05 84 08 08 42 89 93 ?? ?? ?? ?? F7 E2 89 D0 5B C3 }
+ //x64 rad
+ $c1 = { 8B 05 ?? ?? ?? ?? 69 C0 05 84 08 08 83 C0 01 89 05 ?? ?? ?? ?? 8B C9 8B C0 48 0F AF C8 48 C1 E9 20 89 C8 C3 }
+ condition:
+ any of them
+}
+
+rule Delphi_RandomRange : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for RandomRange function"
+ date = "2016-06"
+ version = "0.1"
+ strings:
+ $c0 = { 56 8B F2 8B D8 3B F3 7D 0E 8B C3 2B C6 E8 ?? ?? ?? ?? 03 C6 5E 5B C3 8B C6 2B C3 E8 ?? ?? ?? ?? 03 C3 5E 5B C3 }
+ condition:
+ $c0
+}
+
+rule Delphi_FormShow : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for Form.Show function"
+ date = "2016-06"
+ version = "0.1"
+ strings:
+ $c0 = { 53 8B D8 B2 01 8B C3 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 
5B C3 } + //x64 rad + $c1 = { 53 48 83 EC 20 48 89 CB 48 89 D9 B2 01 E8 ?? ?? ?? ?? 48 89 D9 E8 ?? ?? ?? ?? 48 83 C4 20 5B C3 } + condition: + any of them +} + +rule Delphi_CompareCall : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for Compare string function" + date = "2016-07" + strings: + $c0 = { 53 56 57 89 C6 89 D7 39 D0 0F 84 8F 00 00 00 85 F6 74 68 85 FF 74 6B 8B 46 FC 8B 57 FC 29 D0 77 02 01 C2 52 C1 EA 02 74 26 8B 0E 8B 1F 39 D9 75 58 4A 74 15 8B 4E 04 8B 5F 04 39 D9 75 4B 83 C6 08 83 C7 08 4A 75 E2 EB 06 83 C6 04 83 C7 04 5A 83 E2 03 74 22 8B 0E 8B 1F 38 D9 75 41 4A 74 17 38 FD 75 3A 4A 74 10 81 E3 00 00 FF 00 81 E1 00 00 FF 00 39 D9 75 27 01 C0 EB 23 8B 57 FC 29 D0 EB 1C 8B 46 FC 29 D0 EB 15 5A 38 D9 75 10 38 FD 75 0C C1 E9 10 C1 EB 10 38 D9 75 02 38 FD 5F 5E 5B C3 } + //newer delphi + $c1 = { 39 D0 74 30 85 D0 74 22 8B 48 FC 3B 4A FC 75 24 01 C9 01 C8 01 CA F7 D9 53 8B 1C 01 3B 1C 11 75 07 83 C1 04 78 F3 31 C0 5B C3} + //x64 + $c2 = { 41 56 41 55 57 56 53 48 83 EC 20 48 89 D3 48 3B CB 75 05 48 33 C0 EB 74 48 85 C9 75 07 8B 43 FC F7 D8 EB 68 48 85 DB 75 05 8B 41 FC EB 5E 8B 79 FC 44 8B 6B FC 89 FE 41 3B F5 7E 03 44 89 EE E8 ?? ?? ?? ?? 49 89 C6 48 89 D9 E8 ?? ?? ?? ?? 48 89 C1 85 F6 7E 30 41 0F B7 06 0F B7 11 2B C2 85 C0 75 29 83 FE 01 74 1E 41 0F B7 46 02 0F B7 51 02 2B C2 85 C0 75 15 49 83 C6 04 48 83 C1 04 83 EE 02 85 F6 7F D0 90 8B C7 41 2B C5 48 83 C4 20 5B 5E 5F 41 5D 41 5E C3 } + condition: + any of them +} + +rule Delphi_Copy : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for Copy function" + date = "2016-06" + version = "0.1" + strings: + $c0 = { 53 85 C0 74 2D 8B 58 FC 85 DB 74 26 4A 7C 1B 39 DA 7D 1F 29 D3 85 C9 7C 19 39 D9 7F 11 01 C2 8B 44 24 08 E8 ?? ?? ?? ?? EB 11 31 D2 EB E5 89 D9 EB EB 8B 44 24 08 E8 ?? ?? ?? ?? 
5B C2 04 00 } + //x64 rad + $c1 = { 53 48 83 EC 20 48 89 CB 44 89 C0 48 33 C9 48 85 D2 74 03 8B 4A FC 83 F8 01 7D 05 48 33 C0 EB 09 83 E8 01 3B C1 7E 02 89 C8 45 85 C9 7D 05 48 33 C9 EB 0A 2B C8 41 3B C9 7E 03 44 89 C9 49 89 D8 48 63 C0 48 8D 14 42 89 C8 4C 89 C1 41 89 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 } + condition: + any of them +} + +rule Delphi_IntToStr : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for IntToStr function" + date = "2016-04" + version = "0.1" + strings: + $c0 = { 55 8B EC 81 C4 00 FF FF FF 53 56 8B F2 8B D8 FF 75 0C FF 75 08 8D 85 00 FF FF FF E8 ?? ?? ?? ?? 8D 95 00 FF FF FF 8B C6 E8 ?? ?? ?? ?? EB 0E 8B 0E 8B C6 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 06 E8 ?? ?? ?? ?? 33 D2 8A D3 3B C2 72 E3 5E 5B 8B E5 5D C2 08 00 } + //x64 rad + $c1 = { 53 48 83 EC 20 48 89 CB 48 85 D2 7D 10 48 89 D9 48 F7 DA 41 B0 01 E8 ?? ?? ?? ?? EB 0B 48 89 D9 4D 33 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 } + condition: + any of them +} + + +rule Delphi_StrToInt : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for StrToInt function" + date = "2016-06" + version = "0.1" + strings: + $c0 = { 53 56 83 C4 F4 8B D8 8B D4 8B C3 E8 ?? ?? ?? ?? 8B F0 83 3C 24 00 74 19 89 5C 24 04 C6 44 24 08 0B 8D 54 24 04 A1 ?? ?? ?? ?? 33 C9 E8 ?? ?? ?? ?? 8B C6 83 C4 0C 5E 5B C3 } + //x64 rad + $c1 = { 55 56 53 48 83 EC 40 48 8B EC 48 89 CB 48 89 D9 48 8D 55 3C E8 ?? ?? ?? ?? 89 C6 83 7D 3C 00 74 1B 48 89 5D 20 C6 45 28 11 48 8B 0D ?? ?? ?? ?? 48 8D 55 20 4D 33 C0 E8 ?? ?? ?? ?? 89 F0 48 8D 65 40 5B 5E 5D C3 } + condition: + any of them +} + +rule Delphi_DecodeDate : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for DecodeDate (DecodeDateFully) function" + date = "2016-06" + version = "0.1" + strings: + $c0 = { 55 8B EC 83 C4 E8 53 56 89 4D F4 89 55 F8 89 45 FC 8B 5D 08 FF 75 10 FF 75 0C 8D 45 E8 E8 ?? ?? ?? ?? 
8B 4D EC 85 C9 7F 24 8B 45 FC 66 C7 00 00 00 8B 45 F8 66 C7 00 00 00 8B 45 F4 66 C7 00 00 00 66 C7 03 00 00 33 D2 E9 F2 00 00 00 8B C1 BE 07 00 00 00 99 F7 FE 42 66 89 13 49 66 BB 01 00 81 F9 B1 3A 02 00 7C 13 81 E9 B1 3A 02 00 66 81 C3 90 01 81 F9 B1 3A 02 00 7D ED 8D 45 F2 50 8D 45 F0 66 BA AC 8E 91 E8 ?? ?? ?? ?? 66 83 7D F0 04 75 0A 66 FF 4D F0 66 81 45 F2 AC 8E 66 6B 45 F0 64 66 03 D8 8D 45 F2 50 8D 4D F0 0F B7 45 F2 66 BA B5 05 E8 ?? ?? ?? ?? 66 8B 45 F0 C1 E0 02 66 03 D8 8D 45 F2 50 8D 4D F0 0F B7 45 F2 66 BA 6D 01 E8 ?? ?? ?? ?? 66 83 7D F0 04 75 0A 66 FF 4D F0 66 81 45 F2 6D 01 66 03 5D F0 8B C3 E8 ?? ?? ?? ?? 8B D0 33 C0 8A C2 8D 04 40 8D 34 C5 ?? ?? ?? ?? 66 B8 01 00 0F B7 C8 66 8B 4C 4E FE 66 89 4D F0 66 8B 4D F2 66 3B 4D F0 72 0B 66 8B 4D F0 66 29 4D F2 40 EB DF 8B 4D FC 66 89 19 8B 4D F8 66 89 01 66 8B 45 F2 40 8B 4D F4 66 89 01 8B C2 5E 5B 8B E5 5D C2 0C 00 } + //x64 + $c1 = { 55 41 55 57 56 53 48 83 EC 30 48 8B EC 48 89 D3 4C 89 C6 4C 89 CF E8 ?? ?? ?? ?? 48 8B C8 48 C1 E9 20 85 C9 7F 23 66 C7 03 00 00 66 C7 06 00 00 66 C7 07 00 00 48 8B 85 80 00 00 00 66 C7 00 00 00 48 33 C0 E9 19 01 00 00 4C 8B 85 80 00 00 00 41 C7 C1 07 00 00 00 8B C1 99 41 F7 F9 66 83 C2 01 66 41 89 10 83 E9 01 66 41 BD 01 00 81 F9 B1 3A 02 00 7C 14 81 E9 B1 3A 02 00 66 41 81 C5 90 01 81 F9 B1 3A 02 00 7D EC 90 66 BA AC 8E 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 66 83 7D 2C 04 75 0B 66 83 6D 2C 01 66 81 45 2E AC 8E 66 6B 45 2C 64 66 44 03 E8 0F B7 4D 2E 66 BA B5 05 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 48 0F B7 45 2C 03 C0 03 C0 66 44 03 E8 0F B7 4D 2E 66 BA 6D 01 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 66 83 7D 2C 04 75 0B 66 83 6D 2C 01 66 81 45 2E 6D 01 66 44 03 6D 2C 44 89 E9 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 
48 0F B6 D0 48 8D 14 52 48 8D 14 D1 66 B9 01 00 4C 0F B7 C1 4E 0F B7 44 42 FE 66 44 89 45 2C 4C 0F B7 45 2E 66 44 3B 45 2C 72 10 4C 0F B7 45 2C 66 44 29 45 2E 66 } + condition: + any of them +} + + +rule Unknown_Random : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for Random function" + date = "2016-07" + strings: + $c0 = { 55 8B EC 52 8B 45 08 69 15 ?? ?? ?? ?? 05 84 08 08 42 89 15 ?? ?? ?? ?? F7 E2 8B C2 5A C9 C2 04 00 } + condition: + $c0 +} + +rule VC6_Random : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for Random function" + date = "2016-02" + strings: + $c0 = { A1 ?? ?? ?? ?? 69 C0 FD 43 03 00 05 C3 9E 26 00 A3 ?? ?? ?? ?? C1 F8 10 25 FF 7F 00 00 C3 } + condition: + $c0 +} + +rule VC8_Random : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for Random function" + date = "2016-01" + version = "0.1" + strings: + $c0 = { E8 ?? ?? ?? ?? 8B 48 14 69 C9 FD 43 03 00 81 C1 C3 9E 26 00 89 48 14 8B C1 C1 E8 10 25 FF 7F 00 00 C3 } + condition: + $c0 +} + +rule DCP_RIJNDAEL_Init : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for DCP RijnDael Init" + date = "2016-07" + strings: + $c0 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 ?? ?? ?? ?? 8B D7 8B 4D FC 8B C3 8B 38 FF 57 ?? 85 F6 75 25 8D 43 38 33 C9 BA 10 00 00 00 E8 ?? ?? ?? ?? 8D 4B 38 8D 53 38 8B C3 8B 30 FF 56 ?? 8B C3 8B 10 FF 52 ?? EB 16 8D 53 38 8B C6 B9 10 00 00 00 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 ?? 5F 5E 5B 59 5D C2 04 00 } + condition: + $c0 +} + +rule DCP_RIJNDAEL_EncryptECB : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for DCP RijnDael EncryptECB" + date = "2016-07" + strings: + $c0 = { 53 56 57 55 83 C4 B4 89 0C 24 8D 74 24 08 8D 7C 24 28 80 78 30 00 75 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
8B 0A 89 0F 8B CA 83 C1 04 8B 09 8D 5F 04 89 0B 8B CA 83 C1 08 8B 09 8D 5F 08 89 0B 83 C2 0C 8B 12 8D 4F 0C 89 11 8B 50 58 83 EA 02 85 D2 0F 82 3B 01 00 00 42 89 54 24 04 33 D2 8B 0F 8B DA C1 E3 02 33 4C D8 5C 89 0E 8D 4F 04 8B 09 33 4C D8 60 8D 6E 04 89 4D 00 8D 4F 08 8B 09 33 4C D8 64 8D 6E 08 89 4D 00 8D 4F 0C 8B 09 33 4C D8 68 8D 5E 0C 89 0B 33 C9 8A 0E 8D 0C 8D } + condition: + $c0 +} + +rule DCP_BLOWFISH_Init : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for DCP Blowfish Init" + date = "2016-07" + strings: + $c0 = { 53 56 57 55 8B F2 8B F8 8B CF B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 8B C3 8B 10 FF 52 34 8B C6 E8 ?? ?? ?? ?? 50 8B C6 E8 ?? ?? ?? ?? 8B D0 8B C3 59 8B 30 FF 56 3C 8B 43 3C 85 C0 79 03 83 C0 07 C1 F8 03 E8 ?? ?? ?? ?? 8B F0 8B D6 8B C3 8B 08 FF 51 40 8B 47 40 8B 6B 3C 3B C5 7D 0F 6A 00 8B C8 8B D6 8B C7 8B 38 FF 57 30 EB 0D 6A 00 8B D6 8B CD 8B C7 8B 38 FF 57 30 8B 53 3C 85 D2 79 03 83 C2 07 C1 FA 03 8B C6 B9 FF 00 00 00 E8 ?? ?? ?? ?? 8B 53 3C 85 D2 79 03 83 C2 07 C1 FA 03 8B C6 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5D 5F 5E 5B C3 } + condition: + $c0 +} + + +rule DCP_BLOWFISH_EncryptCBC : Crypto_Algorithms{ + meta: + author = "_pusher_" + description = "Look for DCP Blowfish EncryptCBC" + date = "2016-07" + strings: + $c0 = { 55 8B EC 83 C4 F0 53 56 57 89 4D F8 89 55 FC 8B D8 80 7B 34 00 75 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 7D 08 85 FF 79 03 83 C7 07 C1 FF 03 85 FF 7E 56 BE 01 00 00 00 6A 08 8B 45 FC 8B D6 4A C1 E2 03 03 C2 8D 4D F0 8D 53 54 E8 ?? ?? ?? ?? 8D 4D F0 8D 55 F0 8B C3 E8 ?? ?? ?? ?? 8B 55 F8 8B C6 48 C1 E0 03 03 D0 8D 45 F0 B9 08 00 00 00 E8 ?? ?? ?? ?? 8D 53 54 8D 45 F0 B9 08 00 00 00 E8 ?? ?? ?? ?? 46 4F 75 AF 8B 75 08 81 E6 07 00 00 80 79 05 4E 83 CE F8 46 85 F6 74 26 8D 4D F0 8D 53 54 8B C3 E8 ?? ?? ?? ?? 56 8B 4D F8 03 4D 08 2B CE 8B 55 FC 03 55 08 2B D6 8D 45 F0 E8 ?? ?? ?? ?? 8D 45 F0 B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 
5F 5E 5B 8B E5 5D C2 04 00 }
+ condition:
+ $c0
+}
+
+rule DCP_DES_Init : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for DCP Des Init"
+ date = "2016-02"
+ strings:
+ $c0 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 FE F9 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 5C 85 F6 75 25 8D 43 38 33 C9 BA 08 00 00 00 E8 F3 A9 FA FF 8D 4B 38 8D 53 38 8B C3 8B 30 FF 56 6C 8B C3 8B 10 FF 52 48 EB 16 8D 53 38 8B C6 B9 08 00 00 00 E8 6E A7 FA FF 8B C3 8B 10 FF 52 48 5F 5E 5B 59 5D C2 04 00 }
+ $c1 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 EE D4 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 74 85 F6 75 2B 8D 43 40 B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 8D 4B 40 8D 53 40 8B C3 8B 30 FF 96 84 00 00 00 8B C3 8B 10 FF 52 58 EB 16 8D 53 40 8B C6 B9 08 00 00 00 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 58 5F 5E 5B 59 5D C2 04 00 }
+ condition:
+ any of them
+}
+
+
+rule DCP_DES_EncryptECB : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for DCP Des EncryptECB"
+ date = "2016-02"
+ strings:
+ $c0 = { 53 80 78 ?? 00 75 16 B9 ?? ?? ?? 00 B2 01 A1 ?? ?? ?? 00 E8 ?? ?? ?? FF E8 ?? ?? ?? FF 8D 58 ?? 53 E8 ?? ?? FF FF 5B C3 }
+ condition:
+ any of them
+}
diff --git a/yara_sigs/file/packer.yar b/yara_sigs/file/packer.yar
new file mode 100644
index 0000000..fe3163a
--- /dev/null
+++ b/yara_sigs/file/packer.yar
@@ -0,0 +1,20221 @@ +/* + This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. + +*/ + +import "pe" + +rule emotet_packer { + meta: + description = "recent Emotet packer pdb string" + author = "Marc Salinas (@Bondey_m)" + reference = "330fb2954c1457149988cda98ca8401fbc076802ff44bb30894494b1c5531119" + reference = "d08a4dc159b17bde8887fa548b7d265108f5f117532d221adf7591fbad29b457" + reference = "7b5b8aaef86b1a7a8e7f28f0bda0bb7742a8523603452cf38170e5253f7a5c82" + reference = "e6abb24c70a205ab471028aee22c1f32690c02993b77ee0e77504eb360860776" + reference = "5684850a7849ab475227da91ada8ac5741e36f98780d9e3b01ae3085a8ef02fc" + reference = "acefdb67d5c0876412e4d079b38da1a5e67a7fcd936576c99cc712391d3a5ff5" + reference = "14230ba12360a172f9f242ac98121ca76e7c4450bfcb499c2af89aa3a1ef7440" + reference = "4fe9b38d2c32d0ee19d7be3c1a931b9448904aa72e888f40f43196e0b2207039" + reference = "e31028282c38cb13dd4ede7e9c8aa62d45ddae5ebaa0fe3afb3256601dbf5de7" + date = "2017-12-12" + strings: + $pdb1 = "123EErrrtools.pdb" + $pdb2= "gGEW\\F???/.pdb" + + condition: + $pdb1 or $pdb2 +} + +rule silent_banker : banker +{ + meta: + author="malware-lu" + strings: + $a = {6A 40 68 00 30 00 00 6A 14 8D 91} + $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9} + $c = "UVODFRYSIHLNWPEJXQZAKCBGMT" + + condition: + $a or $b or $c +} + +rule zbot : banker +{ + meta: + author="malware-lu" + strings: + $a = "__SYSTEM__" wide + $b = "*tanentry*" + $c = "* 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3 +} + +rule Borland +{ + meta: + author="malware-lu" + strings: + $patternBorland = "Borland" wide ascii + condition: + $patternBorland +} + +// 20150909 - Issue #39 - Commented because of High FP rate +/* +rule java +{ + meta: + author="malware-lu" + strings: + $patternjava = "java" wide ascii + condition: + $patternjava +} +*/ +rule MSLRHv032afakePCGuard4xxemadicius +{ + meta: + 
author="malware-lu" +strings: + $a0 = { FC 55 50 E8 00 00 00 00 5D EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 58 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule EnigmaProtector1XSukhovVladimirSergeNMarkin +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 00 00 52 65 67 43 6C 6F 73 65 4B 65 79 00 00 00 53 79 73 46 72 65 65 53 74 72 69 6E 67 00 00 00 43 72 65 61 74 65 46 6F 6E 74 41 00 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 41 00 00 } + +condition: + $a0 +} + + +rule SPLayerv008 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8D 40 00 B9 ?? ?? ?? ?? 6A ?? 58 C0 0C ?? ?? 48 ?? ?? 66 13 F0 91 3B D9 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 } + +condition: + $a0 +} + + +rule DxPackV086Dxd +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 06 10 40 00 2B BD 94 12 40 00 81 EF 06 00 00 00 83 BD 14 13 40 00 01 0F 84 2F 01 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtMicrosoftVisualC60 +{ + meta: + author="malware-lu" +strings: + $a0 = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 } + $a1 = { 03 DE EB 01 F8 B8 80 ?? 
42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE } + $a2 = { 91 EB 02 CD 20 BF 50 BC 04 6F 91 BE D0 ?? ?? 6F EB 02 CD 20 2B F7 EB 02 F0 46 8D 1D F4 00 } + $a3 = { C1 CE 10 C1 F6 0F 68 00 ?? ?? 00 2B FA 5B 23 F9 8D 15 80 ?? ?? 00 E8 01 00 00 00 B6 5E 0B } + $a4 = { D1 E9 03 C0 68 80 ?? ?? 00 EB 02 CD 20 5E 40 BB F4 00 00 00 33 CA 2B C7 0F B6 16 EB 01 3E } + $a5 = { E8 01 00 00 00 0E 59 E8 01 00 00 00 58 58 BE 80 ?? ?? 00 EB 02 61 E9 68 F4 00 00 00 C1 C8 } + $a6 = { EB 01 4D 83 F6 4C 68 80 ?? ?? 00 EB 02 CD 20 5B EB 01 23 68 48 1C 2B 3A E8 02 00 00 00 38 } + $a7 = { EB 02 AB 35 EB 02 B5 C6 8D 05 80 ?? ?? 00 C1 C2 11 BE F4 00 00 00 F7 DB F7 DB 0F BE 38 E8 } + $a8 = { EB 02 CD 20 ?? CF ?? ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 } + $a9 = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? ?? BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point or $a5 at pe.entry_point or $a6 at pe.entry_point or $a7 at pe.entry_point or $a8 at pe.entry_point or $a9 at pe.entry_point +} + + +rule TPPpackclane +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5D 81 ED F5 8F 40 00 60 33 ?? E8 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtMicrosoftVisualC6070 +{ + meta: + author="malware-lu" +strings: + $a0 = { 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? 00 EB 02 CD 20 03 D3 8D 35 F4 00 00 00 EB 01 35 EB 01 88 80 CA 7C 80 F3 74 8B 38 EB 02 AC BA 03 DB E8 01 00 00 00 A5 5B C1 C2 0B 81 C7 DA 10 0A 4E EB 01 08 2B D1 83 EF 14 EB 02 CD 20 33 D3 83 EF 27 } + $a1 = { 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? ?? EB 02 CD 20 03 D3 8D 35 F4 00 } + $a2 = { 87 FE E8 02 00 00 00 98 CC 5F BB 80 ?? ?? 
00 EB 02 CD 20 68 F4 00 00 00 E8 01 00 00 00 E3 } + $a3 = { F7 D8 40 49 EB 02 E0 0A 8D 35 80 ?? ?? ?? 0F B6 C2 EB 01 9C 8D 1D F4 00 00 00 EB 01 3C 80 } + $a4 = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? A7 BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point +} + + +rule Thinstall24x25xJititSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? BD ?? ?? ?? ?? 03 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule LocklessIntroPack +{ + meta: + author="malware-lu" +strings: + $a0 = { 2C E8 ?? ?? ?? ?? 5D 8B C5 81 ED F6 73 ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 06 89 85 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03faketElock061FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E9 00 00 00 00 60 E8 00 00 00 00 58 83 C0 08 F3 EB FF E0 83 C0 28 50 E8 00 00 00 00 5E B3 33 8D 46 0E 8D 76 31 28 18 F8 73 00 C3 8B FE B9 3C 02 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeStealth275aWebtoolMaster +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 } + +condition: + $a0 at pe.entry_point +} + + +rule PEArmor046Hying +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 AA 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 5C ?? ?? 00 6F ?? ?? 
00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 } + $a1 = { E8 AA 00 00 00 2D ?? ?? ?? 00 00 00 00 00 00 00 00 3D } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule eXPressorv13CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { 45 78 50 72 2D 76 2E 31 2E 33 2E } + $a1 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 33 2E 2E B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 13 A1 ?? ?? ?? ?? 03 05 ?? ?? ?? ?? 89 ?? ?? E9 ?? ?? 00 00 C7 05 } + +condition: + $a0 or $a1 at pe.entry_point +} + + +rule Upackv032BetaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 88 01 ?? ?? AD 50 ?? ?? AD 91 F3 A5 } + $a1 = { BE 88 01 ?? ?? AD 50 ?? AD 91 ?? F3 A5 } + +condition: + $a0 or $a1 +} + + +rule MSLRHV031emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv184 +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 } + +condition: + $a0 at pe.entry_point +} + + +rule PCGuardforWin32v500SofProBlagojeCeklic +{ + meta: + author="malware-lu" +strings: + $a0 = { FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 ?? ?? ?? 
00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 00 00 00 83 EB 0E EB 01 0C } + +condition: + $a0 at pe.entry_point +} + + +rule WiseInstallerStub +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC 78 05 00 00 53 56 BE 04 01 00 00 57 8D 85 94 FD FF FF 56 33 DB 50 53 FF 15 34 20 40 00 8D 85 94 FD FF FF 56 50 8D 85 94 FD FF FF 50 FF 15 30 20 40 00 8B 3D 2C 20 40 00 53 53 6A 03 53 6A 01 8D 85 94 FD FF FF 68 00 00 00 80 50 FF D7 83 F8 FF } + $a1 = { 55 8B EC 81 EC ?? 04 00 00 53 56 57 6A ?? ?? ?? ?? ?? ?? ?? FF 15 ?? ?? 40 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? 20 } + $a2 = { 55 8B EC 81 EC ?? ?? 00 00 53 56 57 6A 01 5E 6A 04 89 75 E8 FF 15 ?? 40 40 00 FF 15 ?? 40 40 00 8B F8 89 7D ?? 8A 07 3C 22 0F 85 ?? 00 00 00 8A 47 01 47 89 7D ?? 33 DB 3A C3 74 0D 3C 22 74 09 8A 47 01 47 89 7D ?? EB EF 80 3F 22 75 04 47 89 7D ?? 80 3F 20 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 +} + + +rule AnskyaNTPackerGeneratorAnskya +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 53 B8 88 1D 00 10 E8 C7 FA FF FF 6A 0A 68 20 1E 00 10 A1 14 31 00 10 50 E8 71 FB FF FF 8B D8 85 DB 74 2F 53 A1 14 31 00 10 50 E8 97 FB FF FF 85 C0 74 1F 53 A1 14 31 00 10 50 E8 5F FB FF FF 85 C0 74 0F 50 E8 5D FB FF FF 85 C0 74 05 E8 70 FC FF FF 5B E8 F2 F6 FF FF 00 00 48 45 41 52 54 } + +condition: + $a0 +} + + +rule ThinstallVirtualizationSuite30493080ThinstallCompany +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 
68 00 2C 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 } + $a1 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 2C 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule NsPack14byNorthStarLiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 } + +condition: + $a0 +} + + +rule FSGv110EngbartxtWatcomCCEXE +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 CD 20 03 ?? 8D ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 } + +condition: + $a0 at pe.entry_point +} + + +rule AcidCrypt: Packer +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 B9 ?? ?? ?? 00 BA ?? ?? ?? 00 BE ?? ?? ?? 00 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB } + $a1 = { BE ?? ?? ?? ?? 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule eXPressorv1451CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? ?? 05 00 ?? ?? ?? A3 08 ?? ?? ?? A1 08 ?? ?? ?? B9 81 ?? ?? ?? 2B 48 18 89 0D 0C ?? ?? ?? 83 3D 10 ?? ?? ?? 00 74 16 A1 08 ?? ?? ?? 8B 0D 0C ?? ?? ?? 03 48 14 } + $a1 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? 
?? 05 00 ?? ?? ?? A3 08 ?? ?? ?? A1 08 ?? ?? ?? B9 81 ?? ?? ?? 2B 48 18 89 0D 0C ?? ?? ?? 83 3D 10 ?? ?? ?? 00 74 16 A1 08 ?? ?? ?? 8B 0D 0C ?? ?? ?? 03 48 14 89 4D CC } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule BeRoEXEPackerv100LZMABeRoFarbrausch +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 04 00 00 00 8B F9 81 FE ?? ?? ?? ?? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8 } + +condition: + $a0 at pe.entry_point +} + + +rule PackanoidArkanoid +{ + meta: + author="malware-lu" +strings: + $a0 = { BF 00 10 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8 } + +condition: + $a0 at pe.entry_point +} + + +rule DAEMONProtectv067 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 60 9C 8C C9 32 C9 E3 0C 52 0F 01 4C 24 FE 5A 83 C2 0C 8B 1A 9D 61 } + +condition: + $a0 at pe.entry_point +} + + +rule EmbedPEV100V124cyclotron +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule VProtectorV10Avcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 8A 8E 40 00 68 C6 8E 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 } + +condition: + $a0 at pe.entry_point +} + + +rule EncryptPE2200481022005314WFS +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C 64 FF 35 00 00 00 00 E8 7A } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02JDPack1xJDProtect09Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 22 00 00 00 5D 8B D5 81 ED 90 90 90 90 2B 95 90 90 90 90 81 EA 06 90 90 90 89 95 90 90 90 90 83 BD 45 00 01 00 01 } + +condition: + $a0 at pe.entry_point +} + + +rule EmbedPEV1Xcyclotron +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 50 60 68 ?? ?? ?? ?? E8 ?? ?? 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule EncryptPEV220070411WFS +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01MicrosoftVisualBasic60DLLAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 5A 68 90 90 90 90 68 90 90 90 90 52 E9 90 90 FF } + +condition: + $a0 at pe.entry_point +} + + +rule NsPack14Liuxingping +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 ?? ?? 40 00 2D ?? ?? 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VxTrivial46 +{ + meta: + author="malware-lu" +strings: + $a0 = { B4 4E B1 20 BA ?? ?? CD 21 BA ?? ?? B8 ?? 
3D CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule STUDRC410JamieEditionScanTimeUnDetectablebyMarjinZ +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 2C 11 40 00 E8 F0 FF FF FF 00 00 00 00 00 00 30 00 00 00 38 00 00 00 00 00 00 00 37 BB 71 EC A4 E1 98 4C 9B FE 8F 0F FA 6A 07 F6 00 00 00 00 00 00 01 00 00 00 20 20 46 6F 72 20 73 74 75 64 00 20 54 6F 00 00 00 00 06 00 00 00 CC 1A 40 00 07 00 00 00 D4 18 40 00 07 00 00 00 7C 18 40 00 07 00 00 00 2C 18 40 00 07 00 00 00 E0 17 40 00 56 42 35 21 F0 1F 2A 00 00 00 00 00 00 00 00 00 00 00 00 00 7E 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 09 04 00 00 00 00 00 00 E8 13 40 00 F4 13 40 00 00 F0 30 00 00 FF FF FF 08 00 00 00 01 00 00 00 00 00 00 00 E9 00 00 00 04 11 40 00 04 11 40 00 C8 10 40 00 78 00 00 00 7C 00 00 00 81 00 00 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 61 61 00 53 74 75 64 00 00 73 74 75 64 00 00 01 00 01 00 30 16 40 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 B4 16 40 00 10 30 40 00 07 00 00 00 24 12 40 00 0E 00 20 00 00 00 00 00 1C 9E 21 00 EC 11 40 00 5C 10 40 00 E4 1A 40 00 2C 34 40 00 68 17 40 00 58 17 40 00 78 17 40 00 8C 17 40 00 8C 10 40 00 62 10 40 00 92 10 40 00 F8 1A 40 00 24 19 40 00 98 10 40 00 9E 10 40 00 77 04 18 FF 04 1C FF 05 00 00 24 01 00 0D 14 00 78 1C 40 00 48 21 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VxSonikYouth +{ + meta: + author="malware-lu" +strings: + $a0 = { 8A 16 02 00 8A 07 32 C2 88 07 43 FE C2 81 FB } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXShit006 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? 
E2 FA E9 D6 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule SetupFactoryv6003SetupLauncher +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 90 61 40 00 68 70 3B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 14 61 40 00 33 D2 8A D4 89 15 5C 89 40 00 8B C8 81 E1 FF 00 00 00 89 0D 58 89 40 00 C1 E1 08 03 CA 89 0D 54 89 40 00 C1 E8 10 A3 50 89 } + +condition: + $a0 +} + + +rule CrypKeyV61XDLLCrypKeyCanadaInc +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 3D ?? ?? ?? ?? 00 75 34 68 ?? ?? ?? ?? E8 } + +condition: + $a0 at pe.entry_point +} + + +rule VcAsmProtectorVcAsm +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompact2xxSlimLoaderBitSumTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 } + +condition: + $a0 at pe.entry_point +} + + +rule ENIGMAProtectorV11V12SukhovVladimir +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 } + +condition: + $a0 at pe.entry_point +} + + +rule yodasProtectorv10bAshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 4C 32 40 00 E8 03 00 00 00 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 00 00 00 90 EB 01 ?? E8 03 00 00 00 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule PEDiminisherv01 +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 00 00 00 89 95 9A 33 40 00 80 BD 99 33 40 00 00 74 } + $a1 = { 5D 8B D5 81 ED A2 30 40 ?? 2B 95 91 33 40 ?? 81 EA 0B ?? ?? ?? 89 95 9A 33 40 ?? 
80 BD 99 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule SOFTWrapperforWin9xNTEvaluationVersion +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5D 8B C5 2D ?? ?? ?? 00 50 81 ED 05 00 00 00 8B C5 2B 85 03 0F 00 00 89 85 03 0F 00 00 8B F0 03 B5 0B 0F 00 00 8B F8 03 BD 07 0F 00 00 83 7F 0C 00 74 2B 56 57 8B 7F 10 03 F8 8B 76 10 03 F0 83 3F 00 74 0C 8B 1E 89 1F 83 C6 04 83 C7 04 EB EF } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov200 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 00 02 41 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov201 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 08 02 41 00 68 04 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule FreeJoinerSmallbuild014021024027GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule SDProtector1xRandyLi +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 20 33 C0 89 41 04 89 41 } + +condition: + $a0 at pe.entry_point +} + + +rule NSISInstallerNullSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 20 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ?? ?? ?? ?? C6 44 24 14 20 FF 15 30 70 40 00 53 FF 15 80 72 40 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
BE } + +condition: + $a0 at pe.entry_point +} + + +rule PEXv099 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 01 ?? ?? ?? ?? 83 C4 04 E8 01 ?? ?? ?? ?? 5D 81 } + +condition: + $a0 at pe.entry_point +} + + +rule IMPPacker10MahdiHezavehiIMPOSTER +{ + meta: + author="malware-lu" +strings: + $a0 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 } + +condition: + $a0 +} + + +rule PEProtectv09 +{ + meta: + author="malware-lu" +strings: + $a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 ?? ?? ?? ?? 58 83 C0 07 C6 ?? C3 } + $a1 = { E9 ?? 00 00 00 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39 20 28 43 29 6F } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule nbuildv10soft +{ + meta: + author="malware-lu" +strings: + $a0 = { B9 ?? ?? BB ?? ?? C0 ?? ?? 80 ?? ?? 43 E2 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01StelthPE101Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 BA ?? ?? ?? ?? FF E2 BA E0 10 40 00 B8 68 24 1A 40 89 02 83 C2 03 B8 40 00 E8 EE 89 02 83 C2 FD FF E2 2D 3D 5B 20 48 69 64 65 50 45 20 5D 3D 2D 90 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule IProtect10FxSubdllmodebyFuXdas +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 33 2E 46 55 58 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 46 78 53 75 62 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 
00 60 E8 00 00 00 00 5D 81 ED B6 13 40 00 FF 74 24 20 E8 40 00 00 00 0B C0 74 2F 89 85 A8 13 40 00 8D 85 81 13 40 00 50 FF B5 A8 13 40 00 E8 92 00 00 00 0B C0 74 13 89 85 A4 13 40 00 8D 85 8E 13 40 00 50 FF 95 A4 13 40 00 8B 85 AC 13 40 00 89 44 24 1C 61 FF E0 8B 7C 24 04 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00 00 00 00 81 E7 00 00 FF FF 66 81 3F 4D 5A 75 0F 8B F7 03 76 3C 81 3E 50 45 00 00 75 02 EB 17 81 EF 00 00 01 00 81 FF 00 00 00 70 73 07 BF 00 00 F7 BF EB 02 EB D3 97 64 8F 05 00 00 00 00 83 C4 04 C2 04 00 8D 85 00 10 40 00 50 64 FF 35 00 00 00 00 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00 00 00 00 8B 74 24 0C 66 81 3E 4D 5A 74 05 E9 8A 00 00 00 03 76 3C 81 3E 50 45 00 00 74 02 EB 7D 8B 7C 24 10 B9 96 00 00 00 32 C0 F2 AE 8B CF 2B 4C 24 10 8B 56 78 03 54 24 0C 8B 5A 20 03 5C 24 0C 33 C0 8B 3B 03 7C 24 0C 8B 74 24 10 51 F3 A6 75 05 83 C4 04 EB 0A 59 83 C3 04 40 3B 42 18 75 E2 3B 42 18 75 02 EB 35 8B 72 24 03 74 24 0C 52 BB 02 00 00 00 33 D2 F7 E3 5A 03 C6 33 C9 66 8B 08 8B 7A 1C 33 D2 BB 04 00 00 00 8B C1 F7 E3 03 44 24 0C 03 C7 8B 00 03 44 24 0C EB 02 33 C0 64 8F 05 00 00 00 00 83 C4 04 C2 08 00 E8 B5 FA FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule MSVisualCv8DLLhsmallsig2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B FF 55 8B EC 53 8B 5D 08 56 8B 75 0C 85 F6 57 8B 7D 10 0F 84 ?? ?? 00 00 83 FE 01 } + +condition: + $a0 at pe.entry_point +} + + +rule MSVisualCv8DLLhsmallsig1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B FF 55 8B EC 83 7D 0C 01 75 05 E8 ?? ?? ?? FF 5D E9 D6 FE FF FF CC CC CC CC CC } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorv16xVaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? C3 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXv20MarkusLaszloReiser +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 FF 96 ?? ?? 
?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 } + +condition: + $a0 +} + + +rule BladeJoinerv15 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 C4 E4 FE FF FF 53 56 57 33 C0 89 45 F0 89 85 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv133Engdulekxt +{ + meta: + author="malware-lu" +strings: + $a0 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF } + $a1 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule FSGv13 +{ + meta: + author="malware-lu" +strings: + $a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv12 +{ + meta: + author="malware-lu" +strings: + $a0 = { 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 ?? 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv11 +{ + meta: + author="malware-lu" +strings: + $a0 = { BB D0 01 40 ?? BF ?? 10 40 ?? BE ?? ?? ?? ?? FC B2 80 8A 06 46 88 07 47 02 D2 75 05 8A 16 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 
53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv120EngdulekxtMicrosoftVisualC6070 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA } + +condition: + $a0 at pe.entry_point +} + + +rule SuperDAT: Packer PEiD +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 40 F3 42 00 68 A4 BF 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 08 F2 42 00 33 D2 8A D4 89 15 60 42 43 00 8B C8 81 E1 FF 00 00 00 89 0D } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv200alpha38 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 80 B8 BF 10 00 10 01 74 7A C6 80 BF 10 00 10 01 9C 55 53 51 57 52 56 8D 98 0F 10 00 10 8B 53 14 8B E8 6A 40 68 00 10 00 00 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 8B F8 50 8B 33 8B 53 14 03 F2 8B 4B 0C 03 CA 8D 85 B7 10 00 10 FF 73 04 8F } + +condition: + $a0 +} + + +rule RCryptor16cVaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 } + +condition: + $a0 at pe.entry_point +} + + +rule TheGuardLibrary +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 E8 ?? ?? ?? ?? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3 } + +condition: + $a0 at pe.entry_point +} + + +rule FreeCryptor01build001GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 04 24 40 90 83 C0 07 80 38 90 90 74 02 EB FF 68 26 ?? ?? 
00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 FF E4 90 8B 04 24 64 A3 00 00 00 00 8B 64 24 08 90 83 C4 08 } + +condition: + $a0 +} + + +rule PseudoSigner02BJFNT12Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 00 } + +condition: + $a0 at pe.entry_point +} + + +rule DingBoysPElockPhantasmv08 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 0D 39 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule Thinstall2736Jitit +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 58 BB F3 1C 00 00 2B C3 50 68 00 00 40 00 68 00 26 00 00 68 CC 00 00 00 E8 C1 FE FF FF E9 97 FF FF FF CC CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 } + +condition: + $a0 at pe.entry_point +} + + +rule UnnamedScrambler11Cp0ke +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 E4 53 56 33 C0 89 45 E4 89 45 E8 89 45 EC B8 C0 47 00 10 E8 4F F3 FF FF BE 5C 67 00 10 33 C0 55 68 D2 4A 00 10 64 FF 30 64 89 20 E8 EB DE 
FF FF E8 C6 F8 FF FF BA E0 4A 00 10 B8 CC 67 00 10 E8 5F F8 FF FF 8B D8 8B D6 8B C3 8B 0D CC 67 00 10 E8 3A DD FF FF 8B 46 50 8B D0 B8 D4 67 00 10 E8 5B EF FF FF B8 D4 67 00 10 E8 09 EF FF FF 8B D0 8D 46 14 8B 4E 50 E8 14 DD FF FF 8B 46 48 8B D0 B8 D8 67 00 ?? ?? ?? ?? ?? FF B8 D8 67 00 10 E8 E3 EE FF FF 8B D0 8B C6 8B 4E 48 E8 EF DC FF FF FF 76 5C FF 76 58 FF 76 64 FF 76 60 B9 D4 67 00 10 8B 15 D8 67 00 10 A1 D4 67 00 10 E8 76 F6 FF FF A1 D4 67 00 10 E8 5C EE FF FF 8B D0 B8 CC 67 00 10 E8 CC F7 FF FF 8B D8 B8 DC 67 00 10 } + +condition: + $a0 +} + + +rule y0dasCrypterv1xModified +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? B9 ?? ?? 00 00 8D BD ?? ?? ?? ?? 8B F7 AC } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov252b2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 B0 ?? ?? ?? 68 60 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 24 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv036betaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE E0 11 ?? ?? FF 36 E9 C3 00 00 00 48 01 ?? ?? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C } + $a1 = { BE E0 11 ?? ?? FF 36 E9 C3 00 00 00 48 01 ?? ?? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
82 8E FE FF FF 58 8B 4E 40 5F E3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule VxNecropolis +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 FC AD 33 C2 AB 8B D0 E2 F8 } + +condition: + $a0 at pe.entry_point +} + + +rule WinUpackv039finalrelocatedimagebaseByDwingc2005h2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 09 00 00 00 ?? ?? ?? 00 E9 06 02 00 00 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD 03 C3 50 97 AD 91 F3 A5 5E AD 56 91 01 1E AD E2 FB AD 8D 6E 10 01 5D 00 8D 7D 1C B5 ?? F3 AB 5E AD 53 50 51 97 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv1061bAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 } + +condition: + $a0 at pe.entry_point +} + + +rule aPackv062 +{ + meta: + author="malware-lu" +strings: + $a0 = { 1E 06 8C C8 8E D8 ?? ?? ?? 8E C0 50 BE ?? ?? 33 FF FC B6 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv071 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ED 10 00 00 C3 83 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv070 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 BD 10 00 00 C3 83 E2 00 F9 75 FA 70 } + +condition: + $a0 at pe.entry_point +} + + +rule Ningishzida10CyberDoom +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 96 E8 00 00 00 00 5D 81 ED 03 25 40 00 B9 04 1B 00 00 8D BD 4B 25 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectSKE21xdllAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PAVCryptorPawningAntiVirusCryptormasha_dev +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 56 57 55 BB 2C ?? ?? 70 BE 00 30 00 70 BF 20 ?? ?? 70 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 00 70 00 74 06 FF 15 54 30 00 70 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 1C 30 00 70 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 14 30 00 70 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 8F FA FF FF FF 15 20 30 00 70 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ?? ?? 70 00 74 06 FF 15 10 ?? ?? 70 8B 06 50 E8 A9 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 00 00 00 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 00 70 E8 26 FF FF FF C3 90 8F 05 04 30 00 70 E9 E9 FF FF FF C3 } + +condition: + $a0 +} + + +rule ExeShieldCryptor13RCTomCommander +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 8C 21 40 00 B9 51 2D 40 00 81 E9 E6 21 40 00 8B D5 81 C2 E6 21 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC } + +condition: + $a0 at pe.entry_point +} + + +rule CrinklerV01V02RuneLHStubbeandAskeSimonChristensen +{ + meta: + author="malware-lu" +strings: + $a0 = { B9 ?? ?? ?? ?? 01 C0 68 ?? ?? ?? ?? 6A 00 58 50 6A 00 5F 48 5D BB 03 00 00 00 BE ?? ?? ?? ?? E9 } + +condition: + $a0 at pe.entry_point +} + + +rule VxGRUNT4Family +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 1C 00 8D 9E 41 01 40 3E 8B 96 14 03 B9 EA 00 87 DB F7 D0 31 17 83 C3 02 E2 F7 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule nPackV112002006BetaNEOxuinC +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? ?? 
E8 5E 00 00 00 E8 EC 01 00 00 E8 F8 06 00 00 E8 03 06 00 00 A1 3C ?? ?? ?? C7 05 40 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 ?? ?? ?? C3 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule VxEddie1800 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E 8B FE 33 C0 50 8E D8 C4 ?? ?? ?? 2E ?? ?? ?? ?? 2E } + +condition: + $a0 at pe.entry_point +} + + +rule EncryptPEV22006115WFS +{ + meta: + author="malware-lu" +strings: + $a0 = { 45 50 45 3A 20 45 6E 63 72 79 70 74 50 45 20 56 32 2E 32 30 30 36 2E 31 2E 31 35 } + +condition: + $a0 +} + + +rule PrincessSandyv10eMiNENCEProcessPatcherPatch +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 27 11 40 00 E8 3C 01 00 00 6A 00 E8 41 01 00 00 A3 00 20 40 00 8B 58 3C 03 D8 0F B7 43 14 0F B7 4B 06 8D 7C 18 18 81 3F 2E 4C 4F 41 74 0B 83 C7 28 49 75 F2 E9 A7 00 00 00 8B 5F 0C 03 1D 00 20 40 00 89 1D 04 20 40 00 8B FB 83 C7 04 68 4C 20 40 00 68 08 } + +condition: + $a0 +} + + +rule aPackv082 +{ + meta: + author="malware-lu" +strings: + $a0 = { 1E 06 8C CB BA ?? ?? 03 DA 8D ?? ?? ?? FC 33 F6 33 FF 48 4B 8E C0 8E DB } + +condition: + $a0 at pe.entry_point +} + + +rule NJoiner01AsmVersionNEX +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 00 68 00 14 40 00 68 00 10 40 00 6A 00 E8 14 00 00 00 6A 00 E8 13 00 00 00 CC FF 25 AC 12 40 00 FF 25 B0 12 40 00 FF 25 B4 12 40 00 FF 25 B8 12 40 00 FF 25 BC 12 40 00 FF 25 C0 12 40 00 FF 25 C4 12 40 00 FF 25 C8 12 40 00 FF 25 CC 12 40 00 FF 25 D0 12 40 00 FF 25 D4 12 40 00 FF 25 D8 12 40 00 FF 25 DC 12 40 00 FF 25 E4 12 40 00 FF 25 EC 12 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule Obsiduim1304ObsiduimSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 
64 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02FSG131Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01CodeSafe20Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01NorthStarPEShrinker13Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00 00 00 00 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule ocBat2Exe10OC +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B9 08 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 58 3C 40 00 E8 6C FA FF FF 33 C0 55 68 8A 3F 40 00 64 FF 30 64 89 20 6A 00 6A 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 81 E9 FF FF 8B 45 EC E8 41 F6 FF FF 50 E8 F3 FA FF FF 8B F8 83 FF FF 0F 84 83 02 00 00 6A 02 6A 00 6A EE 57 E8 FC FA FF FF 6A 00 68 60 99 4F 00 6A 12 68 18 57 40 00 57 E8 E0 FA FF FF 83 3D 60 99 4F 00 12 0F 85 56 02 00 00 8D 45 E4 50 8D 45 E0 BA 18 57 40 00 B9 40 42 0F 00 E8 61 F4 FF FF 8B 45 E0 B9 12 00 00 00 BA 01 00 00 00 E8 3B F6 FF FF 8B 45 E4 8D 55 E8 E8 04 FB ?? ?? ?? ?? E8 B8 58 99 4F 00 E8 67 F3 FF FF 33 C0 A3 60 99 4F 00 8D 45 DC 50 B9 05 00 00 00 BA 01 00 00 00 A1 58 99 4F 00 E8 04 F6 FF FF 8B 45 DC BA A4 3F 40 00 E8 E3 F4 FF FF } + +condition: + $a0 +} + + +rule ASDPack20asd +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 
00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8D 49 00 1F 01 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 90 } + $a1 = { 5B 43 83 7B 74 00 0F 84 08 00 00 00 89 43 14 E9 } + $a2 = { 8B 44 24 04 56 57 53 E8 CD 01 00 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 } + +condition: + $a0 or $a1 or $a2 at pe.entry_point +} + + +rule EXECryptor2021protectedIAT +{ + meta: + author="malware-lu" +strings: + $a0 = { A4 ?? ?? ?? 00 00 00 00 FF FF FF FF 3C ?? ?? ?? 94 ?? ?? ?? D8 ?? ?? ?? 00 00 00 00 FF FF FF FF B8 ?? ?? ?? D4 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 60 ?? ?? ?? 70 ?? ?? ?? 84 ?? ?? ?? 00 00 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 } + +condition: + $a0 +} + + +rule ShrinkWrapv14 +{ + meta: + author="malware-lu" +strings: + $a0 = { 58 60 8B E8 55 33 F6 68 48 01 ?? ?? E8 49 01 ?? ?? EB } + +condition: + $a0 at pe.entry_point +} + + +rule UnknownbySMT +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 83 ?? ?? 57 EB } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01VOBProtectCD5Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 36 3E 26 8A C0 60 E8 00 00 00 00 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule SimplePack10Xbagie +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5B 8D 5B FA 6A 00 FF 93 ?? ?? 00 00 89 C5 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 8B 86 88 00 00 00 09 C0 } + +condition: + $a0 at pe.entry_point +} + + +rule ThemidaWinLicenseV18XV19XOreansTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 
60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 05 89 48 01 61 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule EXEjoinerAmok +{ + meta: + author="malware-lu" +strings: + $a0 = { A1 14 A1 40 00 C1 E0 02 A3 18 A1 40 } + +condition: + $a0 at pe.entry_point +} + + +rule EmbedPEv124cyclotron +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 50 60 68 ?? ?? ?? ?? E8 CB FF 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv04xv05x +{ + meta: + author="malware-lu" +strings: + $a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 ?? 8B FE 68 79 01 ?? ?? 59 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov301v305 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F } + +condition: + $a0 at pe.entry_point +} + + +rule DingBoysPElockv007 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 23 35 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule mPack003DeltaAziz +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 33 C0 89 45 F0 B8 A8 76 00 10 E8 67 C4 FF FF 33 C0 55 68 C2 78 00 10 64 FF 30 64 89 20 8D 55 F0 33 C0 E8 93 C8 FF FF 8B 45 F0 E8 87 CB FF FF A3 08 A5 00 10 33 C0 55 68 A5 78 00 10 64 FF 30 64 89 20 A1 08 A5 00 10 E8 FA C9 FF FF 83 F8 FF 75 0A E8 88 B2 FF FF E9 1B 01 00 00 C7 05 14 A5 00 
10 32 00 00 00 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 C9 C9 FF FF BA 14 A5 00 10 A1 08 A5 00 10 B9 04 00 00 00 E8 C5 C9 FF FF 83 3D 14 A5 00 10 32 77 0A E8 47 B2 FF FF E9 DA 00 00 00 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 92 C9 FF FF BA 18 A5 } + +condition: + $a0 at pe.entry_point +} + + +rule SixtoFourv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 55 4C 50 83 ?? ?? FC BF ?? ?? BE ?? ?? B5 ?? 57 F3 A5 C3 33 ED } + +condition: + $a0 at pe.entry_point +} + + +rule FreeJoinerSmallbuild029GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 32 C4 8A C3 58 E8 DE FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule ThemidaWinLicenseV1XNoCompressionSecureEngineOreansTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule WinUpackv030betaByDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 } + $a1 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 } + +condition: + $a0 or $a1 +} + + +rule Armadillov260b2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 90 ?? ?? ?? 68 24 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 60 ?? ?? ?? 
33 D2 8A D4 89 15 3C } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov260b1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 50 ?? ?? ?? 68 74 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 FC } + +condition: + $a0 at pe.entry_point +} + + +rule ExeLockerv10IonIce +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 60 8B 6C 24 20 81 ED 05 00 00 00 3E 8F 85 6C 00 00 00 3E 8F 85 68 00 00 00 3E 8F 85 64 00 00 00 3E 8F 85 60 00 00 00 3E 8F 85 5C 00 00 00 3E 8F 85 58 00 00 00 3E 8F 85 54 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackV10betaap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB } + +condition: + $a0 at pe.entry_point +} + + +rule PellesC300400450EXEX86CRTDLL +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 53 56 57 89 65 E8 C7 45 FC ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59 BE ?? ?? ?? ?? EB } + +condition: + $a0 at pe.entry_point +} + + +rule BeRoEXEPackerv100LZBRRBeRoFarbrausch +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC B2 80 33 DB A4 B3 02 E8 ?? ?? ?? ?? 73 F6 33 C9 E8 ?? ?? ?? ?? 73 1C 33 C0 E8 ?? ?? ?? ?? 73 23 B3 02 41 B0 10 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov190a +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 64 FF 68 10 F2 40 00 68 14 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule WWPACKv305c4Modified +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 
51 8C D3 } + +condition: + $a0 at pe.entry_point +} + + +rule APatchGUIv11 +{ + meta: + author="malware-lu" +strings: + $a0 = { 52 31 C0 E8 FF FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule ExeSafeguardv10simonzh +{ + meta: + author="malware-lu" +strings: + $a0 = { C0 5D EB 4E EB 47 DF 69 4E 58 DF 59 74 F3 EB 01 DF 75 EE 9A 59 9C 81 C1 E2 FF FF FF EB 01 DF 9D FF E1 E8 51 E8 EB FF FF FF DF 22 3F 9A C0 81 ED 19 18 40 00 EB 48 EB 47 DF 69 4E 58 DF 59 79 EE EB 01 DF 78 E9 DF 59 9C 81 C1 E5 FF FF FF 9D FF E1 EB 51 E8 EE } + +condition: + $a0 +} + + +rule PseudoSigner01CDCopsIIAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 60 BD 90 90 90 90 8D 45 90 8D 5D 90 E8 00 00 00 00 8D 01 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakeVIRUSIWormHybrisFEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 EB 16 A8 54 00 00 47 41 42 4C 4B 43 47 43 00 00 00 00 00 00 52 49 53 00 FC 68 4C 70 40 00 FF 15 } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidium1322ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 04 } + +condition: + $a0 at pe.entry_point +} + + +rule PrivateEXEProtector20SetiSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 89 ?? ?? 38 00 00 00 8B ?? 00 00 00 00 81 ?? ?? ?? ?? ?? 89 ?? 00 00 00 00 81 ?? 04 00 00 00 81 ?? 04 00 00 00 81 ?? 
00 00 00 00 0F 85 D6 FF FF FF } + +condition: + $a0 +} + + +rule NTkrnlSecureSuite01015DLLNTkrnlSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 8B 44 24 04 05 ?? ?? ?? ?? 50 E8 01 00 00 00 C3 C3 } + +condition: + $a0 +} + + +rule UPXHiTv001DJSiba +{ + meta: + author="malware-lu" +strings: + $a0 = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 } + +condition: + $a0 +} + + +rule Vpackerttui +{ + meta: + author="malware-lu" +strings: + $a0 = { 89 C6 C7 45 E0 01 00 00 00 F7 03 00 00 FF FF 75 18 0F B7 03 50 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 EB 13 53 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 83 C7 04 FF 45 E0 4E 75 C4 8B F3 83 3E 00 75 88 8B 45 E4 8B 40 10 03 45 DC 8B 55 14 83 C2 20 89 02 68 00 80 00 00 6A 00 8B 45 D4 50 FF 55 EC 8B 55 DC 8B 42 3C 03 45 DC 83 C0 04 8B D8 83 C3 14 8D 45 E0 50 6A 40 68 00 10 00 00 52 FF 55 E8 8D 43 60 } + +condition: + $a0 +} + + +rule IProtect10FxlibdllmodebyFuXdas +{ + meta: + author="malware-lu" +strings: + $a0 = {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} + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02DxPack10Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 90 90 90 90 2B B9 00 00 00 00 81 EF 90 90 90 90 83 BD 90 90 90 90 90 0F 84 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule SecureEXE30ZipWorx +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 B8 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 
00 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule eXPressorv12CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { 45 78 50 72 2D 76 2E 31 2E 32 2E } + $a1 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? ?? 2B 05 84 ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 16 A1 ?? ?? ?? ?? 03 05 80 ?? ?? ?? 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? ?? 01 00 00 00 68 04 } + $a2 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? ?? 2B 05 84 ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 16 A1 ?? ?? ?? ?? 03 05 80 ?? ?? ?? 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? ?? 01 00 00 00 68 04 01 00 00 8D 85 F0 FE FF FF 50 6A 00 FF 15 } + +condition: + $a0 or $a1 at pe.entry_point or $a2 at pe.entry_point +} + + +rule NullsoftPIMPInstallSystemv13x +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC ?? ?? 00 00 56 57 6A ?? BE ?? ?? ?? ?? 59 8D BD } + +condition: + $a0 at pe.entry_point +} + + +rule Enigmaprotector110111VladimirSukhov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 } + $a1 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 90 58 61 EB 01 3E EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 01 E8 ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 05 F6 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 B9 3D 1A } + +condition: + $a0 or $a1 +} + + +rule PECompactv140b5v140b6 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 8A 11 } + +condition: + $a0 at pe.entry_point +} + + +rule VxExplosion1000 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5E 1E 06 50 81 ?? ?? ?? 56 FC B8 21 35 CD 21 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 26 ?? ?? ?? ?? ?? ?? 74 ?? 8C D8 48 8E D8 } + +condition: + $a0 at pe.entry_point +} + + +rule PKZIPSFXv11198990 +{ + meta: + author="malware-lu" +strings: + $a0 = { FC 2E 8C 0E ?? ?? A1 ?? ?? 8C CB 81 C3 ?? ?? 3B C3 72 ?? 2D ?? ?? 2D ?? ?? FA BC ?? ?? 8E D0 FB } + +condition: + $a0 at pe.entry_point +} + + +rule PEBundlev20b5v23 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 01 AD ?? ?? ?? ?? 01 AD } + +condition: + $a0 at pe.entry_point +} + + +rule PUNiSHERV15DemoFEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule HACKSTOPv110v111 +{ + meta: + author="malware-lu" +strings: + $a0 = { B4 30 CD 21 86 E0 3D ?? ?? 73 ?? B4 2F CD 21 B0 ?? B4 4C CD 21 50 B8 ?? ?? 58 EB } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidium1336ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? 
?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 } + +condition: + $a0 +} + + +rule DualseXeEncryptor10bDual +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC 00 05 00 00 E8 00 00 00 00 5D 81 ED 0E 00 00 00 8D 85 3A 04 00 00 89 28 33 FF 8D 85 80 03 00 00 8D 8D 3A 04 00 00 2B C8 8B 9D 8A 04 00 00 E8 24 02 00 00 8D 9D 58 03 00 00 8D B5 7F 03 00 00 46 80 3E 00 74 24 56 FF 95 58 05 00 00 46 80 3E 00 75 FA 46 80 3E 00 74 E7 50 56 50 FF 95 5C 05 00 00 89 03 58 83 C3 04 EB E3 8D 85 69 02 00 00 FF D0 8D 85 56 04 00 00 50 68 1F 00 02 00 6A 00 8D 85 7A 04 00 00 50 } + +condition: + $a0 at pe.entry_point +} + + +rule MarjinZEXEScramblerSEbyMarjinZ +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 A3 02 00 00 E9 35 FD FF FF FF 25 C8 20 00 10 6A 14 68 C0 21 00 10 E8 E4 01 00 00 FF 35 7C 33 00 10 8B 35 8C 20 00 10 FF D6 59 89 45 E4 83 F8 FF 75 0C FF 75 08 FF 15 88 20 00 10 59 EB 61 6A 08 E8 02 03 00 00 59 83 65 FC 00 FF 35 7C 33 00 10 FF D6 89 45 E4 FF 35 78 33 00 10 FF D6 89 45 E0 8D 45 E0 50 8D 45 E4 50 FF 75 08 E8 D1 02 00 00 89 45 DC FF 75 E4 8B 35 74 20 00 10 FF D6 A3 7C 33 00 10 FF 75 E0 FF D6 83 C4 1C A3 78 33 00 10 C7 45 FC FE FF FF FF E8 09 00 00 00 8B 45 DC E8 A0 01 00 00 C3 } + +condition: + $a0 +} + + +rule nPack111502006BetaNEOx +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 3D ?? ?? ?? ?? ?? 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 A1 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? C3 C3 56 57 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 5F A3 ?? ?? ?? ?? 
5E C3 } + +condition: + $a0 at pe.entry_point +} + + +rule DingBoysPElockPhantasmv15b3 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 55 57 56 52 51 53 9C FA E8 00 00 00 00 5D 81 ED 5B 53 40 00 B0 } + +condition: + $a0 at pe.entry_point +} + + +rule ShellModify01pll621 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 98 66 41 00 68 3C 3D 41 00 64 A1 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01MacromediaFlashProjector60Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C E9 } + +condition: + $a0 at pe.entry_point +} + + +rule Packman0001Bubbasoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 0F 85 ?? FF FF FF 8D B3 ?? ?? ?? ?? EB 3D 8B 46 0C 03 C3 50 FF 55 00 56 8B 36 0B F6 75 02 8B F7 03 F3 03 FB EB 1B D1 C1 D1 E9 73 05 0F B7 C9 EB 05 03 CB 8D 49 02 50 51 50 FF 55 04 AB 58 83 C6 04 8B 0E 85 C9 75 DF 5E 83 C6 14 8B 7E 10 85 FF 75 BC 8D 8B 00 } + +condition: + $a0 +} + + +rule aPackv098bDSESnotsaved +{ + meta: + author="malware-lu" +strings: + $a0 = { 8C CB BA ?? ?? 03 DA FC 33 F6 33 FF 4B 8E DB 8D ?? ?? ?? 8E C0 B9 ?? ?? F3 A5 4A 75 } + +condition: + $a0 +} + + +rule ASProtectvIfyouknowthisversionpostonPEiDboardh2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule Aluwainv809 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B EC 1E E8 ?? ?? 
9D 5E } + +condition: + $a0 at pe.entry_point +} + + +rule AntiDote12DLLDemoSISTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90 90 90 90 90 90 90 90 90 90 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF } + +condition: + $a0 +} + + +rule MSLRHv032afakeMicrosoftVisualCemadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 64 8F 05 00 00 00 00 83 C4 0C 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule SoftwareCompressV12BGSoftwareProtectTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule Themida1201OreansTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 
35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 } + +condition: + $a0 +} + + +rule PECompactv126b1v126b2 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? 05 0E } + +condition: + $a0 at pe.entry_point +} + + +rule Cruncherv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 2E ?? ?? ?? ?? 2E ?? ?? ?? B4 30 CD 21 3C 03 73 ?? BB ?? ?? 8E DB 8D ?? ?? ?? B4 09 CD 21 06 33 C0 50 CB } + +condition: + $a0 at pe.entry_point +} + + +rule AntiDote1214SEDLLSISTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90 90 90 90 90 90 90 90 90 90 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC 11 DB } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectSKE21xexeAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule DBPEv210DingBoy +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 20 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? EB 58 75 73 65 72 33 32 2E 64 6C 6C ?? 4D 65 73 73 61 67 65 42 6F 78 41 ?? 
6B 65 72 6E 65 6C } + +condition: + $a0 at pe.entry_point +} + + +rule NsPacKV37LiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 80 39 01 0F ?? ?? ?? 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule tElock099tE +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 } + +condition: + $a0 at pe.entry_point +} + + +rule WinZipSelfExtractor22personaleditionWinZipComputing +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 FF 15 58 70 40 00 B3 22 38 18 74 03 80 C3 FE 40 33 D2 8A 08 3A CA 74 10 3A CB 74 07 40 8A 08 3A CA 75 F5 38 10 74 01 40 52 50 52 52 FF 15 5C 70 40 00 50 E8 15 FB FF FF 50 FF 15 8C 70 40 00 5B } + +condition: + $a0 at pe.entry_point +} + +rule ZipWorxSecureEXEv25ZipWORXTechnologiesLLC +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 B8 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 53 65 63 75 72 65 45 58 45 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 28 63 29 20 32 30 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackFullEdition117iBoxaPLibAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 79 29 00 00 8D 9D 2C 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 } + +condition: + $a0 at pe.entry_point +} + + +rule Alloyv1x2000 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95 46 23 40 ?? 
0B } + +condition: + $a0 at pe.entry_point +} + + +rule FreeJoiner153Stubengine171GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 02 FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A8 10 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02MicrosoftVisualC70DLLAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8D 6C 01 00 81 EC 00 00 00 00 8B 45 90 83 F8 01 56 0F 84 00 00 00 00 85 C0 0F 84 } + +condition: + $a0 at pe.entry_point +} + + +rule EYouDiDaiYueHeiFengGao +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 56 57 0F 31 8B D8 0F 31 8B D0 2B D3 C1 EA 10 B8 ?? ?? ?? ?? 0F 6E C0 B8 ?? ?? ?? ?? 0F 6E C8 0F F5 C1 0F 7E C0 0F 77 03 C2 ?? ?? ?? ?? ?? FF E0 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptorV21Xsoftcompletecom +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 C6 14 8B 55 FC E9 ?? FF FF FF } + $a1 = { E9 ?? ?? ?? ?? 66 9C 60 50 8D 88 ?? ?? ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 } + +condition: + $a0 or $a1 at pe.entry_point +} + + +rule PCShrinkerv045 +{ + meta: + author="malware-lu" +strings: + $a0 = { BD ?? ?? ?? ?? 01 AD E3 38 40 ?? FF B5 DF 38 40 } + +condition: + $a0 at pe.entry_point +} + + +rule yodasProtectorV1033AshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8E 00 00 00 E8 03 00 00 00 EB 01 ?? E8 81 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B7 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AA 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2D E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 5D 81 ED 07 E2 40 00 8B D5 81 C2 56 E2 40 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 
33 C0 64 FF 30 64 89 20 4B CC C3 } + +condition: + $a0 at pe.entry_point +} + + +rule SoftSentryv211 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 EC ?? 53 56 57 E9 50 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv120EngdulekxtBorlandDelphiBorlandC +{ + meta: + author="malware-lu" +strings: + $a0 = { 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakeStonesPEEncryptor20FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 53 51 52 56 57 55 E8 00 00 00 00 5D 81 ED 42 30 40 00 FF 95 32 35 40 00 B8 37 30 40 00 03 C5 2B 85 1B 34 40 00 89 85 27 34 40 00 83 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov300 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 60 33 C9 } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorv11Vaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 04 24 83 E8 4F 68 ?? ?? ?? ?? FF D0 } + $a1 = { 8B 04 24 83 E8 4F 68 ?? ?? ?? ?? FF D0 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 
40 EB F3 } + +condition: + $a0 or $a1 +} + + +rule Fusion10jaNooNi +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 04 30 40 00 68 04 30 40 00 E8 09 03 00 00 68 04 30 40 00 E8 C7 02 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule UpxLock1012CyberDoomTeamXBoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 } + +condition: + $a0 at pe.entry_point +} + + +rule PCPEEncryptorAlphapreview +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B CD 81 ED 33 30 40 ?? 2B 8D EE 32 40 00 83 E9 0B 89 8D F2 32 40 ?? 80 BD D1 32 40 ?? 01 0F 84 } + +condition: + $a0 at pe.entry_point +} + + +rule VxKeypress1212 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? E8 ?? ?? E8 ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? EA ?? ?? ?? ?? 1E 33 DB 8E DB BB } + +condition: + $a0 at pe.entry_point +} + + +rule SoftwareCompressv12BGSoftwareProtectTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 1A 0F 41 00 89 44 24 1C 61 C2 04 00 E8 00 00 00 00 81 2C 24 3A 10 41 00 5D E8 00 00 00 00 81 2C 24 31 01 00 00 8B 85 2A 0F 41 00 29 04 24 } + +condition: + $a0 at pe.entry_point +} + + +rule NsPackV14LiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 B1 85 40 00 2D AA 85 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VProtectorV11Avcasm +{ + meta: + 
author="malware-lu" +strings: + $a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidium1300ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 22 EB 02 ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 47 26 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule XXPack01bagie +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 00 68 00 ?? ?? ?? C3 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeLocker10IonIce +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 60 8B 6C 24 20 81 ED 05 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule yodasProtectorV101AshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 ?? E8 86 00 00 00 E8 03 00 00 00 EB 01 ?? E8 79 00 00 00 E8 03 00 00 00 EB 01 ?? E8 A4 00 00 00 E8 03 00 00 00 EB 01 ?? E8 97 00 00 00 E8 03 00 00 00 EB 01 ?? E8 2D 00 00 00 E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 5D 81 ED D5 E4 41 00 8B D5 81 C2 23 E5 41 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 
33 C0 64 FF 30 64 89 20 CC C3 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv2001AlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 72 05 00 00 EB 4C } + +condition: + $a0 at pe.entry_point +} + + +rule USERNAMEv300 +{ + meta: + author="malware-lu" +strings: + $a0 = { FB 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 8C C8 2B C1 8B C8 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 33 C0 8E D8 06 0E 07 FC 33 F6 } + +condition: + $a0 at pe.entry_point +} + + +rule nSpackV2xLiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 } + +condition: + $a0 +} + + +rule GameGuardv20065xxdllsignbyhot_UNP +{ + meta: + author="malware-lu" +strings: + $a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 BA 4C 00 00 00 80 7C 24 08 01 0F 85 ?? 01 00 00 60 BE 00 } + +condition: + $a0 at pe.entry_point +} + + +rule Upack_PatchoranyVersionDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 09 00 00 00 ?? ?? ?? 00 E9 06 02 } + +condition: + $a0 at pe.entry_point +} + + +rule PCPECalpha +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 51 52 56 57 55 E8 ?? ?? ?? ?? 5D 8B CD 81 ?? ?? ?? ?? ?? 2B ?? ?? ?? ?? ?? 83 } + +condition: + $a0 at pe.entry_point +} + + +rule WWPACKv305c4Unextractable +{ + meta: + author="malware-lu" +strings: + $a0 = { 03 05 00 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 } + +condition: + $a0 at pe.entry_point +} + + +rule Escargot01finalMeat +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 04 40 30 2E 31 60 68 61 ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 B8 92 ?? ?? ?? 8B 00 FF D0 50 B8 CD ?? ?? ?? 81 38 DE C0 37 13 75 2D 68 C9 ?? ?? ?? 6A 40 68 00 ?? 00 00 68 00 00 ?? ?? B8 96 ?? ?? ?? 8B 00 FF D0 8B 44 24 F0 8B 4C 24 F4 EB 05 49 C6 04 01 40 0B C9 75 F7 BE 00 10 ?? ?? B9 00 ?? ?? 00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ?? ?? ?? ?? E9 AC 00 00 00 8B 46 0C BB 00 00 ?? ?? 
03 C3 50 50 } + +condition: + $a0 at pe.entry_point +} + + +rule MetrowerksCodeWarriorv20GUI +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 53 56 83 EC 44 55 B8 FF FF FF FF 50 50 68 ?? ?? 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 00 00 E8 ?? ?? 00 00 E8 } + +condition: + $a0 +} + + +rule UnnamedScrambler21Beta211p0ke +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B9 15 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 ?? 3A ?? ?? E8 ?? EE FF FF 33 C0 55 68 ?? 43 ?? ?? 64 FF 30 64 89 20 BA ?? 43 ?? ?? B8 E4 64 ?? ?? E8 0F FD FF FF 8B D8 85 DB 75 07 6A 00 E8 ?? EE FF FF BA E8 64 ?? ?? 8B C3 8B 0D E4 64 ?? ?? E8 ?? D7 FF FF B8 F8 ?? ?? ?? BA 04 00 00 00 E8 ?? EF FF FF 33 C0 A3 F8 ?? ?? ?? BB ?? ?? ?? ?? C7 45 EC E8 64 ?? ?? C7 45 E8 ?? ?? ?? ?? C7 45 E4 ?? ?? ?? ?? BE ?? ?? ?? ?? BF ?? ?? ?? ?? B8 E0 ?? ?? ?? BA 04 00 00 00 E8 ?? EF FF FF 68 F4 01 00 00 E8 ?? EE FF FF 83 7B 04 00 75 0B 83 3B 00 0F 86 ?? 07 00 00 EB 06 0F 8E ?? 07 00 00 8B 03 8B D0 B8 E4 ?? ?? ?? E8 ?? E5 FF FF B8 E4 ?? ?? ?? E8 ?? E3 FF FF 8B D0 8B 45 EC 8B 0B E8 } + +condition: + $a0 +} + + +rule NoodleCryptv20 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 } + $a1 = { EB 01 9A E8 ?? 00 00 00 EB 01 9A E8 ?? ?? 00 00 EB 01 9A E8 ?? ?? 00 00 EB 01 } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule PoPa001PackeronPascalbagie +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 A4 3E 00 10 E8 30 F6 FF FF 33 C0 55 68 BE 40 00 10 ?? ?? ?? ?? 
89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 62 E7 FF FF 8B 45 EC E8 32 F2 FF FF 50 E8 B4 F6 FF FF A3 64 66 00 10 33 D2 55 68 93 40 00 10 64 FF 32 64 89 22 83 3D 64 66 00 10 FF 0F 84 3A 01 00 00 6A 00 6A 00 6A 00 A1 64 66 00 10 50 E8 9B F6 FF FF 83 E8 10 50 A1 64 66 00 10 50 E8 BC F6 FF FF 6A 00 68 80 66 00 10 6A 10 68 68 66 00 10 A1 64 66 00 10 50 E8 8B F6 FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule BlindSpot10s134k +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC 50 02 00 00 8D 85 B0 FE FF FF 53 56 A3 90 12 40 00 57 8D 85 B0 FD FF FF 68 00 01 00 00 33 F6 50 56 FF 15 24 10 40 00 56 68 80 00 00 00 6A 03 56 56 8D 85 B0 FD FF FF 68 00 00 00 80 50 FF 15 20 10 40 00 56 56 68 00 08 00 00 50 89 45 FC FF 15 1C 10 40 00 8D 45 F8 8B 1D 18 10 40 00 56 50 6A 34 FF 35 90 12 40 00 FF 75 FC FF D3 85 C0 0F 84 7F 01 00 00 39 75 F8 0F 84 76 01 00 00 A1 90 12 40 00 66 8B 40 30 66 3D 01 00 75 14 8D 85 E4 FE FF FF 68 04 01 00 00 50 FF 15 14 10 40 00 EB 2C 66 3D 02 00 75 14 8D 85 E4 FE FF FF 50 68 04 01 00 00 FF 15 10 10 40 00 EB 12 8D 85 E4 FE FF FF 68 04 01 00 00 50 FF 15 0C 10 40 00 8B 3D 08 10 40 00 8D 85 E4 FE FF FF 68 54 10 40 00 50 } + +condition: + $a0 +} + + +rule GamehouseMediaProtectorVersionUnknown +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? ?? ?? 6A 00 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? 00 00 00 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv042 +{ + meta: + author="malware-lu" +strings: + $a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 52 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 } + +condition: + $a0 at pe.entry_point +} + + +rule EXEStealthv274WebToolMaster +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 00 EB 17 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
60 90 E8 00 00 00 00 5D } + +condition: + $a0 at pe.entry_point +} + + +rule EXEManagerVersion301994cSolarDesigner +{ + meta: + author="malware-lu" +strings: + $a0 = { B4 30 1E 06 CD 21 2E ?? ?? ?? BF ?? ?? B9 ?? ?? 33 C0 2E ?? ?? 47 E2 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv02BetaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 88 01 ?? ?? AD 8B F8 95 A5 33 C0 33 } + +condition: + $a0 at pe.entry_point +} + + +rule DEFv100Engbartxt +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? ?? 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule AnslymCrypter +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A 68 30 1C 05 10 A1 60 56 05 10 50 E8 68 47 FB FF 8B D8 85 DB 0F 84 B6 02 00 00 53 A1 60 56 05 10 50 E8 F2 48 FB FF 8B F0 85 F6 0F 84 A0 02 00 00 E8 F3 } + +condition: + $a0 at pe.entry_point +} + + +rule ARMProtectorv02SMoKE +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 09 20 40 00 EB 02 83 09 8D B5 9A 20 40 00 EB 02 83 09 BA 0B 12 00 00 EB 01 00 8D 8D A5 32 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule CrypKeyV56XDLLKenonicControlsLtd +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 1D ?? ?? ?? ?? 83 FB 00 75 0A E8 ?? ?? ?? ?? E8 } + +condition: + $a0 at pe.entry_point +} + + +rule PEiDBundlev102v104BoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 } + +condition: + $a0 at pe.entry_point +} + + +rule VxHeloween1172 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5E 81 EE ?? ?? 56 50 06 0E 1F 8C C0 01 ?? ?? 01 ?? ?? 80 ?? ?? ?? ?? 8B ?? ?? A3 ?? ?? 8A ?? ?? A2 ?? ?? B8 ?? ?? CD 21 3D } + +condition: + $a0 at pe.entry_point +} + + +rule PackedwithPKLITEv150withCRCcheck1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 1F B4 09 BA ?? ?? CD 21 B8 ?? ?? CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule Pe123v2006412 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B C0 60 9C E8 01 00 00 00 C3 53 E8 72 00 00 00 50 E8 1C 03 00 00 8B D8 FF D3 5B C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10 8B 7D 0C 8B 75 08 F3 A4 61 5D C2 0C 00 E8 00 00 00 00 58 83 E8 05 C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B } + +condition: + $a0 at pe.entry_point +} + + +rule DropperCreatorV01Conflict +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 8D 05 ?? ?? ?? ?? 29 C5 8D 85 ?? ?? ?? ?? 31 C0 64 03 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 } + +condition: + $a0 +} + + +rule XCRv013 +{ + meta: + author="malware-lu" +strings: + $a0 = { 93 71 08 ?? ?? ?? ?? ?? ?? ?? ?? 8B D8 78 E2 ?? ?? ?? ?? 9C 33 C3 ?? ?? ?? ?? 60 79 CE ?? ?? ?? ?? E8 01 ?? ?? ?? ?? 83 C4 04 E8 AB FF FF FF ?? ?? ?? ?? 2B E8 ?? ?? ?? ?? 03 C5 FF 30 ?? ?? ?? ?? C6 ?? EB } + +condition: + $a0 at pe.entry_point +} + + +rule XCRv012 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C E8 ?? ?? ?? ?? 8B DD 5D 81 ED ?? ?? ?? ?? 
89 9D } + +condition: + $a0 at pe.entry_point +} + + +rule InnoSetupModulev129 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 EC 89 45 C0 E8 5B 73 FF FF E8 D6 87 FF FF E8 C5 A9 FF FF E8 E0 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov3xx +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 } + +condition: + $a0 at pe.entry_point +} + + +rule dUP2xPatcherwwwdiablo2oo2cjbnet +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B CB 85 C9 74 ?? 80 3A 01 74 08 AC AE 75 0A 42 49 EB EF 47 46 42 49 EB E9 } + +condition: + $a0 +} + + +rule PseudoSigner02PEProtect09Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 00 00 00 58 83 C0 07 C6 90 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule pscrambler12byp0ke +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 ?? ?? ?? ?? 
10 E8 2D F3 FF FF 33 C0 55 68 E8 31 00 10 64 FF 30 64 89 20 8D 45 E0 E8 53 F5 FF FF 8B 45 E0 8D 55 E4 E8 30 F6 FF FF 8B 45 E4 8D 55 E8 E8 A9 F4 FF FF 8B 45 E8 8D 55 EC E8 EE F7 FF FF 8B 55 EC B8 C4 54 00 10 E8 D9 EC FF FF 83 3D C4 54 00 10 00 0F 84 05 01 00 00 80 3D A0 40 00 10 00 74 41 A1 C4 54 00 10 E8 D9 ED FF FF E8 48 E0 FF FF 8B D8 A1 C4 54 00 10 E8 C8 ED FF FF 50 B8 C4 54 00 10 E8 65 EF FF FF 8B D3 59 E8 69 E1 FF FF 8B C3 E8 12 FA FF FF 8B C3 E8 33 E0 FF FF E9 AD 00 00 00 B8 05 01 00 00 E8 0C E0 FF FF 8B D8 53 68 05 01 00 00 E8 57 F3 FF FF 8D 45 DC 8B D3 E8 39 ED FF FF 8B 55 DC B8 14 56 00 10 B9 00 32 00 10 E8 BB ED FF FF 8B 15 14 56 00 10 B8 C8 54 00 10 E8 53 E5 FF FF BA 01 00 00 00 B8 C8 54 00 10 E8 8C E8 FF FF E8 DF E0 FF FF 85 C0 75 52 6A 00 A1 C4 54 00 10 E8 3B ED FF FF 50 B8 C4 54 00 10 E8 D8 EE FF FF 8B D0 B8 C8 54 00 10 59 E8 3B E6 FF FF E8 76 E0 FF FF B8 C8 54 00 10 E8 4C E6 FF FF E8 67 E0 FF FF 6A 00 6A 00 6A 00 A1 14 56 00 10 E8 53 EE FF FF 50 6A 00 6A 00 E8 41 F3 FF FF 80 3D 9C 40 00 10 00 74 05 E8 EF FB FF FF 33 C0 5A 59 59 64 89 10 68 EF 31 00 10 8D 45 DC BA 05 00 00 00 E8 7D EB FF FF C3 E9 23 E9 FF FF EB EB 5B E8 63 EA FF FF 00 00 00 FF FF FF FF 08 00 00 00 74 65 6D 70 2E 65 78 65 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor2223compressedcodewwwstrongbitcom +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 58 ?? ?? ?? ?? ?? 8B 1C 24 81 EB ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 6A 04 68 00 10 00 00 50 6A 00 B8 C4 ?? ?? ?? 8B 04 18 FF D0 59 BA ?? ?? ?? ?? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ?? ?? ?? ?? 01 D9 FF D1 58 8B 1C 24 68 00 80 00 00 6A 00 50 } + $a1 = { E8 00 00 00 00 58 ?? ?? ?? ?? ?? 8B 1C 24 81 EB ?? ?? ?? ?? B8 ?? ?? ?? ?? 50 6A 04 68 00 10 00 00 50 6A 00 B8 C4 ?? ?? ?? 8B 04 18 FF D0 59 BA ?? ?? ?? ?? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ?? ?? ?? ?? 01 D9 FF D1 58 8B 1C 24 68 00 80 00 00 6A 00 50 B8 C8 ?? ?? ?? 
8B 04 18 FF D0 59 58 5B 83 EB 05 C6 03 B8 43 89 03 83 C3 04 C6 03 C3 09 C9 74 46 89 C3 E8 A0 00 00 00 FC AD 83 F8 FF 74 38 53 89 CB 01 C3 01 0B 83 C3 04 AC 3C FE 73 07 25 FF 00 00 00 EB ED 81 C3 FE 00 00 00 09 C0 7A 09 66 AD 25 FF FF 00 00 EB DA AD 4E 25 FF FF FF 00 3D FF FF FF 00 75 CC ?? ?? ?? ?? ?? C3 } + +condition: + $a0 or $a1 +} + + +rule Armadillov265b1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 38 ?? ?? ?? 68 40 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 F4 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackFullEdition117aPLibAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 74 1F 00 00 8D 9D 1E 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 } + +condition: + $a0 at pe.entry_point +} + + +rule PolyCryptPE214b215JLabSoftwareCreationshoep +{ + meta: + author="malware-lu" +strings: + $a0 = { 91 8B F4 AD FE C9 80 34 08 ?? E2 FA C3 60 E8 ED FF FF FF EB } + +condition: + $a0 +} + + +rule yodasProtector10xAshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule Upack_UnknownDLLDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 09 00 00 00 17 CD 00 00 E9 06 02 } + +condition: + $a0 at pe.entry_point +} + + +rule AINEXEv21 +{ + meta: + author="malware-lu" +strings: + $a0 = { A1 ?? ?? 2D ?? ?? 8E D0 BC ?? ?? 8C D8 36 A3 ?? ?? 05 ?? ?? 36 A3 ?? ?? 2E A1 ?? ?? 
8A D4 B1 04 D2 EA FE C9 } + +condition: + $a0 at pe.entry_point +} + + +rule AppProtectorSilentTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 97 00 00 00 0D 0A 53 69 6C 65 6E 74 20 54 65 61 6D 20 41 70 70 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 72 65 61 74 65 64 20 62 79 20 53 69 6C 65 6E 74 20 53 6F 66 74 77 61 72 65 0D 0A 54 68 65 6E 6B 7A 20 74 6F 20 44 6F 63 68 74 6F 72 20 58 0D 0A 0D 0A } + +condition: + $a0 at pe.entry_point +} + + +rule RODHighTECHAyman +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 8B 15 1D 13 40 00 F7 E0 8D 82 83 19 00 00 E8 58 0C 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule ICrypt10byBuGGz +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 70 3B 00 10 E8 3C FA FF FF 33 C0 55 68 6C 3C 00 10 64 FF 30 64 89 20 6A 0A 68 7C 3C 00 10 A1 50 56 00 10 50 E8 D8 FA FF FF 8B D8 53 A1 50 56 00 10 50 E8 0A FB FF FF 8B F8 53 A1 50 56 00 10 50 E8 D4 FA FF FF 8B D8 53 E8 D4 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 64 56 00 10 E8 25 F6 FF FF B8 64 56 00 10 E8 13 F6 FF FF 8B CF 8B D6 E8 E6 FA FF FF 53 E8 90 FA FF FF 8D 4D EC BA 8C 3C 00 10 A1 64 56 00 10 E8 16 FB FF FF 8B 55 EC B8 64 56 00 10 E8 C5 F4 FF FF B8 64 56 00 10 E8 DB F5 FF FF E8 56 FC FF FF 33 C0 5A 59 59 64 89 10 68 73 3C 00 10 8D 45 EC E8 4D F4 FF FF C3 E9 E3 EE FF FF EB F0 5F 5E 5B E8 4D F3 FF FF 00 53 45 54 ?? ?? ?? ?? 00 FF FF FF FF 08 00 00 00 76 6F 74 72 65 63 6C 65 } + +condition: + $a0 at pe.entry_point +} + + +rule PEPackv099 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 83 ED 06 80 BD E0 04 ?? ?? 01 0F 84 F2 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackV115V117LZMA430ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 83 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 
EB 14 } + +condition: + $a0 at pe.entry_point +} + + +rule VxQuake518 +{ + meta: + author="malware-lu" +strings: + $a0 = { 1E 06 8C C8 8E D8 ?? ?? ?? ?? ?? ?? ?? B8 21 35 CD 21 81 } + +condition: + $a0 at pe.entry_point +} + + +rule WWPACKv305c4UnextractableVirusShield +{ + meta: + author="malware-lu" +strings: + $a0 = { 03 05 40 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidium13013ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 ?? E8 26 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 03 ?? ?? ?? E8 13 26 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule ObsidiumV130XObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B ?? ?? ?? EB 04 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 } + +condition: + $a0 at pe.entry_point +} + + +rule MetrowerksCodeWarriorv20Console +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 55 B8 FF FF FF FF 50 50 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 ?? ?? 00 00 E8 ?? ?? 
00 00 E8 } + +condition: + $a0 +} + + +rule PESpinv07Cyberbob +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF } + +condition: + $a0 at pe.entry_point +} + + +rule SimpleUPXCryptorV3042005MANtiCORE +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? ?? ?? ?? ?? E2 FA 61 68 ?? ?? ?? ?? C3 } + +condition: + $a0 at pe.entry_point +} + + +rule WinRAR32bitSFXModule +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? 00 00 00 00 00 00 90 90 90 ?? ?? ?? ?? ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? FF } + +condition: + $a0 at pe.entry_point +} + + +rule iPBProtect013017forgot +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakeASPack211demadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv036alphaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { AB E2 E5 5D 59 8B 76 68 51 59 46 AD 85 C0 } + +condition: + $a0 +} + + +rule CrinklerV03V04RuneLHStubbeandAskeSimonChristensen +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 00 00 42 00 31 DB 43 EB 58 } + +condition: + $a0 at pe.entry_point +} + + +rule DingBoysPElockPhantasmv10v11 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 57 56 52 51 53 66 81 C3 EB 02 EB FC 66 81 C3 EB 02 EB 
FC } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactV2XBitsumTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 } + +condition: + $a0 at pe.entry_point +} + + +rule CRYPTVersion17cDismember +{ + meta: + author="malware-lu" +strings: + $a0 = { 0E 17 9C 58 F6 ?? ?? 74 ?? E9 } + +condition: + $a0 at pe.entry_point +} + + +rule VxXPEH4768 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5B 81 ?? ?? ?? 50 56 57 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? ?? B8 01 00 50 B8 ?? ?? 50 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule PECrypt32v102 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5B 83 ?? ?? EB ?? 52 4E 44 21 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01PESHiELD025Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 2B 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 CC CC E9 } + +condition: + $a0 at pe.entry_point +} + + +rule NETDLLMicrosoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 ?? 
00 00 FF 25 } + +condition: + $a0 +} + + +rule MSLRH: Packer PEiD +{ + meta: + author="malware-lu" + note="Added some checks" +strings: + $a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 } + $b = { EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 
01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 } + $c = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 
C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 } + +condition: + for any of ($*) : ( $ at pe.entry_point ) +} + + +rule BeRoEXEPackerv100DLLLZMABeRoFarbrausch +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B F9 81 FE ?? ?? ?? ?? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02ExeSmasherAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C FE 03 90 60 BE 90 90 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 FE 0B } + +condition: + $a0 at pe.entry_point +} + + +rule ObsidiumV125ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv107bDLLAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 } + +condition: + $a0 at pe.entry_point +} + + +rule MicroJoiner17coban2k +{ + meta: + author="malware-lu" +strings: + $a0 = { BF 00 10 40 00 8D 5F 21 6A 0A 58 6A 04 59 60 57 E8 8E 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakeVOBProtectCDFEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
90 FF E0 5F 81 EF 00 00 00 00 BE 00 00 40 00 8B 87 00 00 00 00 03 C6 57 56 8C A7 00 00 00 00 FF 10 89 87 00 00 00 00 5E 5F } + +condition: + $a0 at pe.entry_point +} + + +rule CelsiusCrypt21Z3r0 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 84 92 44 00 E8 C8 FE FF FF 90 8D B4 26 00 00 00 00 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 84 92 44 00 E8 A8 FE FF FF 90 8D B4 26 00 00 00 00 55 8B 0D C4 92 44 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D AC 92 44 00 89 E5 5D FF E1 90 90 90 90 55 89 E5 5D E9 77 C2 00 00 90 90 90 90 90 90 90 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00 00 00 00 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00 00 00 00 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3 } + $a1 = { 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00 00 00 00 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00 00 00 00 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 
8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3 } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule Armadillov260 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 D0 ?? ?? ?? 68 34 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 68 ?? ?? ?? 33 D2 8A D4 89 15 84 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov261 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 28 ?? ?? ?? 68 E4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 0C } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakeASPack212emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule RatPackerGluestub +{ + meta: + author="malware-lu" +strings: + $a0 = { 40 20 FF 00 00 00 00 00 00 00 ?? BE 00 60 40 00 8D BE 00 B0 FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule CreateInstallv200335 +{ + meta: + author="malware-lu" +strings: + $a0 = { 81 EC 0C 04 00 00 53 56 57 55 68 60 50 40 00 6A 01 6A 00 FF 15 D8 80 40 00 8B F0 FF 15 D4 80 40 00 3D B7 00 00 00 75 0F 56 FF 15 B8 80 40 00 6A 02 FF 15 A4 80 40 00 33 DB E8 F2 FE FF FF 68 02 7F 00 00 89 1D 94 74 40 00 53 89 1D 98 74 40 00 FF 15 E4 80 40 } + +condition: + $a0 +} + + +rule SPECb3 +{ + meta: + author="malware-lu" +strings: + $a0 = { 5B 53 50 45 43 5D E8 ?? ?? ?? ?? 5D 8B C5 81 ED 41 24 40 ?? 2B 85 89 26 40 ?? 83 E8 0B 89 85 8D 26 40 ?? 
0F B6 B5 91 26 40 ?? 8B FD } + +condition: + $a0 at pe.entry_point +} + + +rule SPECb2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 57 51 53 E8 ?? ?? ?? ?? 5D 8B C5 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 09 89 85 ?? ?? ?? ?? 0F B6 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser +{ + meta: + author="malware-lu" +strings: + $a0 = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 } + +condition: + $a0 +} + + +rule PseudoSigner01MicrosoftVisualBasic5060Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? ?? ?? E8 0A 00 00 00 00 00 00 00 00 00 30 00 00 00 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXModifiedStubbFarbrauschConsumerConsulting +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC } + +condition: + $a0 at pe.entry_point +} + + +rule E2CbyDoP +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? FC 57 F3 A5 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule SVKProtectorv111 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 06 ?? ?? ?? 64 A0 23 } + +condition: + $a0 at pe.entry_point +} + + +rule PCShrinkerv071 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 BD ?? ?? ?? ?? 01 AD 54 3A 40 ?? FF B5 50 3A 40 ?? 6A 40 FF 95 88 3A 40 ?? 50 50 2D ?? ?? ?? ?? 
89 85 } + +condition: + $a0 at pe.entry_point +} + + +rule Petite21 +{ + meta: + author="malware-lu" +strings: + $a0 = { 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 } + +condition: + $a0 +} + + +rule BeRoEXEPackerv100DLLLZBRRBeRoFarbrausch +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC B2 80 33 DB A4 B3 02 E8 ?? ?? ?? ?? 73 F6 33 C9 E8 ?? ?? ?? ?? 73 1C 33 C0 E8 ?? ?? ?? ?? 73 23 B3 02 41 B0 10 } + +condition: + $a0 at pe.entry_point +} + + +rule hmimysPackerV12hmimys +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 95 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 5E AD 50 AD 50 97 AD 50 AD 50 AD 50 E8 C0 01 00 00 AD 50 AD 93 87 DE B9 ?? ?? ?? ?? E3 1D 8A 07 47 04 ?? 3C ?? 73 F7 8B 07 3C ?? 75 F3 B0 00 0F C8 05 ?? ?? ?? ?? 2B C7 AB E2 E3 AD 85 C0 74 2B 97 56 FF 13 8B E8 AC 84 C0 75 FB 66 AD 66 85 C0 74 E9 AC 83 EE 03 84 C0 74 08 56 55 FF 53 04 AB EB E4 AD 50 55 FF 53 04 AB EB E0 C3 8B 0A 3B 4A 04 75 0A C7 42 10 01 00 00 00 0C FF C3 } + +condition: + $a0 at pe.entry_point +} + + +rule EnigmaProtector131Build20070615DllSukhovVladimirSergeNMarkin +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 81 ED ?? ?? ?? ?? E9 49 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8A 84 24 28 00 00 00 80 F8 01 0F 84 07 00 00 00 B8 ?? ?? ?? ?? FF E0 E9 04 00 00 00 ?? 
?? ?? ?? B8 ?? ?? ?? ?? 03 C5 81 C0 ?? ?? ?? ?? B9 ?? ?? ?? ?? BA ?? ?? ?? ?? 30 10 40 49 0F 85 F6 FF FF FF E9 04 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PureBasicDLLNeilHodgson +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule HPA +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5E 8B D6 83 ?? ?? 83 ?? ?? 06 0E 1E 0E 1F 33 FF 8C D3 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov310 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 E0 97 44 00 68 20 C0 42 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 4C 41 44 00 33 D2 8A D4 89 15 90 A1 44 00 8B C8 81 E1 FF 00 00 00 89 0D 8C A1 44 00 C1 E1 08 03 CA 89 0D 88 A1 44 00 C1 E8 10 A3 84 A1 } + +condition: + $a0 at pe.entry_point +} + + +rule Upack012betaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 48 01 40 00 AD ?? ?? ?? A5 ?? C0 33 C9 ?? ?? ?? ?? ?? ?? ?? F3 AB ?? ?? 0A ?? ?? ?? ?? AD 50 97 51 ?? 87 F5 58 8D 54 86 5C ?? D5 72 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B6 5F FF C1 } + +condition: + $a0 at pe.entry_point +} + + +rule VxNcuLi1688 +{ + meta: + author="malware-lu" +strings: + $a0 = { 0E 1E B8 55 AA CD 21 3D 49 4C 74 ?? 
0E 0E 1F 07 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule VProtectorvcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 47 44 49 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 53 6C 65 65 70 00 00 00 47 65 74 56 65 72 73 69 6F 6E 00 00 00 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 00 00 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 00 00 00 47 65 74 41 43 50 00 00 00 43 72 65 61 74 65 54 68 72 65 61 64 00 00 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 47 65 74 44 43 00 00 00 52 65 6C 65 61 73 65 44 43 00 00 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 00 00 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 00 00 53 65 74 50 69 78 65 6C } + $a1 = { 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 00 47 44 49 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 53 6C 65 65 70 00 00 00 47 65 74 56 65 72 73 69 6F 6E 00 00 00 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 00 00 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 00 00 00 47 65 74 41 43 50 00 00 00 43 72 65 61 74 65 54 68 72 65 61 64 00 00 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 47 65 74 44 43 00 00 00 52 65 6C 65 61 73 65 
44 43 00 00 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 00 00 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 00 00 00 53 65 74 50 69 78 65 6C 00 00 00 00 } + $a2 = { 00 00 00 00 55 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 64 69 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 53 68 6F 77 57 69 6E 64 6F 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 47 65 74 44 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 52 65 6C 65 61 73 65 44 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 65 74 4D 65 73 73 61 67 65 41 00 } + +condition: + $a0 or $a1 or $a2 +} + + +rule XPackv142 +{ + meta: + author="malware-lu" +strings: + $a0 = { 72 ?? C3 8B DE 83 ?? ?? C1 ?? ?? 8C D8 03 C3 8E D8 8B DF 83 ?? ?? C1 ?? ?? 8C C0 03 C3 8E C0 C3 } + +condition: + $a0 +} + + +rule W32JeefoPEFileInfector +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 08 83 C4 F4 6A 02 A1 C8 ?? ?? ?? FF D0 E8 ?? ?? ?? ?? 
C9 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeSplitter13SplitCryptMethodBillPrisonerTPOC +{ + meta: + author="malware-lu" +strings: + $a0 = { 15 10 05 23 14 56 57 57 48 12 0B 16 66 66 66 66 66 66 66 66 66 02 C7 56 66 66 66 ED 26 6A ED 26 6A ED 66 E3 A6 69 E2 39 64 66 66 ED 2E 56 E6 5F 0D 12 61 E6 5F 2D 12 64 8D 81 E6 1F 6A 55 12 64 8D B9 ED 26 7E A5 33 ED 8A 8D 69 21 03 12 36 14 09 05 27 02 02 14 03 15 15 27 ED 2B 6A ED 13 6E ED B8 65 10 5A EB 10 7E EB 10 06 ED 50 65 95 30 ED 10 46 65 95 55 B4 ED A0 ED 50 65 95 37 ED 2B 6A EB DF AB 76 26 66 3F DF 68 66 66 66 9A 95 C0 6D AF 13 64 } + $a1 = { E8 00 00 00 00 5D 81 ED 05 10 40 00 B9 ?? ?? ?? ?? 8D 85 1D 10 40 00 80 30 66 40 E2 FA 8F 98 67 66 66 ?? ?? ?? ?? ?? ?? ?? 66 } + +condition: + $a0 or $a1 at pe.entry_point +} + + +rule AntiDote12BetaDemoSISTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 69 D6 00 00 E8 C6 FD FF FF 68 69 D6 00 00 E8 BC FD FF FF 83 C4 08 E8 A4 FF FF FF 84 C0 74 2F 68 04 01 00 00 68 B0 21 60 00 6A 00 FF 15 08 10 60 00 E8 29 FF FF FF 50 68 88 10 60 00 68 78 10 60 00 68 B0 21 60 00 E8 A4 FD FF FF 83 C4 10 33 C0 C2 10 00 90 90 90 90 90 90 90 90 90 90 90 90 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv211bAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor224StrongbitSoftCompleteDevelopmenth1 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 F7 FE FF FF 05 ?? ?? 00 00 FF E0 E8 EB FE FF FF 05 ?? ?? 
00 00 FF E0 E8 04 00 00 00 FF FF FF FF 5E C3 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor224StrongbitSoftCompleteDevelopmenth2 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 F7 FE FF FF 05 ?? ?? 00 00 FF E0 E8 EB FE FF FF 05 ?? ?? 00 00 FF E0 E8 ?? 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor224StrongbitSoftCompleteDevelopmenth3 +{ + meta: + author="malware-lu" +strings: + $a0 = { 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 } + +condition: + $a0 +} + + +rule ProActivateV10XTurboPowerSoftwareCompany +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B9 0E 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? ?? ?? ?? 90 90 90 90 90 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 A1 ?? ?? ?? ?? 83 C0 05 A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 0D 00 00 00 E8 85 E2 FF FF 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 7A 81 3D ?? ?? ?? ?? 43 52 43 33 75 6E 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 62 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 56 81 3D ?? ?? ?? ?? 43 52 43 33 75 4A 81 3D ?? ?? ?? ?? 32 40 7E 7E 75 3E 81 3D ?? ?? ?? ?? 21 7E 7E 40 75 32 81 3D ?? ?? ?? ?? 43 52 43 33 } + +condition: + $a0 at pe.entry_point +} + + +rule PackMasterv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED D3 22 40 00 E8 04 02 00 00 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 } + $a1 = { 60 E8 01 ?? ?? ?? E8 83 C4 04 E8 01 ?? ?? ?? E9 5D 81 ED D3 22 40 ?? E8 04 02 ?? ?? E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule DBPEv153 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 55 57 56 52 51 53 9C FA E8 ?? ?? ?? ?? 5D 81 ED 5B 53 40 ?? B0 ?? E8 ?? ?? ?? ?? 5E 83 C6 11 B9 27 ?? ?? ?? 
30 06 46 49 75 FA } + +condition: + $a0 at pe.entry_point +} + + +rule FreeJoiner152Stubengine16GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 46 FD FF FF 50 E8 0C 00 00 00 FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectv12AlexeySolodovnikovh1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 00 } + +condition: + $a0 +} + + +rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualCx +{ + meta: + author="malware-lu" +strings: + $a0 = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PENightMare2Beta +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E9 ?? ?? ?? ?? EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A } + +condition: + $a0 at pe.entry_point +} + + +rule MinGWGCC3x +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 08 C7 04 24 ?? 00 00 00 FF 15 ?? ?? ?? ?? E8 ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? 55 } + +condition: + $a0 at pe.entry_point +} + + +rule PIRITv15 +{ + meta: + author="malware-lu" +strings: + $a0 = { B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? 
B4 51 CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule Reg2Exe224byJanVorel +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 00 E8 CF 20 00 00 A3 F4 45 40 00 E8 CB 20 00 00 6A 0A 50 6A 00 FF 35 F4 45 40 00 E8 07 00 00 00 50 E8 BB 20 00 00 CC 68 48 00 00 00 68 00 00 00 00 68 F8 45 40 00 E8 06 19 00 00 83 C4 0C 8B 44 24 04 A3 FC 45 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 8C 20 00 00 A3 F8 45 40 00 E8 02 20 00 00 E8 32 1D 00 00 E8 20 19 00 00 E8 A3 16 00 00 68 01 00 00 00 68 38 46 40 00 68 00 00 00 00 8B 15 38 46 40 00 E8 71 4F 00 00 B8 00 00 10 00 BB 01 00 00 00 E8 82 4F 00 00 FF 35 48 41 40 00 B8 00 01 00 00 E8 9D 15 00 00 8D 0D 1C 46 40 00 5A E8 82 16 00 00 68 00 01 00 00 FF 35 1C 46 40 00 E8 24 20 00 00 A3 24 46 40 00 FF 35 48 41 40 00 FF 35 24 46 40 00 FF 35 1C 46 40 00 E8 DC 10 00 00 8D 0D 14 46 40 00 5A E8 4A 16 } + +condition: + $a0 at pe.entry_point +} + + +rule SVKProtectorv13xEngPavolCerven +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E } + +condition: + $a0 at pe.entry_point +} + + +rule ThinstallEmbedded2609Jitit +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 58 BB AD 19 00 00 2B C3 50 68 ?? ?? ?? ?? 68 B0 1C 00 00 68 80 00 00 00 E8 35 FF FF FF E9 99 FF FF FF 00 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXcrypterarchphaseNWC +{ + meta: + author="malware-lu" +strings: + $a0 = { BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule StarForceProtectionDriverProtectionTechnology +{ + meta: + author="malware-lu" +strings: + $a0 = { 57 68 ?? 0D 01 00 68 00 ?? ?? 00 E8 50 ?? FF FF 68 ?? ?? ?? 00 68 ?? ?? ?? 00 68 ?? ?? ?? 
00 68 ?? ?? ?? 00 68 ?? ?? ?? 00 } + +condition: + $a0 at pe.entry_point +} + + +rule FishPEV10Xhellfish +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? C3 90 09 00 00 00 2C 00 00 00 ?? ?? ?? ?? C4 03 00 00 BC A0 00 00 00 40 01 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 8A 00 00 00 10 00 00 ?? ?? 00 00 ?? ?? ?? ?? 00 00 02 00 00 00 A0 00 00 18 01 00 00 ?? ?? ?? ?? 00 00 0C 00 00 00 B0 00 00 38 0A 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 C0 00 00 40 39 00 00 ?? ?? ?? ?? 00 00 08 00 00 00 00 01 00 C8 06 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PECrypter +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D EB 26 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv051 +{ + meta: + author="malware-lu" +strings: + $a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 5E 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 } + +condition: + $a0 at pe.entry_point +} + + +rule LY_WGKXwwwszleyucom +{ + meta: + author="malware-lu" +strings: + $a0 = { 4D 79 46 75 6E 00 62 73 } + +condition: + $a0 +} + + +rule ASProtect13321RegisteredAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackV111ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 4A 02 00 00 8D 9D 11 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtMicrosoftVisualC4xLCCWin321x +{ + meta: + author="malware-lu" +strings: + $a0 = { 2C 71 1B CA EB 01 2A EB 01 65 8D 35 80 ?? ?? 00 80 C9 84 80 C9 68 BB F4 00 00 00 EB 01 EB } + +condition: + $a0 at pe.entry_point +} + + +rule dePACKdeNULL +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 DD 60 68 00 ?? ?? ?? 68 ?? ?? 00 00 E8 ?? 00 00 00 } + $a1 = { EB 01 DD 60 68 00 ?? ?? ?? 68 ?? ?? ?? 
00 E8 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? D2 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule EXECryptorv1401 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 ?? ?? 00 31 C0 89 41 14 89 41 18 80 } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakePELockNT204emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB E8 03 00 00 00 E9 EB 04 58 40 50 C3 EB 03 CD 20 EB EB 03 CD 20 03 61 9D 83 C4 04 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule PELockNTv203 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 C7 85 1E EB 03 CD 20 C7 9C EB 02 69 B1 60 EB 02 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule Reg2Exe220221byJanVorel +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 00 E8 7D 12 00 00 A3 A0 44 40 00 E8 79 12 00 00 6A 0A 50 6A 00 FF 35 A0 44 40 00 E8 0F 00 00 00 50 E8 69 12 00 00 CC CC CC CC CC CC CC CC CC 68 2C 02 00 00 68 00 00 00 00 68 B0 44 40 00 E8 3A 12 00 00 83 C4 0C 8B 44 24 04 A3 B8 44 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 32 12 00 00 A3 B0 44 40 00 68 F4 01 00 00 68 BC 44 40 00 FF 35 B8 44 40 00 E8 1E 12 00 00 B8 BC 44 40 00 89 C1 8A 30 40 80 FE 5C 75 02 89 C1 80 FE 
00 75 F1 C6 01 00 E8 EC 18 00 00 E8 28 16 00 00 E8 4A 12 00 00 68 00 FA 00 00 68 08 00 00 00 FF 35 B0 44 40 00 E8 E7 11 00 00 A3 B4 44 40 00 8B 15 D4 46 40 00 E8 65 0A 00 00 BB 00 00 10 00 B8 01 00 00 00 E8 72 0A 00 00 74 09 C7 00 01 00 00 00 83 C0 04 A3 D4 46 40 00 FF 35 B4 44 40 00 E8 26 05 00 00 8D 0D B8 46 40 00 5A E8 CF 0F 00 00 FF 35 B4 44 40 00 FF 35 B8 46 40 00 E8 EE 06 00 00 8D 0D B4 46 40 00 5A E8 } + +condition: + $a0 at pe.entry_point +} + + +rule PELockNTv201 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 03 CD 20 EB EB 01 EB 1E EB 01 EB EB 02 CD 20 9C EB 03 CD } + +condition: + $a0 at pe.entry_point +} + + +rule PELockNTv204 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB ?? CD ?? ?? ?? ?? ?? CD ?? ?? ?? ?? ?? EB ?? EB ?? EB ?? EB ?? CD ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 50 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXFreakv01BorlandDelphiHMX0101 +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 } + $a1 = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 34 50 45 00 ?? ?? ?? 00 FF FF 00 00 ?? 24 ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 40 00 00 C0 00 00 ?? ?? ?? ?? 00 00 ?? 00 00 00 ?? 1E ?? 00 ?? F7 ?? 00 A6 4E 43 00 ?? 56 ?? 00 AD D1 42 00 ?? F7 ?? 00 A1 D2 42 00 ?? 56 ?? 00 0B 4D 43 00 ?? F7 ?? 00 ?? F7 ?? 00 ?? 56 ?? 00 ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? 77 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 77 ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? 
00 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule Obsidium13017Obsidiumsoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 28 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 } + +condition: + $a0 at pe.entry_point +} + + +rule Petite22c199899IanLuck +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 } + +condition: + $a0 at pe.entry_point +} + + +rule PluginToExev101BoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A 40 FF 95 A9 41 40 00 89 85 69 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 A9 41 40 00 89 47 1C C7 07 58 00 00 00 C7 47 20 00 08 00 00 C7 47 18 01 00 00 00 C7 47 34 04 10 88 00 8D 8D B9 40 40 00 89 4F 0C 8D 8D DB 40 40 00 89 4F 30 FF B5 69 40 40 00 FF 95 95 41 40 00 FF 77 1C 8F 85 75 40 40 00 8B 9D 6D 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 75 40 40 00 6A 00 81 C3 ?? ?? 
00 00 FF D3 83 C4 10 83 BD 71 40 40 00 00 74 10 FF 77 1C FF 95 AD 41 40 00 57 FF 95 AD 41 40 00 6A 00 FF 95 9D 41 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule Enigmaprotector110unregistered +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89 } + $a1 = { 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89 E9 51 0B C4 80 BC 7E 35 09 37 E7 C9 3D C9 45 C9 4D 74 92 BA E4 E9 24 6B DF 3E 0E 38 0C 49 10 27 80 51 A1 8E 3A A3 C8 AE 3B 1C 35 } + +condition: + $a0 or $a1 +} + + +rule Obsidium1341ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? 
E8 C3 27 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule WebCopsDLLLINKDataSecurity +{ + meta: + author="malware-lu" +strings: + $a0 = { A8 BE 58 DC D6 CC C4 63 4A 0F E0 02 BB CE F3 5C 50 23 FB 62 E7 3D 2B } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01PackMaster10PEXCloneAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 01 01 00 00 E8 83 C4 04 E8 01 90 90 90 E9 5D 81 ED D3 22 40 90 E8 04 02 90 90 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv037v038BetaStripbaserelocationtableOptionDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 } + +condition: + $a0 +} + + +rule AHTeamEPProtector03fakeSVKP13xFEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 00 00 00 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 } + +condition: + $a0 at pe.entry_point +} + + +rule InstallShieldCustom +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 EC 44 56 FF 15 ?? ?? 41 00 8B F0 85 F6 75 08 6A FF FF 15 ?? ?? 41 00 8A 06 57 8B 3D ?? ?? 41 00 3C 22 75 1B 56 FF D7 8B F0 8A 06 3C 22 74 04 84 C0 75 F1 80 3E 22 75 15 56 FF D7 8B } + +condition: + $a0 at pe.entry_point +} + + +rule Petitevafterv14 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeToolsv21EncruptorbyDISMEMBER +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5D 83 ?? ?? 1E 8C DA 83 ?? ?? 
8E DA 8E C2 BB ?? ?? BA ?? ?? 85 D2 74 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule NTkrnlSecureSuiteNTkrnlteam
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 10 00 00 50 10 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 }
+
+condition:
+ $a0
+}
+
+
+rule PESpinv0b
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 72 C8 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 26 E8 01 00 00 00 EA 5A 33 C9 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule VXTibsZhelatinStormWormvariant
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { FF 74 24 1C 58 8D 80 ?? ?? 77 04 50 68 62 34 35 04 E8 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule MSLRHv032afakePEX099emadicius
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED FF 22 40 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule NSPack3xLiuXingPing
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF ?? 38 01 0F 84 ?? 02 00 00 ?? 00 01 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PECompactv25RetailBitsumTechnologies
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { B8 ?? ?? ??
01 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule WARNINGTROJANXiaoHui
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 9C E8 00 00 00 00 5D B8 ?? 85 40 00 2D ?? 85 40 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule NFOv10
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 8D 50 12 2B C9 B1 1E 8A 02 34 77 88 02 42 E2 F7 C8 8C }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PMODEWv112116121133DOSextender
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { FC 16 07 BF ?? ?? 8B F7 57 B9 ?? ?? F3 A5 06 1E 07 1F 5F BE ?? ?? 06 0E A4 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule AaseCrypterbysantasdad
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 83 C4 F0 53 B8 A0 3E 00 10 E8 93 DE FF FF 68 F8 42 00 10 E8 79 DF FF FF 68 00 43 00 10 68 0C 43 00 10 E8 42 DF FF FF 50 E8 44 DF FF FF A3 98 66 00 10 83 3D 98 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 1C 43 00 10 6A 00 E8 4B DF FF FF 68 2C 43 00 10 68 0C 43 ?? ?? ?? ?? DF FF FF 50 E8 0E DF FF FF A3 94 66 00 10 83 3D 94 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 38 43 00 10 6A 00 E8 15 DF FF FF 68 48 43 00 10 68 0C 43 00 10 E8 D6 DE FF FF 50 E8 D8 DE FF FF A3 A0 66 00 10 83 3D A0 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 58 43 00 10 6A 00 E8 DF DE FF FF 68 6C 43 00 10 68 0C 43 00 10 E8 A0 DE FF FF 50 E8 A2 DE FF FF }
+
+condition:
+ $a0
+}
+
+
+rule aPackv098bJibz
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 93 07 1F 05 ?? ?? 8E D0 BC ?? ??
EA }
+
+condition:
+ $a0
+}
+
+
+rule UPackv011Dwing
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 1C F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 03 B3 00 8D 1C 5B 8D 9C 9E 0C 10 00 00 B0 01 67 E3 29 8B D7 }
+
+condition:
+ $a0
+}
+
+
+rule NsPacKNetLiuXingPing
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 BB 01 47 65 74 53 79 73 74 65 6D 49 6E 66 6F 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 5E 00 5F 43 6F 72 ?? ?? ?? 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C }
+
+condition:
+ $a0
+}
+
+
+rule PseudoSigner02PENightMare2BetaAnorganix
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E9 10 00 00 00 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PseudoSigner01MicrosoftVisualC60DebugVersionAnorganix
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 51 90 90 90 01 01 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule DJoinv07publicRC4encryptiondrmist
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { C6 05 ?? ?? 40 00 00 C6 05 ?? ?? 40 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule UPXv103v104
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ??
8B 1E 83 EE FC }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PEDiminisherV01Teraphy
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 53 51 52 56 57 55 E8 00 00 00 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule WWPACKv305c4ExtrPasswcheckVirshield
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 03 05 C0 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ExeGuarderv18Exeiconcom
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 00 00 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 00 00 EB F1 89 45 FC E8 C8 FF FF FF 2D B2 04 00 00 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule codeCrypter031Tibbar
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 50 58 53 5B 90 BB ?? ?? ?? 00 FF E3 90 CC CC CC 55 8B EC 5D C3 CC CC CC CC CC CC CC CC CC CC CC }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule RLPv073betaap0x
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 8B DD E8 00 00 00 00 5D 95 32 C0 95 89 9D 80 00 00 00 B8 42 31 40 00 BB 41 30 40 00 2B C3 03 C5 33 D2 8A 10 40 B9 ?? ?? 00 00 8B F9 30 10 8A 10 40 49 75 F8 64 EF 86 3D 30 00 00 0F B9 FF 4B 89 52 5C 4C BD 77 C2 0C CE 88 4E 2D E8 00 00 00 5D 0D DB 5E 56 }
+
+condition:
+ $a0
+}
+
+
+rule PEnguinCryptv10
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { B8 93 ?? ?? 00 55 50 67 64 FF 36 00 00 67 64 89 26 00 00 BD 4B 48 43 42 B8 04 00 00 00 CC 3C 04 75 04 90 90 C3 90 67 64 8F 06 00 00 58 5D BB 00 00 40 00 33 C9 33 C0 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule MetrowerksCodeWarriorDLLv20
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 89 E5 53 56 57 8B 75 0C 8B 5D 10 83 FE 01 74 05 83 FE 02 75 12 53 56 FF 75 08 E8 6E FF FF FF 09 C0 75 04 31 C0 EB 21 53 56 FF 75 08 E8 ?? ?? ?? ??
89 C7 09 F6 74 05 83 FE 03 75 0A 53 56 FF 75 08 E8 47 FF FF FF 89 F8 8D 65 F4 5F 5E 5B 5D C2 0C 00 C9 }
+
+condition:
+ $a0
+}
+
+
+rule PECrc32088ZhouJinYu
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E8 00 00 00 00 5D 81 ED B6 A4 45 00 8D BD B0 A4 45 00 81 EF 82 00 00 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PECompactv123b3v1241
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 08 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule Noodlecrypt2rsc
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 01 9A E8 76 00 00 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule RLPack120BasicEditionLZMAAp0x
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 9C 0C 00 00 EB 0C 8B 85 98 0C 00 00 89 85 9C 0C 00 00 8D B5 C4 0C 00 00 8D 9D 82 04 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 2D 0C 00 00 89 85 94 0C 00 00 E8 59 01 00 00 EB 20 60 8B 85 9C 0C 00 00 FF B5 94 0C 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PseudoSigner01PENightMare2BetaAnorganix
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E9 10 00 00 00 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A E9 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule AHTeamEPProtector03fakeXtremeProtector105FEUERRADER
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
90 FF E0 E8 00 00 00 00 5D 81 00 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule RLPackv118BasicDLLLZMAAp0x
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule CrypKeyv5v6
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { E8 ?? ?? ?? ?? 58 83 E8 05 50 5F 57 8B F7 81 EF ?? ?? ?? ?? 83 C6 39 BA ?? ?? ?? ?? 8B DF B9 0B ?? ?? ?? 8B 06 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule InnoSetupModulev109a
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 C4 89 45 C0 E8 A7 7F FF FF E8 FA 92 FF FF E8 F1 B3 FF FF 33 C0 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ObsidiumV1300ObsidiumSoftware
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 }
+ $a1 = { EB 04 ?? ?? ?? ?? E8 ?? 00 00 00 }
+
+condition:
+ $a0 at pe.entry_point or $a1 at pe.entry_point
+}
+
+
+rule PCryptv351
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 50 43 52 59 50 54 FF 76 33 2E 35 31 00 E9 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ThinstallEmbedded2312Jitit
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 6A 00 FF 15 ?? ?? ?? ??
E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule WWPACKv305c4Extractable
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 03 05 00 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule RLPackAp0x
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 2C 0A 00 00 8D 9D 22 02 00 00 33 FF E8 83 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 CD 09 00 00 89 85 14 0A 00 00 EB 14 60 FF B5 14 0A }
+ $a1 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 83 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 EB 09 00 00 89 85 3A 0A 00 00 EB 14 60 FF B5 3A 0A }
+ $a2 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 EB 03 0C 00 00 EB 03 0C 00 00 8D B5 CB 22 00 00 8D 9D F0 02 00 00 33 FF E8 47 02 00 00 EB 03 15 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 9B 0A }
+ $a3 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 2C 0A 00 00 8D 9D 22 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 CD 09 00 00 89 85 ?? ?? ?? ?? EB 14 60 FF B5 14 0A }
+ $a4 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 EB 09 00 00 89 85 ?? ?? ?? ?? EB 14 60 FF B5 3A 0A }
+ $a5 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 EB 03 ?? ?? ?? EB 03 ?? ?? ??
8D B5 CB 22 00 00 8D 9D F0 02 00 00 33 FF E8 ?? ?? ?? ?? EB 03 ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 9B 0A }
+
+condition:
+ $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point or $a5 at pe.entry_point
+}
+
+
+rule PseudoSigner02VOBProtectCD5Anorganix
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 36 3E 26 8A C0 60 E8 00 00 00 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PESpinv04x
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 01 68 60 E8 00 00 00 00 8B }
+
+condition:
+ $a0
+}
+
+
+rule PseudoSigner02WatcomCCDLLAnorganix
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 53 56 57 55 8B 74 24 14 8B 7C 24 18 8B 6C 24 1C 83 FF 03 0F 87 01 00 00 00 F1 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule yodasCrypter13AshkbizDanehkar
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule D1NS1GD1N
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 18 37 00 00 00 00 00 00 01 00 0A 00 00 00 18 00 00 80 00 00 00 00 ?? ?? 18 37 00 00 00 00 02 00 00 00 88 00 00 80 38 00 00 80 96 00 00 80 50 00 00 80 00 00 00 00 ?? ?? 18 37 00 00 00 00 00 00 01 00 00 00 00 00 68 00 00 00 00 00 00 00 ?? ?? 18 37 00 00 00 00 00 00 01 00 00 00 00 00 78 00 00 00 B0 F0 00 00 10 00 00 00 00 00 00 00 00 00 00 00 C0 F0 00 00 60 00 00 00 00 00 00 00 00 00 00 00 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+ $a0
+}
+
+
+rule FSGv110EngdulekxtMicrosoftVisualC6070ASM
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { E8 01 00 00 00 5A 5E E8 02 00 00 00 BA DD 5E 03 F2 EB 01 64 BB 80 ?? ??
00 8B FA EB 01 A8 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ASPackv102aAlexeySolodovnikov
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PseudoSigner01MinGWGCC2xAnorganix
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 89 E5 E8 02 00 00 00 C9 C3 90 90 45 58 45 E9 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule Armadillov253
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 6A FF 68 40 ?? ?? ?? 68 54 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC }
+ $a1 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 40 ?? ?? ?? ?? 68 54 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 58 33 D2 8A D4 89 }
+
+condition:
+ $a0 at pe.entry_point or $a1 at pe.entry_point
+}
+
+
+rule Armadillov252
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? E0 ?? ?? ?? ?? 68 D4 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 15 38 }
+ $a1 = { 55 8B EC 6A FF 68 E0 ?? ?? ?? 68 D4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 38 }
+
+condition:
+ $a0 at pe.entry_point or $a1 at pe.entry_point
+}
+
+
+rule Armadillov251
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule Armadillov250
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ??
33 D2 8A D4 89 15 D0 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule Obsidium1331ObsidiumSoftware
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 02 ?? ?? E8 5F 27 00 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule CExev10a
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 81 EC 0C 02 ?? ?? 56 BE 04 01 ?? ?? 8D 85 F8 FE FF FF 56 50 6A ?? FF 15 54 10 40 ?? 8A 8D F8 FE FF FF 33 D2 84 C9 8D 85 F8 FE FF FF 74 16 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule DIETv144v145f
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { F8 9C 06 1E 57 56 52 51 53 50 0E FC 8C C8 BA ?? ?? 03 D0 52 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PECompactv098
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D7 84 40 ?? 87 DD 8B 85 5C 85 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PECompactv099
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 2F 85 40 ?? 87 DD 8B 85 B4 85 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule NsPacKV30LiuXingPing
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? ?? ?? 66 8B 06 66 83 F8 00 74 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule FSGv110EngdulekxtMicrosoftVisualBasic5060
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { C1 CB 10 EB 01 0F B9 03 74 F6 EE 0F B6 D3 8D 05 83 ?? ??
EF 80 F3 F6 2B C1 EB 01 DE 68 77 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PECompactv090
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 06 68 ?? ?? 40 00 C3 9C 60 BD ?? ?? 00 00 B9 02 00 00 00 B0 90 8D BD 7A 42 40 00 F3 AA 01 AD D9 43 40 00 FF B5 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PECompactv092
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 BD ?? ?? ?? ?? B9 02 ?? ?? ?? B0 90 8D BD A5 4F 40 ?? F3 AA 01 AD 04 51 40 ?? FF B5 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PECompactv094
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 ?? ?? ?? ?? 5D 55 58 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 01 85 ?? ?? ?? ?? 50 B9 02 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PeX099bartCrackPl
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { E9 F5 ?? ?? ?? 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ObsidiumV1304ObsidiumSoftware
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 02 ?? ?? E8 ??
00 00 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule SoftwareCompressv14LITEBGSoftwareProtectTechnologies
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { E8 00 00 00 00 81 2C 24 AA 1A 41 00 5D E8 00 00 00 00 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 00 00 00 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A }
+ $a1 = { E8 00 00 00 00 81 2C 24 AA 1A 41 00 5D E8 00 00 00 00 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 00 00 00 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A 41 00 8B 4A 64 89 8D 51 1A 41 00 8B 4A 74 89 8D 59 1A 41 00 68 00 20 00 00 E8 D2 00 00 00 50 8D 8D 00 1C 41 00 50 51 E8 1B 00 00 00 83 C4 08 58 8D 78 74 8D B5 49 1A 41 00 B9 18 00 00 00 F3 A4 05 A4 00 00 00 50 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 4D 1A 41 00 89 44 24 1C 61 C2 04 }
+
+condition:
+ $a0 at pe.entry_point or $a1 at pe.entry_point
+}
+
+
+rule FixupPakv120
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 E8 00 00 00 00 5D 81 ED ?? ?? 00 00 BE 00 ?? 00 00 03 F5 BA 00 00 ?? ??
2B D5 8B DD 33 C0 AC 3C 00 74 3D 3C 01 74 0E 3C 02 74 0E 3C 03 74 0D 03 D8 29 13 EB E7 66 AD EB F6 AD EB F3 AC 0F B6 C8 3C 00 74 06 3C 01 74 09 EB 0A 66 AD 0F B7 C8 EB 03 AD 8B C8 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ARCSFXArchive
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 8C C8 8C DB 8E D8 8E C0 89 ?? ?? ?? 2B C3 A3 ?? ?? 89 ?? ?? ?? BE ?? ?? B9 ?? ?? BF ?? ?? BA ?? ?? FC AC 32 C2 8A D8 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule MoleBoxv230Teggo
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 42 04 E8 ?? ?? 00 00 A3 ?? ?? ?? 00 8B 4D F0 8B 11 89 15 ?? ?? ?? 00 ?? 45 FC A3 ?? ?? ?? 00 5F 5E 8B E5 5D C3 CC CC CC CC CC CC CC CC CC CC CC E8 EB FB FF FF 58 E8 ?? 07 00 00 58 89 44 24 20 61 58 FF D0 E8 ?? ?? 00 00 CC CC CC CC CC CC CC }
+
+condition:
+ $a0
+}
+
+
+rule VxIgor
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 1E B8 CD 7B CD 21 81 FB CD 7B 75 03 E9 87 00 33 DB 0E 1F 8C }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule FACRYPTv10
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { B9 ?? ?? B3 ?? 33 D2 BE ?? ?? 8B FE AC 32 C3 AA 49 43 32 E4 03 D0 E3 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PseudoSigner01WATCOMCCEXEAnorganix
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { E9 00 00 00 00 90 90 90 90 57 41 E9 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule RLPackV115V117aPlib043ap0x
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ??
33 FF E8 45 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule EmbedPEv113cyclotron
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 83 EC 50 60 68 5D B9 52 5A E8 2F 99 00 00 DC 99 F3 57 05 68 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule eXcaliburv103forgotus
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 58 61 EB 39 20 45 78 63 61 6C 69 62 75 72 20 28 63 29 20 62 79 20 66 6F 72 67 6F 74 2F 75 53 2F 44 46 43 47 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule Petite14
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }
+
+condition:
+ $a0
+}
+
+
+rule Petite12
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule Petite13
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 66 9C 60 50 8D 88 00 F0 00 00 8D 90 04 16 00 00 8B DC 8B E1 }
+
+condition:
+ $a0
+}
+
+
+rule Upack021betaDwing
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { BE 88 01 40 00 AD 8B F8 6A 04 95 A5 33 C0 AB 48 AB F7 D8 59 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule WebCopsEXELINKDataSecurity
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 03 05 EB 02 EB FC 55 EB 03 EB 04 05 EB FB EB 53 E8 04 00 00 00 72 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PseudoSigner02FSG10Anorganix
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 90 90 90 90 68 ?? ?? ?? ??
67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ThemidaOreansTechnologies2004
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule VxNumberOne
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { F9 07 3C 53 6D 69 6C 65 3E E8 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule WinKriptv10MrCrimson
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 33 C0 8B B8 00 ?? ?? ?? 8B 90 04 ?? ?? ?? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 83 C0 08 EB D5 61 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule tElockv085f
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E8 02 00 00 00 CD 20 E8 00 00 00 00 5E 2B C9 58 74 02 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule RosAsm2050aBetov
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 60 8B 5D 08 B9 08 00 00 00 BF ?? ?? ?? ?? 83 C7 07 FD 8A C3 24 0F 04 30 3C 39 76 02 04 07 AA C1 EB 04 E2 EE FC 68 00 10 00 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 15 ?? ?? ?? ?? 61 8B E5 5D C2 04 00 }
+
+condition:
+ $a0
+}
+
+
+rule Obsidium13021ObsidiumSoftware
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ??
?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 26 00 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ASPackv211dAlexeySolodovnikov
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E8 02 00 00 00 EB 09 5D 55 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ASPackv211cAlexeySolodovnikov
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ACProtect14xRISCOsoft
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 }
+
+condition:
+ $a0
+}
+
+
+rule SplashBitmapv100BoBBobsoft
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 6A 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PEZipv10byBaGIE
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { D9 D0 F8 74 02 23 DB F5 F5 50 51 52 53 8D 44 24 10 50 55 56 57 D9 D0 22 C9 C1 F7 A0 55 66 C1 C8 B0 5D 81 E6 FF FF FF FF F8 77 07 52 76 03 72 01 90 5A C1 E0 60 90 BD 1F 01 00 00 87 E8 E2 07 E3 05 17 5D 47 E4 42 41 7F 06 50 66 83 EE 00 58 25 FF FF FF FF 51 }
+
+condition:
+ $a0
+}
+
+
+rule LamerStopv10ccStefanEsser
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { E8 ?? ?? 05 ?? ?? CD 21 33 C0 8E C0 26 ?? ?? ?? 2E ?? ?? ?? 26 ?? ?? ?? 2E ?? ?? ?? BA ?? ??
FA }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ACProtectV14Xrisco
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 60 E8 01 00 00 00 7C 83 04 24 06 C3 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule VxGRUNT2Family
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 48 E2 F7 C3 51 53 52 E8 DD FF 5A 5B 59 C3 B9 00 00 E2 FE C3 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule AHTeamEPProtector03fakeMicrosoftVisualC70FEUERRADER
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BF ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 89 65 00 8B F4 89 3E 56 FF 15 ?? ?? ?? ?? 8B 4E ?? 89 0D ?? ?? ?? 00 8B 46 00 A3 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule InstallStub32bit
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 81 EC 14 ?? 00 00 53 56 57 6A 00 FF 15 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ??
85 C0 74 29 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule VcasmProtector10evcasm
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 0A 5B 56 50 72 6F 74 65 63 74 5D }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule MSLRHv032afakePEBundle20x24xemadicius
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 83 BD 9C 38 40 00 01 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule Armadillov190b4
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 6A FF 68 08 E2 40 00 68 B4 96 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule UPXv103v104Modified
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule NsPackV2XLiuXingPing
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 6E 73 70 61 63 6B 24 40 }
+
+condition:
+ $a0
+}
+
+
+rule ThemidaWinLicenseV1000V1800OreansTechnologies
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? E8 00 00 00 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PACKWINv101p
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 8C C0 FA 8E D0 BC ?? ?? FB 06 0E 1F 2E ?? ?? ?? ?? 8B F1 4E 8B FE 8C DB 2E ?? ?? ?? ?? 8E C3 FD F3 A4 53 B8 ?? ?? 50 CB }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PECompactv110b1
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ??
33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 28 63 40 ?? 87 DD 8B 85 AD 63 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule MicroJoiner15coban2k
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { BF 05 10 40 00 83 EC 30 8B EC E8 C8 FF FF FF E8 C3 FF FF FF }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule ANDpakk2018byDmitryANDAndreev
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { FC BE D4 00 40 00 BF 00 ?? ?? 00 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PECompactv110b2
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 94 60 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PECompactv110b5
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 49 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule NJoy10NEX
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 55 8B EC 83 C4 F0 B8 9C 3B 40 00 E8 8C FC FF FF 6A 00 68 E4 39 40 00 6A 0A 6A 00 E8 40 FD FF FF E8 EF F5 FF FF 8D 40 00 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+
+rule PECompactv110b7
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ??
BB 14 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv110b6 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 ?? 00 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 01 85 92 60 40 ?? BB B7 } + +condition: + $a0 at pe.entry_point +} + + +rule KBysPacker028BetaShoooo +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5E 83 EE 0A 8B 06 03 C2 8B 08 89 4E F3 83 EE 0F 56 52 8B F0 AD AD 03 C2 8B D8 6A 04 BF 00 10 00 00 57 57 6A 00 FF 53 08 5A 59 BD 00 80 00 00 55 6A 00 50 51 52 50 89 06 AD AD 03 C2 50 AD 03 C2 FF D0 6A 04 57 AD 50 6A 00 FF 53 } + +condition: + $a0 +} + + +rule nPack113002006BetaNEOx +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 3D ?? ?? ?? ?? ?? 75 05 E9 01 00 00 00 C3 E8 46 00 00 00 E8 73 00 00 00 B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 9C 00 00 00 E8 2D 02 00 00 E8 DD 06 00 00 E8 2C 06 00 00 A1 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? C3 C3 56 57 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 8B F8 68 ?? ?? ?? ?? 57 FF D6 68 ?? ?? ?? ?? 57 A3 ?? ?? ?? ?? FF D6 5F A3 ?? ?? ?? ?? 5E C3 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02BorlandC1999Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90 90 90 90 A1 ?? ?? ?? ?? A3 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv100bAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 } + +condition: + $a0 at pe.entry_point +} + + +rule SEAAXEv22 +{ + meta: + author="malware-lu" +strings: + $a0 = { FC BC ?? ?? 0E 1F A3 ?? ?? E8 ?? ?? A1 ?? ?? 8B ?? ?? ?? 2B C3 8E C0 B1 03 D3 E3 8B CB BF ?? ?? 
8B F7 F3 A5 } + +condition: + $a0 at pe.entry_point +} + + +rule PureBasic4xDLLNeilHodgson +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 7C 24 08 01 75 0E 8B 44 24 04 A3 ?? ?? ?? 10 E8 22 00 00 00 83 7C 24 08 02 75 00 83 7C 24 08 00 75 05 E8 ?? 00 00 00 83 7C 24 08 03 75 00 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? 0F 00 00 A3 } + +condition: + $a0 at pe.entry_point +} + + +rule EXEPackerv70byTurboPowerSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 1E 06 8C C3 83 ?? ?? 2E ?? ?? ?? ?? B9 ?? ?? 8C C8 8E D8 8B F1 4E 8B FE } + +condition: + $a0 at pe.entry_point +} + + +rule VxSYP +{ + meta: + author="malware-lu" +strings: + $a0 = { 47 8B C2 05 1E 00 52 8B D0 B8 02 3D CD 21 8B D8 5A } + +condition: + $a0 at pe.entry_point +} + + +rule DSHIELD: Packer PEiD +{ + meta: + author="malware-lu" +strings: + $a0 = { 06 E8 ?? ?? 5E 83 EE ?? 16 17 9C 58 B9 ?? ?? 25 ?? ?? 2E } + +condition: + $a0 at pe.entry_point +} + + +rule kkrunchy023alphaRyd +{ + meta: + author="malware-lu" +strings: + $a0 = { BD 08 ?? ?? 00 C7 45 00 ?? ?? ?? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? 00 57 BE ?? ?? ?? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10 8D 9D A0 08 00 00 E8 ?? 00 00 00 8B 45 10 EB 42 8D 9D A0 04 00 00 E8 ?? 00 00 00 49 49 78 40 8D 5D 20 74 03 83 C3 40 31 D2 42 E8 ?? 00 00 00 8D 0C 48 F6 C2 10 74 F3 41 91 8D 9D A0 08 00 00 E8 ?? 00 00 00 3D 00 08 00 00 83 D9 FF 83 F8 60 83 D9 FF 89 45 10 56 89 FE 29 C6 F3 A4 5E EB 90 BE ?? ?? ?? 00 BB ?? ?? ?? 00 55 46 AD 85 C0 74 ?? 97 56 FF 13 85 C0 74 16 95 AC 84 C0 75 FB 38 06 74 E8 78 ?? 
56 55 FF 53 04 AB 85 C0 } + +condition: + $a0 at pe.entry_point +} + + +rule NJoy12NEX +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 B8 A4 32 40 00 E8 E8 F1 FF FF 6A 00 68 54 2A 40 00 6A 0A 6A 00 E8 A8 F2 FF FF E8 C7 EA FF FF 8D 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule AntiDote12DemoSISTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 F7 FE FF FF 05 CB 22 00 00 FF E0 E8 EB FE FF FF 05 BB 19 00 00 FF E0 E8 BD 00 00 00 08 B2 62 00 01 52 17 0C 0F 2C 2B 20 7F 52 79 01 30 07 17 29 4F 01 3C 30 2B 5A 3D C7 26 11 26 06 59 0E 78 2E 10 14 0B 13 1A 1A 3F 64 1D 71 33 57 21 09 24 8B 1B 09 37 08 61 0F 1D 1D 2A 01 87 35 4C 07 39 0B } + +condition: + $a0 +} + + +rule EXE32Packv137 +{ + meta: + author="malware-lu" +strings: + $a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED 4C 8E 40 } + +condition: + $a0 at pe.entry_point +} + + +rule EXE32Packv136 +{ + meta: + author="malware-lu" +strings: + $a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED CC 8D 40 } + +condition: + $a0 at pe.entry_point +} + + +rule AINEXEv230 +{ + meta: + author="malware-lu" +strings: + $a0 = { 0E 07 B9 ?? ?? BE ?? ?? 33 FF FC F3 A4 A1 ?? ?? 2D ?? ?? 8E D0 BC ?? ?? 8C D8 } + +condition: + $a0 at pe.entry_point +} + + +rule ThinstallEmbedded20XJitit +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 EF BE AD DE 50 6A 00 FF 15 ?? ?? ?? ?? 
E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptorv151x +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 C1 ?? ?? ?? FE C3 31 C0 64 FF 30 64 89 20 CC C3 } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidiumv1304ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 } + $a1 = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? E8 3B 26 00 00 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule CopyProtectorv20 +{ + meta: + author="malware-lu" +strings: + $a0 = { 2E A2 ?? ?? 53 51 52 1E 06 B4 ?? 1E 0E 1F BA ?? ?? 
CD 21 1F } + +condition: + $a0 at pe.entry_point +} + + +rule EXE32Packv139 +{ + meta: + author="malware-lu" +strings: + $a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED EC 8D 40 } + +condition: + $a0 at pe.entry_point +} + + +rule EXE32Packv138 +{ + meta: + author="malware-lu" +strings: + $a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ?? ?? ?? ?? 02 81 ?? ?? ?? ?? ?? ?? ?? 3B DB 74 01 BE 5D 8B D5 81 ED DC 8D 40 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtBorlandC1999 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 CD 20 2B C8 68 80 ?? ?? 00 EB 02 1E BB 5E EB 02 CD 20 68 B1 2B 6E 37 40 5B 0F B6 C9 } + +condition: + $a0 at pe.entry_point +} + + +rule ThinstallEmbedded2547V2600Jitit +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 58 BB BC 18 00 00 2B C3 50 68 ?? ?? ?? ?? 68 60 1B 00 00 68 60 00 00 00 E8 35 FF FF FF E9 99 FF FF FF 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv131Engdulekxt +{ + meta: + author="malware-lu" +strings: + $a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 
00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB } + +condition: + $a0 at pe.entry_point +} + + +rule SDProtectorBasicProEdition110RandyLi +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 50 83 EC 08 64 A1 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 83 C4 08 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 64 } + +condition: + $a0 at pe.entry_point +} + + +rule Petite12c1998IanLuck +{ + meta: + author="malware-lu" +strings: + $a0 = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 } + +condition: + $a0 at pe.entry_point +} + + +rule PcSharev40 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 90 34 40 00 68 B6 28 40 00 64 A1 } + +condition: + $a0 at pe.entry_point +} + + +rule VProtector0X12Xvcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 } + +condition: + $a0 +} + + +rule STNPEE113 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 57 56 52 51 53 E8 00 00 00 00 5D 8B D5 81 ED 97 3B 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule SoftDefenderV11xRandyLi +{ + meta: + author="malware-lu" +strings: + $a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 } + +condition: + $a0 at pe.entry_point +} + + +rule CDCopsII +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D } + +condition: + $a0 at pe.entry_point +} + + +rule RLPack11BasicEditionap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 4A 02 00 00 8D 9D 11 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 } + +condition: + $a0 at pe.entry_point +} + + +rule EXE32Packv13x +{ + meta: + author="malware-lu" +strings: + $a0 = { 3B ?? 74 02 81 83 55 3B ?? 74 02 81 ?? 53 3B ?? 74 01 ?? ?? ?? ?? ?? 02 81 ?? ?? E8 ?? ?? ?? ?? 3B 74 01 ?? 5D 8B D5 81 ED } + +condition: + $a0 at pe.entry_point +} + + +rule VxInvoluntary1349 +{ + meta: + author="malware-lu" +strings: + $a0 = { BA ?? ?? B9 ?? ?? 8C DD ?? 8C C8 ?? 8E D8 8E C0 33 F6 8B FE FC ?? ?? AD ?? 
33 C2 AB } + +condition: + $a0 at pe.entry_point +} + + +rule WinZip32bit6x +{ + meta: + author="malware-lu" +strings: + $a0 = { FF 15 FC 81 40 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 } + +condition: + $a0 at pe.entry_point +} + + +rule NsPacKV36LiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 83 38 01 0F 84 47 02 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02LCCWin321xAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 64 A1 01 00 00 00 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 9A 10 40 90 50 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECrypt10ReBirth +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 60 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 4E 28 40 00 8B F7 AC } + +condition: + $a0 at pe.entry_point +} + + +rule NJoy11NEX +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 B8 0C 3C 40 00 E8 24 FC FF FF 6A 00 68 28 3A 40 00 6A 0A 6A 00 E8 D8 FC FF FF E8 7F F5 FF FF 8D 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PEcryptbyarchphase +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 E0 53 56 33 C0 89 45 E4 89 45 E0 89 45 EC ?? ?? ?? ?? 64 82 40 00 E8 7C C7 FF FF 33 C0 55 68 BE 84 40 00 64 FF 30 64 89 20 68 CC 84 40 00 ?? ?? ?? ?? 00 A1 10 A7 40 00 50 E8 1D C8 FF FF 8B D8 85 DB 75 39 E8 3A C8 FF FF 6A 00 6A 00 68 A0 A9 40 00 68 00 04 00 00 50 6A 00 68 00 13 00 00 E8 FF C7 FF FF 6A 00 68 E0 84 40 00 A1 A0 A9 40 00 50 6A 00 E8 ?? ?? ?? ?? E9 7D 01 00 00 53 A1 10 A7 40 00 50 E8 42 C8 FF FF 8B F0 85 F6 75 18 6A 00 68 E0 84 40 00 68 E4 84 40 00 6A 00 E8 71 C8 FF FF E9 53 01 00 00 53 6A 00 E8 2C C8 FF FF A3 ?? ?? ?? ?? 
83 3D 48 A8 40 00 00 75 18 6A 00 68 E0 84 40 00 68 F8 84 40 00 6A 00 E8 43 C8 FF FF E9 25 01 00 00 56 E8 F8 C7 FF FF A3 4C A8 40 00 A1 48 A8 40 00 E8 91 A1 FF FF 8B D8 8B 15 48 A8 40 00 85 D2 7C 16 42 33 C0 8B 0D 4C A8 40 00 03 C8 8A 09 8D 34 18 88 0E 40 4A 75 ED 8B 15 48 A8 40 00 85 D2 7C 32 42 33 C0 8D 34 18 8A 0E 80 F9 01 75 05 C6 06 FF EB 1C 8D 0C 18 8A 09 84 ?? ?? ?? ?? ?? 00 EB 0E 8B 0D 4C A8 40 00 03 C8 0F B6 09 49 88 0E 40 4A 75 D1 8D ?? ?? ?? ?? E8 A5 A3 FF FF 8B 45 E8 8D 55 EC E8 56 D5 FF FF 8D 45 EC BA 18 85 40 00 E8 79 BA FF FF 8B 45 EC E8 39 BB FF FF 8B D0 B8 54 A8 40 00 E8 31 A6 FF FF BA 01 00 00 00 B8 54 A8 40 00 E8 12 A9 FF FF E8 DD A1 FF FF 68 50 A8 40 00 8B D3 8B 0D 48 A8 40 00 B8 54 A8 40 00 E8 56 A7 FF FF E8 C1 A1 FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule CrunchPEv30xx +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? FF 74 } + +condition: + $a0 at pe.entry_point +} + + +rule LameCryptLaZaRus +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 66 9C BB 00 ?? ?? 00 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 B8 ?? ?? 40 00 FF E0 } + +condition: + $a0 at pe.entry_point +} + + +rule NsPack29NorthStar +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8A 06 3C 00 74 12 8B F5 8D B5 ?? ?? FF FF 8A 06 3C 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? 
FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 } + +condition: + $a0 at pe.entry_point +} + + +rule BeRoEXEPackerv100LZBRSBeRoFarbrausch +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ?? ?? ?? ?? 72 03 A4 EB F2 E8 ?? ?? ?? ?? 8D 51 FF E8 ?? ?? ?? ?? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtBorlandC +{ + meta: + author="malware-lu" +strings: + $a0 = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB } + $a1 = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB F4 00 00 00 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule VIRUSIWormKLEZ +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 40 D2 40 ?? 68 04 AC 40 ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 BC D0 } + +condition: + $a0 +} + + +rule YZPack12UsAr +{ + meta: + author="malware-lu" +strings: + $a0 = { 4D 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02LocklessIntroPackAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 2C E8 EB 1A 90 90 5D 8B C5 81 ED F6 73 90 90 2B 85 90 90 90 90 83 E8 06 89 85 FF 01 EC AD } + +condition: + $a0 at pe.entry_point +} + + +rule PKLITE3211 +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 4B 4C 49 54 45 33 32 20 43 6F 70 79 72 69 67 68 74 20 31 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv20bartxt +{ + meta: + author="malware-lu" +strings: + $a0 = { 87 25 ?? ?? ?? 
00 61 94 55 A4 B6 80 FF 13 } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakeSVKP111emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 64 A0 23 00 00 00 83 C5 06 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtMASM32TASM32MicrosoftVisualBasic +{ + meta: + author="malware-lu" +strings: + $a0 = { F7 D8 0F BE C2 BE 80 ?? ?? 00 0F BE C9 BF 08 3B 65 07 EB 02 D8 29 BB EC C5 9A F8 EB 01 94 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor239DLLminimumprotection +{ + meta: + author="malware-lu" +strings: + $a0 = { 51 68 ?? ?? ?? ?? 87 2C 24 8B CD 5D 81 E1 ?? ?? ?? ?? E9 ?? ?? ?? 00 89 45 F8 51 68 ?? ?? ?? ?? 59 81 F1 ?? ?? ?? ?? 0B 0D ?? ?? ?? ?? 81 E9 ?? ?? ?? ?? E9 ?? ?? ?? 00 81 C2 ?? ?? ?? ?? E8 ?? ?? ?? 00 87 0C 24 59 51 64 8B 05 30 00 00 00 8B 40 0C 8B 40 0C E9 ?? ?? ?? 00 F7 D6 2B D5 E9 ?? ?? ?? 00 87 3C 24 8B CF 5F 87 14 24 1B CA E9 ?? ?? ?? 00 83 C4 08 68 ?? ?? ?? ?? E9 ?? ?? ?? 00 C3 E9 ?? ?? ?? 00 E9 ?? ?? ?? 00 50 8B C5 87 04 24 8B EC 51 0F 88 ?? ?? ?? 00 FF 05 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 0C 24 59 99 03 04 24 E9 ?? ?? ?? 00 C3 81 D5 ?? ?? ?? ?? 9C E9 ?? ?? ?? 00 81 FA ?? ?? ?? ?? E9 ?? ?? ?? 00 C1 C3 15 81 CB ?? ?? ?? ?? 81 F3 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 
87 } + +condition: + $a0 at pe.entry_point +} + + +rule Frusionbiff +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 0C 53 55 56 57 68 04 01 00 00 C7 44 24 14 } + +condition: + $a0 at pe.entry_point +} + + +rule OpenSourceCodeCrypterp0ke +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B9 09 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 34 44 40 00 E8 28 F8 FF FF 33 C0 55 68 9F 47 40 00 64 FF 30 64 89 20 BA B0 47 40 00 B8 1C 67 40 00 E8 07 FD FF FF 8B D8 85 DB 75 07 6A 00 E8 C2 F8 FF FF BA 28 67 40 00 8B C3 8B 0D 1C 67 40 00 E8 F0 E0 FF FF BE 01 00 00 00 B8 2C 68 40 00 E8 E1 F0 FF FF BF 0A 00 00 00 8D 55 EC 8B C6 E8 92 FC FF FF 8B 4D EC B8 2C 68 40 00 BA BC 47 40 00 E8 54 F2 FF FF A1 2C 68 40 00 E8 52 F3 FF FF 8B D0 B8 20 67 40 00 E8 A2 FC FF FF 8B D8 85 DB 0F 84 52 02 00 00 B8 24 67 40 00 8B 15 20 67 40 00 E8 78 F4 FF FF B8 24 67 40 00 E8 7A F3 FF FF 8B D0 8B C3 8B 0D 20 67 40 00 E8 77 E0 FF FF 8D 55 E8 A1 24 67 40 00 E8 42 FD FF FF 8B 55 E8 B8 24 67 40 00 } + +condition: + $a0 +} + + +rule QrYPt0rbyNuTraL +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 F9 00 0F 84 8D 01 00 00 8A C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32 C1 3C F3 75 89 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? BA D9 04 00 00 E8 00 00 00 00 5F 81 C7 16 01 00 00 80 2C 3A 01 } + $a1 = { 86 18 CC 64 FF 35 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 64 89 25 00 00 00 00 BB 00 00 F7 BF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
B8 78 56 34 12 87 03 E8 CD FE FF FF E8 B3 } + $a2 = { EB 00 E8 B5 00 00 00 E9 2E 01 00 00 64 FF 35 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 64 89 25 00 00 00 00 8B 44 24 04 } + +condition: + $a0 or $a1 or $a2 at pe.entry_point +} + + +rule EXECryptor2xxmaxcompressedresources +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 EC FC 53 57 56 89 45 FC 89 55 F8 89 C6 89 D7 66 81 3E 4A 43 0F 85 23 01 00 00 83 C6 0A C7 45 F4 08 00 00 00 31 DB BA 00 00 00 80 43 31 C0 E8 11 01 00 00 73 0E 8B 4D F0 E8 1F 01 00 00 02 45 EF AA EB E9 E8 FC 00 00 00 0F 82 97 00 00 00 E8 F1 00 00 00 73 5B B9 04 00 00 00 E8 FD 00 00 00 48 74 DE 0F 89 C7 00 00 00 E8 D7 00 00 00 73 1B 55 BD 00 01 00 00 E8 D7 00 00 00 88 07 47 4D 75 F5 E8 BF 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 C8 00 00 00 83 C0 07 89 45 F0 C6 45 EF 00 83 F8 08 74 89 E8 A9 00 00 00 88 45 EF E9 7C FF FF FF B9 07 00 00 00 E8 A2 00 00 00 50 } + +condition: + $a0 +} + + +rule Upackv024v028AlphaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 88 01 40 00 AD ?? ?? 95 AD 91 F3 A5 AD } + +condition: + $a0 at pe.entry_point +} + + +rule ThinstallEmbedded24222428Jitit +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D 9B 1A 00 00 B9 84 1A 00 00 BA 14 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD E0 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 } + +condition: + $a0 at pe.entry_point +} + + +rule SVKProtectorv1051 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 EB 03 C7 84 E8 EB 03 C7 84 9A E8 00 00 00 00 5D 81 ED 10 00 00 00 EB 03 C7 84 E9 64 A0 23 00 00 00 EB } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakeZCode101FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E9 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 FB FF FF FF C3 68 00 00 00 00 64 FF 35 } + +condition: + $a0 at pe.entry_point +} + + +rule PEPacker +{ + meta: + author="malware-lu" +strings: + $a0 = { FC 8B 35 70 01 40 ?? 83 EE 40 6A 40 68 ?? 30 10 } + +condition: + $a0 at pe.entry_point +} + + +rule ProgramProtectorXPv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? ?? ?? 58 83 D8 05 89 C3 81 C3 ?? ?? ?? ?? 8B 43 64 50 } + +condition: + $a0 at pe.entry_point +} + + +rule SimplePack111Method2NTbagieTMX +{ + meta: + author="malware-lu" +strings: + $a0 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032aemadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 } + $a1 = { EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 } + $a2 = { E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF FF FF 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C } + +condition: + $a0 or $a1 or $a2 at pe.entry_point +} + 
+ +rule VxHafen1641 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 01 ?? ?? ?? CE CC 25 ?? ?? 25 ?? ?? 25 ?? ?? 40 51 D4 ?? ?? ?? CC 47 CA ?? ?? 46 8A CC 44 88 CC } + +condition: + $a0 at pe.entry_point +} + + +rule NativeUDPacker11ModdedPoisonIvyShellcodeokkixot +{ + meta: + author="malware-lu" +strings: + $a0 = { 31 C0 31 DB 31 C9 EB 0E 6A 00 6A 00 6A 00 6A 00 FF 15 28 41 40 00 FF 15 94 40 40 00 89 C7 68 88 13 00 00 FF 15 98 40 40 00 FF 15 94 40 40 00 81 C7 88 13 00 00 39 F8 73 05 E9 84 00 00 00 6A 40 68 00 10 00 00 FF 35 04 30 40 00 6A 00 FF 15 A4 40 40 00 89 C7 FF 35 04 30 40 00 68 CA 10 40 00 50 FF 15 A8 40 40 00 6A 40 68 00 10 00 00 FF 35 08 30 40 00 6A 00 FF 15 A4 40 40 00 89 C6 68 00 30 40 00 FF 35 04 30 40 00 57 FF 35 08 30 40 00 50 6A 02 FF 15 4E 41 40 00 6A 00 6A 00 6A 00 56 6A 00 6A 00 FF 15 9C 40 40 00 50 6A 00 6A 00 6A 11 50 FF 15 4A 41 40 00 58 6A FF 50 FF 15 AC 40 40 00 6A 00 FF 15 A0 40 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor2xxcompressedresources +{ + meta: + author="malware-lu" +strings: + $a0 = { 56 57 53 31 DB 89 C6 89 D7 0F B6 06 89 C2 83 E0 1F C1 EA 05 74 2D 4A 74 15 8D 5C 13 02 46 C1 E0 08 89 FA 0F B6 0E 46 29 CA 4A 29 C2 EB 32 C1 E3 05 8D 5C 03 04 46 89 FA 0F B7 0E 29 CA 4A 83 C6 02 EB 1D C1 E3 04 46 89 C1 83 E1 0F 01 CB C1 E8 05 73 07 43 89 F2 01 DE EB 06 85 DB 74 0E EB A9 56 89 D6 89 D9 F3 A4 31 DB 5E EB 9D 89 F0 5B 5F 5E C3 } + +condition: + $a0 +} + + +rule NXPEPackerv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { FF 60 FF CA FF 00 BA DC 0D E0 40 00 50 00 60 00 70 00 80 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PolyBoxCAnskya +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 53 56 B8 E4 41 00 10 E8 3A E1 FF FF 33 C0 55 68 11 44 00 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 6A 0A 68 20 44 00 10 A1 1C 71 00 10 50 E8 CC E1 ?? ?? ?? ?? 
85 DB 0F 84 77 01 00 00 53 A1 1C 71 00 10 50 E8 1E E2 FF FF 8B F0 85 F6 0F 84 61 01 00 00 53 A1 1C 71 00 10 50 E8 E0 E1 FF FF 85 C0 0F 84 4D 01 00 00 50 E8 DA E1 FF FF 8B D8 85 DB 0F 84 3D 01 00 00 56 B8 70 80 00 10 B9 01 00 00 00 8B 15 98 41 00 10 E8 9E DE FF FF 83 C4 04 A1 70 80 00 10 8B CE 8B D3 E8 E1 E1 FF FF 6A 00 6A 00 A1 70 80 00 10 B9 30 44 00 10 8B D6 E8 F8 FD FF FF } + +condition: + $a0 +} + + +rule UPolyXv05 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC ?? 00 BD 46 00 8B ?? B9 ?? 00 00 00 80 ?? ?? 51 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + $a1 = { 83 EC 04 89 14 24 59 BA ?? 00 00 00 52 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 } + $a2 = { BB 00 BD 46 00 83 EC 04 89 1C 24 ?? B9 ?? 00 00 00 80 33 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + $a3 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 83 EC 04 89 ?? 24 B9 ?? 00 00 00 81 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + $a4 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 ?? B9 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + $a5 = { EB 01 C3 ?? 00 BD 46 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 or $a1 or $a2 or $a3 or $a4 or $a5 +} + + +rule beriav007publicWIPsymbiont +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 18 53 8B 1D 00 30 ?? ?? 55 56 57 68 30 07 00 00 33 ED 55 FF D3 8B F0 3B F5 74 0D 89 AE 20 07 00 00 E8 88 0F 00 00 EB 02 33 F6 6A 10 55 89 35 30 40 ?? ?? FF D3 8B F0 3B F5 74 09 89 2E E8 3C FE FF FF EB 02 33 F6 6A 18 55 89 35 D8 43 ?? ?? FF D3 8B F0 } + +condition: + $a0 at pe.entry_point +} + + +rule PCGuardv405dv410dv415d +{ + meta: + author="malware-lu" +strings: + $a0 = { FC 55 50 E8 00 00 00 00 5D EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule asscrypterbysantasdad +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 EC 53 ?? ?? ?? ?? 89 45 EC B8 98 40 00 10 E8 AC EA FF FF 33 C0 55 68 78 51 00 10 64 ?? ?? ?? ?? 20 6A 0A 68 88 51 00 10 A1 E0 97 00 10 50 E8 D8 EA FF FF 8B D8 53 A1 E0 97 00 10 50 E8 12 EB FF FF 8B F8 53 A1 E0 97 00 10 50 E8 DC EA FF FF 8B D8 53 E8 DC EA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 F0 97 00 10 E8 C9 E7 FF FF B8 F0 97 00 10 E8 B7 E7 FF FF 8B CF 8B D6 E8 EE EA FF FF 53 E8 98 EA FF FF 8D 4D EC BA 9C 51 00 10 A1 F0 97 00 10 E8 22 EB FF FF 8B 55 EC B8 F0 97 00 10 E8 89 E6 FF FF B8 F0 97 00 10 E8 7F E7 FF FF E8 6E EC FF FF 33 C0 5A 59 59 64 89 10 68 7F 51 00 10 8D 45 EC E8 11 E6 FF FF C3 E9 FF DF FF FF EB F0 5F 5E 5B E8 0D E5 FF FF 00 53 45 54 54 49 4E 47 53 00 00 00 00 FF FF FF FF 1C 00 00 00 45 4E 54 45 52 20 59 4F 55 52 20 4F 57 4E 20 50 41 53 53 57 4F 52 44 20 48 45 52 45 } + +condition: + $a0 at pe.entry_point +} + + +rule CopyControlv303 +{ + meta: + author="malware-lu" +strings: + $a0 = { CC 90 90 EB 0B 01 50 51 52 53 54 61 33 61 2D 35 CA D1 07 52 D1 A1 3C } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110Engbartxt +{ + meta: + author="malware-lu" +strings: + $a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 
00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 } + +condition: + $a0 at pe.entry_point +} + + +rule Elanguage +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 06 00 00 00 50 E8 ?? 01 00 00 55 8B EC 81 C4 F0 FE FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule EXELOCK66615 +{ + meta: + author="malware-lu" +strings: + $a0 = { BA ?? ?? BF ?? ?? EB ?? EA ?? ?? ?? ?? 79 ?? 7F ?? 7E ?? 1C ?? 48 78 ?? E3 ?? 45 14 ?? 5A E9 } + +condition: + $a0 at pe.entry_point +} + + +rule AdysGluev010 +{ + meta: + author="malware-lu" +strings: + $a0 = { 2E 8C 06 ?? ?? 0E 07 33 C0 8E D8 BE ?? ?? BF ?? ?? FC B9 ?? ?? 56 F3 A5 1E 07 5F } + +condition: + $a0 at pe.entry_point +} + + +rule SVKProtectorv132 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 } + +condition: + $a0 at pe.entry_point +} + + +rule PKLITEv114v115v1203 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B ?? ?? ?? 72 ?? B4 09 BA ?? 01 CD 21 CD 20 4E 6F } + +condition: + $a0 at pe.entry_point +} + + +rule SafeGuardV10Xsimonzh2000 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 EB 29 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 9C 81 C1 E2 FF FF FF EB 01 ?? 9D FF E1 } + +condition: + $a0 at pe.entry_point +} + + +rule PEiDBundlev102v103DLLBoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 
60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule FreeJoinerSmallbuild023GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 E1 FD FF FF 6A 00 E8 0C 00 00 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PrivatePersonalPackerPPP102ConquestOfTroycom +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 E8 D3 03 00 00 A3 20 37 00 10 50 6A 00 E8 DE 03 00 00 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 00 00 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 00 00 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9 } + +condition: + $a0 +} + + +rule DIETv102bv110av120 +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? 3B FC 72 ?? B4 4C CD 21 FD F3 A5 FC } + +condition: + $a0 at pe.entry_point +} + + +rule UPXECLiPSElayer +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidium1334ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? 
EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 } + $a1 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PKLITEv150Devicedrivercompression +{ + meta: + author="malware-lu" +strings: + $a0 = { B4 09 BA 14 01 CD 21 B8 00 4C CD 21 F8 9C 50 53 51 52 56 57 55 1E 06 BB } + +condition: + $a0 at pe.entry_point +} + + +rule VxGrazie883 +{ + meta: + author="malware-lu" +strings: + $a0 = { 1E 0E 1F 50 06 BF 70 03 B4 1A BA 70 03 CD 21 B4 47 B2 00 BE 32 04 CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule PROTECTEXECOMv60 +{ + meta: + author="malware-lu" +strings: + $a0 = { 1E B4 30 CD 21 3C 02 73 ?? CD 20 BE ?? ?? E8 } + +condition: + $a0 at pe.entry_point +} + + +rule ENIGMAProtectorSukhovVladimir +{ + meta: + author="malware-lu" +strings: + $a0 = { 45 6E 69 67 6D 61 20 70 72 6F 74 65 63 74 6F 72 20 76 31 } + +condition: + $a0 +} + + +rule CRYPToCRACksPEProtectorV093LukasFleischer +{ + meta: + author="malware-lu" +strings: + $a0 = { 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 00 00 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 00 00 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 00 00 03 C1 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv147v150 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? 
BB 5B 12 } + +condition: + $a0 at pe.entry_point +} + + +rule PocketPCMIB +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 FF BD 27 14 00 BF AF 18 00 A4 AF 1C 00 A5 AF 20 00 A6 AF 24 00 A7 AF ?? ?? ?? 0C 00 00 00 00 18 00 A4 8F 1C 00 A5 8F 20 00 A6 8F ?? ?? ?? 0C 24 00 A7 8F ?? ?? ?? 0C 25 20 40 00 14 00 BF 8F 08 00 E0 03 18 00 BD 27 ?? FF BD 27 18 00 ?? AF ?? 00 } + +condition: + $a0 at pe.entry_point +} + + +rule WWPACKv305c4ExtractableVirusShield +{ + meta: + author="malware-lu" +strings: + $a0 = { 03 05 40 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 } + +condition: + $a0 at pe.entry_point +} + + +rule VxNoon1163 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5B 50 56 B4 CB CD 21 3C 07 ?? ?? 81 ?? ?? ?? 2E ?? ?? 4D 5A ?? ?? BF 00 01 89 DE FC } + +condition: + $a0 at pe.entry_point +} + + +rule PuNkMoD1xPuNkDuDe +{ + meta: + author="malware-lu" +strings: + $a0 = { 94 B9 ?? ?? 00 00 BC ?? ?? ?? ?? 80 34 0C } + +condition: + $a0 +} + + +rule PECrypt32Consolev10v101v102 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB } + +condition: + $a0 at pe.entry_point +} + + +rule InnoSetupModulev2018 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 73 71 FF FF E8 DA 85 FF FF E8 81 A7 FF FF E8 C8 } + +condition: + $a0 +} + + +rule Nakedbind10nakedcrew +{ + meta: + author="malware-lu" +strings: + $a0 = { 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B 4D 5A 74 08 81 EB 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule NsPacKV31LiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 } + +condition: + $a0 at pe.entry_point +} + + +rule AntiVirusVaccinev103 +{ + meta: + author="malware-lu" +strings: + $a0 = { FA 33 DB B9 ?? ?? 0E 1F 33 F6 FC AD 35 ?? ?? 
03 D8 E2 } + +condition: + $a0 at pe.entry_point +} + + +rule VxKuku448 +{ + meta: + author="malware-lu" +strings: + $a0 = { AE 75 ED E2 F8 89 3E ?? ?? BA ?? ?? 0E 07 BF ?? ?? EB } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectv12xNewStrain +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? C3 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule SimpleUPXCryptorv3042005OnelayerencryptionMANtiCORE +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule AntiDote10Demo12SISTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 09 01 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 DB 01 47 65 74 56 65 72 73 69 6F 6E 45 78 41 00 73 01 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 00 7A 03 57 61 69 74 46 6F 72 53 69 6E 67 6C 65 4F 62 6A 65 63 74 00 BF 02 52 65 73 75 6D 65 54 68 72 65 61 64 00 00 29 03 53 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 00 00 94 03 57 72 69 74 65 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 00 6B 03 56 69 72 74 75 61 6C 41 6C 6C 6F 63 45 78 00 00 A6 02 52 65 61 64 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 CA 01 47 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 00 00 62 00 43 72 65 61 74 65 50 72 6F 63 65 73 73 41 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C } + +condition: + $a0 +} + + +rule FSGv110EngbartxtWinRARSFX +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 E9 A1 C1 C1 13 68 E4 16 75 46 C1 C1 05 5E EB 01 9D 68 64 86 37 46 EB 02 8C E0 5F F7 D0 } + $a1 = { EB 01 02 EB 02 CD 20 B8 80 ?? 
42 00 EB 01 55 BE F4 00 00 00 13 DF 13 D8 0F B6 38 D1 F3 F7 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule BJFntv11b +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 } + +condition: + $a0 at pe.entry_point +} + + +rule ThinstallEmbedded26202623Jitit +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 58 BB AC 1E 00 00 2B C3 50 68 ?? ?? ?? ?? 68 B0 21 00 00 68 C4 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule SLVc0deProtector11xSLVICU +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 58 C6 00 EB C6 40 01 08 FF E0 E9 4C ?? ?? 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RJoinerbyVaskaSignfrompinch250320071700 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 FD FF FF 6A 00 E8 0C 00 00 00 FF 25 6C 10 40 00 FF 25 70 10 40 00 FF 25 74 10 40 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 } + +condition: + $a0 at pe.entry_point +} + + +rule AverCryptor10os1r1s +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 75 17 40 00 8B BD 9C 18 40 00 8B 8D A4 18 40 00 B8 BC 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 A0 18 40 00 33 C0 51 33 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 A0 18 40 00 8B 85 A8 18 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 8B F1 E8 27 00 00 00 8B C8 5F B8 BC 18 40 00 03 C5 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 98 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3 } + +condition: + $a0 at pe.entry_point +} + + +rule nSpackV23LiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 70 61 63 6B 24 40 } + +condition: + $a0 +} + + +rule SENDebugProtector +{ + meta: + author="malware-lu" +strings: + $a0 = { BB ?? ?? ?? ?? 00 ?? ?? ?? ?? 
?? 29 ?? ?? 4E E8 } + +condition: + $a0 at pe.entry_point +} + + +rule xPEP03xxIkUg +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 53 56 51 52 57 E8 16 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule AntiDote14SESISTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 90 03 00 00 E8 C6 FD FF FF 68 90 03 00 00 E8 BC FD FF FF 68 90 03 00 00 E8 B2 FD FF FF 50 E8 AC FD FF FF 50 E8 A6 FD FF FF 68 69 D6 00 00 E8 9C FD FF FF 50 E8 96 FD FF FF 50 E8 90 FD FF FF 83 C4 20 E8 78 FF FF FF 84 C0 74 4F 68 04 01 00 00 68 10 22 60 00 6A 00 FF 15 08 10 60 00 68 90 03 00 00 E8 68 FD FF FF 68 69 D6 00 00 E8 5E FD FF FF 50 E8 58 FD FF FF 50 E8 52 FD FF FF E8 DD FE FF FF 50 68 A4 10 60 00 68 94 10 60 00 68 10 22 60 00 E8 58 FD FF FF 83 C4 20 33 C0 C2 10 00 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 } + +condition: + $a0 at pe.entry_point +} + + +rule NsPack30NorthStar +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 } + +condition: + $a0 at pe.entry_point +} + + +rule ORiENV212FisunAV +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 5D 01 00 00 CE D1 CE CD 0D } + +condition: + $a0 at pe.entry_point +} + + +rule NsPackv23NorthStar +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? 
FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD } + $a1 = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 56 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 54 03 00 00 03 D9 50 53 E8 9D 02 00 00 61 } + +condition: + $a0 or $a1 +} + + +rule ObsidiumV1342ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 C3 27 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule SplashBitmapv100WithUnpackCodeBoBBobsoft +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 6A 40 } + +condition: + $a0 at pe.entry_point +} + + +rule KBySV028shoooo +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? ?? ?? 
E8 01 00 00 00 C3 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 } + +condition: + $a0 at pe.entry_point +} + + +rule ObsidiumV12XObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 0E 00 00 00 33 C0 8B 54 24 0C 83 82 B8 00 00 00 0D C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule NsPackV13LiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01PENinja131Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidiumv1300ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B } + $a1 = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B 50 EB 03 8A 0B 93 33 C0 EB 02 28 B9 8B 00 EB 01 04 C3 EB 04 65 B3 54 0A E9 FA 00 00 00 EB 01 A2 E8 D5 FF FF FF EB 02 2B 49 EB 03 7C 3E 76 58 EB 04 B8 94 92 56 EB 01 72 64 67 8F 06 00 00 EB 02 23 72 83 C4 04 EB 02 A9 CB E8 47 26 00 00 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule Feokt +{ + meta: + author="malware-lu" +strings: + $a0 = { 89 25 A8 11 40 00 BF ?? ?? ?? 00 31 C0 B9 ?? ?? ?? 00 29 F9 FC F3 AA ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 } + +condition: + $a0 at pe.entry_point +} + + +rule NTkrnlSecureSuite01015NTkrnlSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 } + +condition: + $a0 +} + + +rule PEPROTECT09 +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 CF 00 00 00 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 } + +condition: + $a0 at pe.entry_point +} + + +rule EXERefactorV01random +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC 90 0B 00 00 53 56 57 E9 58 8C 01 00 55 53 43 41 54 49 4F 4E } + +condition: + $a0 at pe.entry_point +} + + +rule CrunchPEv40 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 E9 06 ?? ?? 89 85 E1 06 ?? ?? FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24 } + +condition: + $a0 +} + + +rule NullsoftPIMPInstallSystemv1x +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 5C 53 55 56 57 FF 15 ?? ?? ?? 
00 } + +condition: + $a0 at pe.entry_point +} + + +rule Pohernah100byKas +{ + meta: + author="malware-lu" +strings: + $a0 = { 58 60 E8 00 00 00 00 5D 81 ED 20 25 40 00 8B BD 86 25 40 00 8B 8D 8E 25 40 00 6B C0 05 83 F0 04 89 85 92 25 40 00 83 F9 00 74 2D 81 7F 1C AB 00 00 00 75 1E 8B 77 0C 03 B5 8A 25 40 00 31 C0 3B 47 10 74 0E 50 8B 85 92 25 40 00 30 06 58 40 46 EB ED 83 C7 28 49 EB CE 8B 85 82 25 40 00 89 44 24 1C 61 FF E0 } + +condition: + $a0 at pe.entry_point +} + + +rule dUP2diablo2oo2 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F0 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? A2 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 3C 01 75 19 BE ?? ?? ?? ?? 68 00 02 00 00 56 68 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01ASPack2xxHeuristicAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 } + +condition: + $a0 at pe.entry_point +} + + +rule eXpressorv145CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C } + +condition: + $a0 at pe.entry_point +} + + +rule hmimysProtectv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 BA 00 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 40 00 ?? ?? ?? 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 
00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 00 00 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9 } + $a1 = { E8 BA 00 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 40 00 ?? ?? ?? 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 00 00 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9 00 00 00 } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule VProtectorV10Evcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 0A 5B 56 50 72 6F 74 65 63 74 5D E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01LCCWin32DLLAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 90 90 90 FF 75 10 FF 75 0C FF 75 08 A1 ?? ?? ?? ?? 
E9 } + +condition: + $a0 at pe.entry_point +} + + +rule CodeCryptv014b +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 C5 02 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F } + +condition: + $a0 at pe.entry_point +} + + +rule PellesC450DLLX86CRTLIB +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 85 DB 75 0D 83 3D ?? ?? ?? ?? 00 75 04 31 C0 EB 57 83 FB 01 74 05 83 FB 02 75 } + +condition: + $a0 at pe.entry_point +} + + +rule EEXEVersion112 +{ + meta: + author="malware-lu" +strings: + $a0 = { B4 30 CD 21 3C 03 73 ?? BA 1F 00 0E 1F B4 09 CD 21 B8 FF 4C CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv120EngdulekxtMASM32TASM32 +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE } + +condition: + $a0 at pe.entry_point +} + + +rule PEDiminisherv01Teraphy +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 00 00 00 89 95 9A 33 40 00 80 BD 99 33 40 00 00 74 50 E8 02 01 00 00 8B FD 8D 9D 9A 33 40 00 8B 1B 8D 87 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02VBOX43MTEAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 } + +condition: + $a0 at pe.entry_point +} + + +rule SEAAXE +{ + meta: + author="malware-lu" +strings: + $a0 = { FC BC ?? ?? 0E 1F E8 ?? ?? 26 A1 ?? ?? 8B 1E ?? ?? 2B C3 8E C0 B1 ?? D3 E3 } + +condition: + $a0 at pe.entry_point +} + + +rule UpackV010V011Dwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? ?? ?? AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 ?? F3 AB C1 E0 ?? B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C ?? 73 ?? B0 ?? 3C ?? 72 02 2C ?? 
50 0F B6 5F FF C1 E3 ?? B3 ?? 8D 1C 5B 8D ?? ?? ?? ?? ?? ?? B0 ?? 67 E3 29 8B D7 2B 56 0C 8A 2A 33 D2 84 E9 0F 95 C6 52 FE C6 8A D0 8D 14 93 FF D5 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakePCGuard403415FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 FC 55 50 E8 00 00 00 00 5D EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule SimplePack111Method1bagieTMX +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5B 8D 5B FA BD 00 00 ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 00 00 FF 77 10 6A 00 FF 93 38 03 00 00 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC } + $a1 = { 60 E8 00 00 00 00 5B 8D 5B FA BD 00 00 ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 00 00 FF 77 10 6A 00 FF 93 38 03 00 00 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC F3 A5 89 C1 83 E1 03 F3 A4 5F 5E 8B 04 24 89 EA 03 57 0C E8 3F 01 00 00 58 68 00 40 00 00 FF 77 10 50 FF 93 3C 03 00 00 83 C7 28 4E 75 9E BE ?? ?? ?? ?? 09 F6 0F 84 0C 01 00 00 01 EE 8B 4E 0C 09 C9 0F 84 FF 00 00 00 01 E9 89 CF 57 FF 93 30 03 00 00 09 C0 75 3D 6A 04 68 00 10 00 00 68 00 10 00 00 6A 00 FF 93 38 03 00 00 89 C6 8D 83 6F 02 00 00 57 50 56 FF 93 44 03 00 00 6A 10 6A 00 56 6A 00 FF 93 48 03 00 00 89 E5 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule MASM32: Packer PEiD +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A ?? 68 00 30 40 00 68 ?? 
30 40 00 6A 00 E8 07 00 00 00 6A 00 E8 06 00 00 00 FF 25 08 20 } + +condition: + $a0 at pe.entry_point +} + + +rule SoftDefenderv10v11 +{ + meta: + author="malware-lu" +strings: + $a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD ?? 59 9C 50 74 0A 75 08 E8 59 C2 04 ?? 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 ?? ?? ?? ?? 58 05 BA 01 ?? ?? 03 C8 74 BE 75 BC E8 } + +condition: + $a0 at pe.entry_point +} + + +rule XtremeProtectorv106 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? 00 B9 75 ?? ?? 00 50 51 E8 05 00 00 00 E9 4A 01 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 8A 06 46 88 07 47 BB 02 00 00 00 02 D2 75 05 8A 16 46 12 D2 73 EA 02 D2 75 05 8A 16 46 12 D2 73 4F 33 C0 02 D2 75 05 8A 16 46 12 D2 0F 83 DF 00 00 00 02 } + +condition: + $a0 at pe.entry_point +} + + +rule VcasmProtector1112vcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidiumv1111 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 E7 1C 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VxEddie1530 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? 50 06 56 1E 33 C0 50 1F C4 ?? ?? ?? 2E ?? ?? ?? ?? 2E } + +condition: + $a0 at pe.entry_point +} + + +rule KBySV028DLLshoooo +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? BA ?? ?? ?? ?? 03 C2 FF E0 ?? ?? ?? ?? 60 E8 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PEncrypt10JunkCode +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C BE 00 10 40 00 8B FE B9 ?? ?? ?? ?? BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 E9 ?? ?? ?? FF } + +condition: + $a0 at pe.entry_point +} + + +rule PEPasswordv02SMTSMF +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 04 ?? ?? ?? 
8B EC 5D C3 33 C0 5D 8B FD 81 ED 33 26 40 ?? 81 EF ?? ?? ?? ?? 83 EF 05 89 AD 88 27 40 ?? 8D 9D 07 29 40 ?? 8D B5 62 28 40 ?? 46 80 } + +condition: + $a0 at pe.entry_point +} + + +rule EncryptPE22006710220061025WFS +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorv16Vaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 D0 68 ?? ?? ?? ?? FF D2 } + $a1 = { 33 D0 68 ?? ?? ?? ?? FF D2 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PEPaCKv10CCopyright1998byANAKiN +{ + meta: + author="malware-lu" +strings: + $a0 = { C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 20 2D 3D FE 20 50 45 2D 50 41 43 4B 20 76 31 2E 30 20 2D FE 2D 20 28 43 29 20 43 6F 70 } + +condition: + $a0 +} + + +rule YodasProtectorv1032Beta2AshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? 
E8 B8 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VxMTEnonencrypted +{ + meta: + author="malware-lu" +strings: + $a0 = { F7 D9 80 E1 FE 75 02 49 49 97 A3 ?? ?? 03 C1 24 FE 75 02 48 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01FSG131Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv212AlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 } + $a1 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule Upack022023betaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 } + $a1 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 59 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 } + $a2 = { AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 ?? 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 } + +condition: + $a0 or $a1 at pe.entry_point or $a2 at pe.entry_point +} + + +rule PseudoSigner01CodeLockAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B E9 } + +condition: + $a0 at pe.entry_point +} + + +rule PKLITEv100c1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 2E 8C 1E ?? ?? 8B 1E ?? ?? 8C DA 81 C2 ?? ?? 3B DA 72 ?? 81 EB ?? ?? 83 EB ?? FA 8E D3 BC ?? ?? FB FD BE ?? ?? 
8B FE } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakenSPack13emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule PKLITEv100c2 +{ + meta: + author="malware-lu" +strings: + $a0 = { BA ?? ?? A1 ?? ?? 2D ?? ?? 8C CB 81 C3 ?? ?? 3B C3 77 ?? 05 ?? ?? 3B C3 77 ?? B4 09 BA ?? ?? CD 21 CD 20 90 } + +condition: + $a0 at pe.entry_point +} + + +rule kkrunchyv017FGiesen +{ + meta: + author="malware-lu" +strings: + $a0 = { FC FF 4D 08 31 D2 8D 7D 30 BE } + +condition: + $a0 +} + + +rule ACProtectv190gRiscosoftwareInc +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 0F 87 02 00 00 00 1B F8 E8 01 00 00 00 73 83 04 24 06 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidium133720070623ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? 
E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 F7 26 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv2000AlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 70 05 00 00 EB 4C } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov4000053SiliconRealmsToolworks +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 20 8B 4B 00 68 80 E4 48 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4B 00 33 D2 8A D4 89 15 A4 A1 4B 00 8B C8 81 E1 FF 00 00 00 89 0D A0 A1 4B 00 C1 E1 08 03 CA 89 0D 9C A1 4B 00 C1 E8 10 A3 98 A1 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov160a +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 98 71 40 00 68 48 2D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule ACProtectUltraProtect10X20XRiSco +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 55 53 45 52 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 6F 72 74 5F 45 6E 64 73 73 00 } + +condition: + $a0 +} + + +rule Thinstall3035Jtit +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 
68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 } + $a1 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 C3 B9 08 00 00 00 E8 01 00 00 00 C3 33 C0 E8 E1 FF FF FF 13 C0 E2 F7 C3 33 C9 41 E8 D4 FF FF FF 13 C9 E8 CD FF FF FF 72 F2 C3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PENinjav10DzAkRAkerTNT +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 5B 2A 40 00 BF 35 12 00 00 E8 40 12 00 00 3D 22 83 A3 C6 0F 85 67 0F 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule ThinstallEmbedded19XJitit +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 ?? ?? ?? ?? 50 E8 87 FC FF FF 59 59 A1 ?? ?? ?? ?? 
8B 40 10 03 05 ?? ?? ?? ?? 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptorv13045 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 } + $a1 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 14 89 41 18 80 A1 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule Obsidium1338ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 57 27 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPV073betaap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 2E 72 6C 70 00 00 00 00 00 50 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 E0 } + +condition: + $a0 +} + + +rule yCv13byAshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC C0 00 00 00 53 56 57 8D BD 40 FF FF FF B9 30 00 00 00 B8 CC CC CC CC F3 AB 60 E8 00 00 00 00 5D 81 ED 84 52 41 00 B9 75 5E 41 00 81 E9 DE 52 41 00 8B D5 81 C2 DE 52 41 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC } + +condition: + $a0 +} + + +rule PCPECalphapreview +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 51 52 56 57 55 E8 00 00 00 00 5D 8B CD 81 ED 33 30 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule AlexProtectorv10Alex +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 06 10 40 00 E8 24 00 00 00 EB 01 E9 8B } + +condition: + $a0 at pe.entry_point +} + + +rule Shrinkv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 9C FC BE ?? ?? BF ?? ?? 57 B9 ?? ?? F3 A4 8B ?? ?? ?? BE ?? ?? BF ?? ?? F3 A4 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule AHPack01FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 68 54 ?? ?? 00 B8 48 ?? ?? 00 FF 10 68 B3 ?? ?? 00 50 B8 44 ?? ?? 00 FF 10 68 00 } + +condition: + $a0 at pe.entry_point +} + + +rule SentinelSuperProAutomaticProtectionv640Safenet +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? ?? ?? 6A 01 6A 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C9 3D B7 00 00 00 A1 ?? ?? ?? ?? 0F 94 C1 85 C0 89 0D ?? ?? ?? ?? 0F 85 ?? ?? ?? ?? 55 56 C7 05 ?? ?? ?? ?? 01 00 00 00 FF 15 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? FF 15 } + +condition: + $a0 at pe.entry_point +} + + +rule DxPack10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 8B FD 81 ED ?? ?? ?? ?? 2B B9 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 
0F 84 } + +condition: + $a0 at pe.entry_point +} + + +rule Pohernah103byKas +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 2A 27 40 00 31 C0 40 83 F0 06 40 3D 40 1F 00 00 75 07 BE 6A 27 40 00 EB 02 EB EB 8B 85 9E 28 40 00 83 F8 01 75 17 31 C0 01 EE 3D 99 00 00 00 74 0C 8B 8D 86 28 40 00 30 0E 40 46 EB ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule ObsidiumV1258ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 ?? E8 ?? 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule nPackv11150200BetaNEOx +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? 
00 E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PerlApp602ActiveState +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 2C EA 40 00 FF D3 83 C4 0C 85 C0 0F 85 CD 00 00 00 6A 09 57 68 20 EA 40 00 FF D3 83 C4 0C 85 C0 75 12 8D 47 09 50 FF 15 1C D1 40 00 59 A3 B8 07 41 00 EB 55 6A 08 57 68 14 EA 40 00 FF D3 83 C4 0C 85 C0 75 11 8D 47 08 50 FF 15 1C D1 40 00 59 89 44 24 10 EB 33 6A 09 57 68 08 EA 40 00 FF D3 83 C4 0C 85 C0 74 22 6A 08 57 68 FC E9 40 00 FF D3 83 C4 0C 85 C0 74 11 6A 0B 57 68 F0 E9 40 00 FF D3 83 C4 0C 85 C0 75 55 } + $a1 = { 68 9C E1 40 00 FF 15 A4 D0 40 00 85 C0 59 74 0F 50 FF 15 1C D1 40 00 85 C0 59 89 45 FC 75 62 6A 00 8D 45 F8 FF 75 0C F6 45 14 01 50 8D 45 14 50 E8 9B 01 00 00 83 C4 10 85 C0 0F 84 E9 00 00 00 8B 45 F8 83 C0 14 50 FF D6 85 C0 59 89 45 FC 75 0E FF 75 14 FF 15 78 D0 40 00 E9 C9 00 00 00 68 8C E1 40 00 FF 75 14 50 } + +condition: + $a0 or $a1 +} + + +rule UPXProtectorv10x2 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB } + +condition: + $a0 +} + + +rule ThinstallEmbedded2501Jitit +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A8 1A 00 00 B9 6D 1A 00 00 BA 21 1B 00 00 BE 00 10 00 00 BF C0 53 00 00 BD F0 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 } + +condition: + $a0 at pe.entry_point +} + + +rule CodeVirtualizer1310OreansTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C FC E8 00 00 00 00 5F 81 EF ?? ?? ?? ?? 8B C7 81 C7 ?? ?? ?? ?? 3B 47 2C 75 02 EB 2E 89 47 2C B9 A7 00 00 00 EB 05 01 44 8F ?? 
49 0B C9 75 F7 83 7F 40 00 74 15 8B 77 40 03 F0 EB 09 8B 1E 03 D8 01 03 83 C6 04 83 3E 00 75 F2 8B 74 24 24 8B DE 03 F0 B9 01 00 00 00 33 C0 F0 0F B1 4F 30 75 F7 AC } + +condition: + $a0 +} + + +rule VProtector13Xvcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 60 8B B4 24 24 00 00 00 8B BC 24 28 00 00 00 FC C6 C2 80 33 DB A4 C6 C3 02 E8 A9 00 00 00 0F 83 F1 FF FF FF 33 C9 E8 9C 00 00 00 0F 83 2D 00 00 00 33 C0 E8 8F 00 00 00 0F 83 37 00 00 00 C6 C3 02 41 C6 C0 10 E8 7D 00 00 00 10 C0 0F 83 F3 FF FF FF } + $a1 = { E9 B9 16 00 00 55 8B EC 81 EC 74 04 00 00 57 68 00 00 00 00 68 00 00 C2 14 68 FF FF 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 00 00 C2 10 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 FF FF C2 10 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 00 00 C2 14 68 FF FF 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 68 ?? ?? ?? ?? 9C 81 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9D 54 FF 14 24 68 00 00 00 00 } + +condition: + $a0 or $a1 at pe.entry_point +} + + +rule Packman0001bubba +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 58 8D A8 ?? FE FF FF 8D 98 ?? ?? ?? FF 8D ?? ?? 
01 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule SimplePackV11XV12XMethod1bagie +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5B 8D 5B FA BD ?? ?? ?? ?? 8B 7D 3C 8D 74 3D 00 8D BE F8 00 00 00 0F B7 76 06 4E 8B 47 10 09 C0 } + +condition: + $a0 at pe.entry_point +} + + +rule PEEncryptv40bJunkCode +{ + meta: + author="malware-lu" +strings: + $a0 = { 66 ?? ?? 00 66 83 ?? 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PEQuake006forgat +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 A5 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A ?? ?? 00 5B ?? ?? 00 6E ?? ?? 00 00 00 00 00 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 ?? ?? 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule Kryptonv02 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 0C 24 E9 0A 7C 01 ?? AD 42 40 BD BE 9D 7A 04 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakePELockNT204FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB } + +condition: + $a0 at pe.entry_point +} + + +rule eXPressorPacK150XCGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 83 A5 ?? ?? ?? ?? ?? F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 35 2E 00 83 7D 0C ?? 75 23 8B 45 08 A3 ?? ?? ?? ?? 6A 04 68 00 10 00 00 68 20 03 00 00 6A 00 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 
EB 04 } + +condition: + $a0 at pe.entry_point +} + + +rule D1S1Gv11BetaScrambledEXED1N +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 07 00 00 00 E8 1E 00 00 00 C3 90 58 89 C2 89 C2 25 00 F0 FF FF 50 83 C0 55 8D 00 FF 30 8D 40 04 FF 30 52 C3 8D 40 00 55 8B EC 83 C4 E8 53 56 57 8B 4D 10 8B 45 08 89 45 F8 8B 45 0C 89 45 F4 8D 41 61 8B 38 8D 41 65 8B 00 03 C7 89 45 FC 8D 41 69 8B 00 03 C7 8D 51 6D 8B 12 03 D7 83 C1 71 8B 09 03 CF 2B CA 72 0A 41 87 D1 80 31 FF 41 4A 75 F9 89 45 F0 EB 71 8B } + +condition: + $a0 +} + + +rule ReversingLabsProtector074betaAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 00 00 41 00 E8 01 00 00 00 C3 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule ACProtect109gRiscosoftwareInc +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 F9 50 E8 01 00 00 00 7C 58 58 49 50 E8 01 00 00 00 7E 58 58 79 04 66 B9 B8 72 E8 01 00 00 00 7A 83 C4 04 85 C8 EB 01 EB C1 F8 BE 72 03 73 01 74 0F 81 01 00 00 00 F9 EB 01 75 F9 E8 01 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule NorthStarPEShrinker13Liuxingping +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 } + +condition: + $a0 at pe.entry_point +} + + +rule eXPressorV13CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 } + +condition: + $a0 at pe.entry_point +} + + +rule FreeJoinerSmallbuild035GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { 51 33 CB 86 C9 59 E8 9E FD FF FF 66 87 DB 6A 00 E8 0C 00 00 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule Upack020betaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 88 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? 
F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 } + +condition: + $a0 at pe.entry_point +} + + +rule UPX20030XMarkusOberhumerLaszloMolnarJohnReiser +{ + meta: + author="malware-lu" +strings: + $a0 = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 } + +condition: + $a0 +} + + +rule WinUpackv039finalByDwingc2005h1 +{ + meta: + author="malware-lu" +strings: + $a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 39 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 
00 02 00 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule UnnamedScrambler12Bp0ke +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 D8 53 56 57 33 C0 89 45 D8 89 45 DC 89 45 E0 89 45 E4 89 45 E8 B8 70 3A 40 00 E8 C4 EC FF FF 33 C0 55 68 5C 3F 40 00 64 FF 30 64 89 20 E8 C5 D7 FF FF E8 5C F5 FF FF B8 20 65 40 00 33 C9 BA 04 01 00 00 E8 D3 DB FF FF 68 04 01 00 00 68 20 65 40 00 6A 00 FF 15 10 55 40 00 BA 6C 3F 40 00 B8 14 55 40 00 E8 5A F4 FF FF 85 C0 0F 84 1B 04 00 00 BA 18 55 40 00 8B 0D 14 55 40 00 E8 16 D7 FF FF 8B 05 88 61 40 00 8B D0 B8 54 62 40 00 E8 D4 E3 FF FF B8 54 62 40 00 E8 F2 E2 FF FF 8B D0 B8 18 55 40 00 8B 0D 88 61 40 00 E8 E8 D6 FF FF FF 35 34 62 40 00 FF 35 30 62 40 00 FF 35 3C 62 40 00 FF 35 38 62 40 00 8D 55 E8 A1 88 61 40 00 E8 E3 F0 FF FF 8B 55 E8 } + +condition: + $a0 +} + + +rule Upack010012betaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 } + +condition: + $a0 at pe.entry_point +} + + +rule PEArmorV07Xhying +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 55 56 81 C5 ?? ?? ?? ?? 55 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule LauncherGeneratorv103 +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 00 20 40 00 68 10 20 40 00 6A 00 6A 00 6A 20 6A 00 6A 00 6A 00 68 F0 22 40 00 6A 00 E8 93 00 00 00 85 C0 0F 84 7E 00 00 00 B8 00 00 00 00 3B 05 68 20 40 00 74 13 6A ?? 68 60 23 40 00 68 20 23 40 00 6A 00 E8 83 00 00 00 A1 58 20 40 00 3B 05 6C 20 40 00 } + +condition: + $a0 +} + + +rule yodasProtector102103AshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? 
E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule NakedPacker10byBigBoote +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 FC 0F B6 05 34 ?? ?? ?? 85 C0 75 31 B8 50 ?? ?? ?? 2B 05 04 ?? ?? ?? A3 30 ?? ?? ?? A1 00 ?? ?? ?? 03 05 30 ?? ?? ?? A3 38 ?? ?? ?? E8 9A 00 00 00 A3 50 ?? ?? ?? C6 05 34 ?? ?? ?? 01 83 3D 50 ?? ?? ?? 00 75 07 61 FF 25 38 ?? ?? ?? 61 FF 74 24 04 6A 00 FF 15 44 ?? ?? ?? 50 FF 15 40 ?? ?? ?? C3 FF 74 24 04 6A 00 FF 15 44 ?? ?? ?? 50 FF 15 48 ?? ?? ?? C3 8B 4C 24 04 56 8B 74 24 10 57 85 F6 8B F9 74 0D 8B 54 24 10 8A 02 88 01 } + +condition: + $a0 +} + + +rule tElockv080 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 F9 11 00 00 C3 83 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01YodasProtector102Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 00 00 00 EB 01 90 90 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule VProtector11Xvcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 00 00 00 EB E6 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtMASM32 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 DB E8 02 00 00 00 86 43 5E 8D 1D D0 75 CF 83 C1 EE 1D 68 50 ?? 
8F 83 EB 02 3D 0F 5A } + +condition: + $a0 at pe.entry_point +} + + +rule Pohernah102byKas +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED DE 26 40 00 8B BD 05 28 40 00 8B 8D 0D 28 40 00 B8 25 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 09 28 40 00 31 C0 51 31 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 09 28 40 00 8B 85 11 28 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 89 CE E8 27 00 00 00 89 C1 5F B8 25 28 40 00 01 E8 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 01 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule ActiveMARK5xTrymediaSystemsInc +{ + meta: + author="malware-lu" +strings: + $a0 = { 20 2D 2D 4D 50 52 4D 4D 47 56 41 2D 2D 00 75 73 65 72 33 32 2E 64 6C 6C 00 4D 65 73 73 61 67 65 42 6F 78 41 00 54 68 69 73 20 61 70 70 6C 69 63 61 74 69 6F 6E 20 63 61 6E 6E 6F 74 20 72 75 6E 20 77 69 74 68 20 61 6E 20 61 63 74 69 76 65 20 64 65 62 75 67 } + +condition: + $a0 +} + + +rule RCryptorv20HideEPVaska +{ + meta: + author="malware-lu" +strings: + $a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 DC 20 ?? 00 F7 D1 83 F1 FF E8 00 00 00 00 F7 D1 83 F1 FF C3 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov172v173 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 E8 C1 ?? ?? 68 F4 86 ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule AsCryptv01SToRM2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 ?? ?? ?? 
83 ?? ?? ?? ?? 90 90 90 83 ?? ?? E2 } + +condition: + $a0 +} + + +rule AsCryptv01SToRM3 +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 51 ?? ?? ?? 01 00 00 00 83 ?? ?? E2 } + +condition: + $a0 +} + + +rule ASProtectV2XDLLAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD } + +condition: + $a0 at pe.entry_point +} + + +rule AsCryptv01SToRM4 +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 ?? ?? ?? 83 ?? ?? ?? ?? 90 90 90 E2 } + +condition: + $a0 +} + + +rule yzpack20UsAr +{ + meta: + author="malware-lu" +strings: + $a0 = { 25 ?? ?? ?? ?? 61 87 CC 55 45 45 55 81 ED CA 00 00 00 55 A4 B3 02 FF 14 24 73 F8 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 1F B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3C AA EB DC FF 54 24 04 2B CB 75 0F FF 54 24 08 EB 27 AC D1 E8 74 30 13 C9 EB 1B 91 48 C1 E0 08 AC FF 54 24 08 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 99 BD ?? ?? ?? ?? FF 65 28 } + +condition: + $a0 at pe.entry_point +} + + +rule PasswordprotectormySMT +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? ?? ?? 5D 8B FD 81 ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? 83 ?? ?? 89 ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 46 80 ?? ?? 74 } + +condition: + $a0 at pe.entry_point +} + + +rule ObsidiumV1258V133XObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 ?? E8 ?? 00 00 00 EB 02 ?? ?? 
EB } + +condition: + $a0 at pe.entry_point +} + + +rule ReflexiveArcadeWrapper +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 98 68 42 00 68 14 FA 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 F8 50 42 00 33 D2 8A D4 89 15 3C E8 42 00 8B C8 81 E1 FF 00 00 00 89 0D 38 E8 42 00 C1 E1 08 03 CA 89 0D 34 E8 42 00 C1 E8 10 A3 30 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule VxTrojanTelefoon +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 1E E8 3B 01 BF CC 01 2E 03 3E CA 01 2E C7 05 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv030betaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 30 } + +condition: + $a0 at pe.entry_point +} + + +rule VxACMEClonewarMutant +{ + meta: + author="malware-lu" +strings: + $a0 = { FC AD 3D FF FF 74 20 E6 42 8A C4 E6 42 E4 61 0C 03 E6 61 AD B9 40 1F E2 FE } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov2xxCopyMemII +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A ?? 8B B5 ?? ?? ?? ?? C1 E6 04 8B 85 ?? ?? ?? ?? 25 07 ?? ?? 80 79 05 48 83 C8 F8 40 33 C9 8A 88 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 81 E2 07 ?? ?? 80 79 05 4A 83 CA F8 42 33 C0 8A 82 } + +condition: + $a0 at pe.entry_point +} + + +rule TPACKv05cm1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? FD 60 BE ?? ?? BF ?? ?? B9 ?? ?? F3 A4 8B F7 BF ?? ?? FC 46 E9 8E FE } + +condition: + $a0 at pe.entry_point +} + + +rule EXEStealthv271 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED B0 27 40 } + +condition: + $a0 at pe.entry_point +} + + +rule TPACKv05cm2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? FD 60 BE ?? ?? BF ?? ?? B9 ?? ?? F3 A4 8B F7 BF ?? ?? 
FC 46 E9 CE FD } + +condition: + $a0 at pe.entry_point +} + + +rule ExeJoiner10Yodaf2f +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 68 04 11 40 00 6A 00 E8 1A 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 68 04 11 40 00 E8 EC 02 00 00 83 F8 FF 0F 84 83 02 00 00 A3 08 12 40 00 6A 00 50 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv101bAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44 } + +condition: + $a0 at pe.entry_point +} + + +rule MacromediaWindowsFlashProjectorPlayerv30 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 EC 44 56 FF 15 94 13 42 00 8B F0 B1 22 8A 06 3A C1 75 13 8A 46 01 46 3A C1 74 04 84 C0 75 F4 38 0E 75 0D 46 EB 0A 3C 20 7E 06 } + +condition: + $a0 at pe.entry_point +} + + +rule PESpinV11cyberbob +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E } + +condition: + $a0 at pe.entry_point +} + + +rule RLPack118aPlib043ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 BD 0A 04 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 A7 03 00 00 89 85 16 04 00 00 5B FF B5 16 04 00 00 56 FF D3 83 C4 ?? 8B B5 16 04 00 00 8B C6 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule DotFixNiceProtectvna +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 55 00 00 00 8D BD 00 10 40 00 68 ?? ?? ?? 
00 03 3C 24 8B F7 90 68 31 10 40 00 9B DB E3 55 DB 04 24 8B C7 DB 44 24 04 DE C1 DB 1C 24 8B 1C 24 66 AD 51 DB 04 24 90 90 DA 8D 77 10 40 00 DB 1C 24 D1 E1 29 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv032betaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 32 } + +condition: + $a0 at pe.entry_point +} + + +rule PackItBitch10archphase +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 28 ?? ?? ?? 35 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 41 ?? ?? ?? 50 ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? ?? ?? 79 ?? ?? ?? 7D ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule JDPack2xJDPack +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 68 51 40 00 68 04 25 40 00 64 A1 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RPolyCryptv10personalpolycryptorsignfrompinch +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 58 97 97 60 61 8B 04 24 80 78 F3 6A E8 00 00 00 00 58 E8 00 00 00 00 58 91 91 EB 00 0F 85 6B F4 76 6F E8 00 00 00 00 83 C4 04 E8 00 00 00 00 58 90 E8 00 00 00 00 83 C4 04 8B 04 24 80 78 F1 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv031betaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 31 } + +condition: + $a0 at pe.entry_point +} + + +rule Packmanv0001 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 58 8D A8 ?? ?? FF FF 8D 98 ?? ?? ?? FF 8D ?? ?? 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01PEPack099Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 11 00 00 00 5D 83 ED 06 80 BD E0 04 90 90 01 0F 84 F2 FF CC 0A E9 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor239minimumprotection +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? ?? ?? E9 ?? ?? ?? FF 50 C1 C8 18 89 05 ?? ?? ?? ?? C3 C1 C0 18 51 E9 ?? ?? ?? FF 84 C0 0F 84 6A F9 FF FF E9 ?? ?? ?? FF C3 E9 ?? ?? ?? FF E8 CF E9 FF FF B8 01 00 00 00 E9 ?? ?? ?? FF 2B D0 68 A0 36 80 D4 59 81 C9 64 98 FF 99 E9 ?? ?? ?? FF 84 C0 0F 84 8E EC FF FF E9 ?? ?? ?? FF C3 87 3C 24 5F 8B 00 03 45 FC 83 C0 18 E9 ?? ?? ?? FF 87 0C 24 59 B8 01 00 00 00 D3 E0 23 D0 E9 02 18 00 00 0F 8D DB 00 00 00 C1 E8 14 E9 CA 00 00 00 9D 87 0C 24 59 87 1C 24 68 AE 73 B9 96 E9 C5 10 00 00 0F 8A ?? ?? ?? ?? E9 ?? ?? ?? FF 81 FD F5 FF 8F 07 E9 4F 10 00 00 C3 E9 5E 12 00 00 87 3C 24 E9 ?? ?? ?? FF E8 ?? ?? ?? FF 83 3D ?? ?? ?? ?? 00 0F 85 ?? ?? ?? ?? 8D 55 EC B8 ?? ?? ?? ?? E9 ?? ?? ?? FF E8 A7 1A 00 00 E8 2A CB FF FF E9 ?? ?? ?? FF C3 E9 ?? ?? ?? FF 59 89 45 E0 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtMicrosoftVisualC60ASM +{ + meta: + author="malware-lu" +strings: + $a0 = { F7 D0 EB 02 CD 20 BE BB 74 1C FB EB 02 CD 20 BF 3B ?? ?? FB C1 C1 03 33 F7 EB 02 CD 20 68 } + +condition: + $a0 at pe.entry_point +} + + +rule HaspdongleAlladin +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 53 51 52 57 56 8B 75 1C 8B 3E ?? ?? ?? ?? ?? 8B 5D 08 8A FB ?? ?? 03 5D 10 8B 45 0C 8B 4D 14 8B 55 18 80 FF 32 } + +condition: + $a0 at pe.entry_point +} + + +rule SafeDiscv4 +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 42 6F 47 5F } + +condition: + $a0 +} + + +rule PKLITEv112v115v1201 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 73 ?? 2D ?? ?? FA 8E D0 FB 2D ?? ?? 8E C0 50 B9 ?? ?? 33 FF 57 BE ?? ?? 
FC F3 A5 CB B4 09 BA ?? ?? CD 21 CD 20 } + +condition: + $a0 at pe.entry_point +} + + +rule PKLITEv112v115v1202 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? BA ?? ?? 3B C4 73 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptorv153 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 ?? ?? 00 31 C0 89 41 14 89 41 18 80 A1 C1 00 00 00 FE C3 31 C0 64 FF 30 64 89 20 CC C3 } + +condition: + $a0 +} + + +rule MSLRHv032afakeEXE32Pack13xemadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC 56 3B D2 74 02 81 85 57 E8 00 00 00 00 3B DB 74 01 90 83 C4 14 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule eXpressorv11CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 15 13 00 00 E9 F0 12 00 00 E9 58 12 00 00 E9 AF 0C 00 00 E9 AE 02 00 00 E9 B4 0B 00 00 E9 E0 0C 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule NsPackV11LiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PrivatePersonalPackerPPPv102ConquestOfTroycom +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 17 00 00 00 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VxHorse1776 +{ 
+ meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5D 83 ?? ?? 06 1E 26 ?? ?? ?? ?? BF ?? ?? 1E 0E 1F 8B F7 01 EE B9 ?? ?? FC F3 A6 1F 1E 07 } + +condition: + $a0 at pe.entry_point +} + + +rule PEShit: Packer PEiD +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 F9 00 7E 06 80 30 ?? 40 E2 F5 E9 ?? ?? ?? FF } + +condition: + $a0 at pe.entry_point +} + + +rule DrWebVirusFindingEngineInSoftEDVSysteme +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 01 00 00 00 C2 0C 00 8D 80 00 00 00 00 8B D2 8B ?? 24 04 } + +condition: + $a0 at pe.entry_point +} + + +rule PluginToExev100BoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 0D 40 40 00 6A 00 81 C3 ?? ?? ?? 00 FF D3 83 C4 10 FF 95 B0 40 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorv15PrivateVaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 } + +condition: + $a0 at pe.entry_point +} + + +rule NeoLitev200 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 44 24 04 23 05 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 FE 05 ?? ?? ?? ?? 0B C0 74 } + +condition: + $a0 at pe.entry_point +} + + +rule PKLITEv200bextra +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 02 00 72 ?? B4 09 BA ?? ?? CD 21 B8 01 4C CD 21 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EA ?? ?? ?? ?? F3 A5 C3 59 2D ?? ?? 8E D0 51 2D ?? ?? 50 80 } + +condition: + $a0 at pe.entry_point +} + + +rule Crunch5Fusion4 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 15 03 ?? ?? ?? 06 ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 55 E8 } + +condition: + $a0 +} + + +rule MSLRHv032afakePEBundle023xemadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule PEMangle +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C BE ?? ?? ?? ?? 8B FE B9 ?? ?? ?? ?? BB 44 52 4F 4C AD 33 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule WWPACKv302v302av304Relocationspack +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? BF ?? ?? B9 ?? ?? 8C CD 81 ED ?? ?? 8B DD 81 EB ?? ?? 8B D3 FC FA 1E 8E DB 01 15 33 C0 2E AC } + +condition: + $a0 at pe.entry_point +} + + +rule UPXProtectorv10x +{ + meta: + author="malware-lu" +strings: + $a0 = { EB EC ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 } + +condition: + $a0 at pe.entry_point +} + + +rule NorthStarPEShrinkerv13byLiuxingping +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 73 ?? FF FF 8B 06 83 F8 00 74 11 8D B5 7F ?? FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 4F ?? FF FF 2B D0 89 95 4F ?? FF FF 01 95 67 ?? FF FF 8D B5 83 ?? FF FF 01 } + +condition: + $a0 +} + + +rule CodeCryptv015b +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 31 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackFullEdition117Ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 
33 FF } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv100 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB C4 84 40 ?? 87 DD 8B 85 49 85 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakeASProtect10FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 01 00 00 00 90 5D 81 ED 00 00 00 00 BB 00 00 00 00 03 DD 2B 9D } + +condition: + $a0 at pe.entry_point +} + + +rule KGCryptvxx +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 64 A1 30 ?? ?? ?? 84 C0 74 ?? 64 A1 20 ?? ?? ?? 0B C0 74 } + +condition: + $a0 at pe.entry_point +} + + +rule VxKBDflags1024 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B EC 2E 89 2E 24 03 BC 00 04 8C D5 2E 89 2E 22 } + +condition: + $a0 at pe.entry_point +} + + +rule yodasProtectorV102AshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 23 3F 42 00 8B D5 81 C2 72 3F 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3A 66 42 00 81 E9 1D 40 42 00 8B D5 81 C2 1D 40 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? 
E8 17 00 00 00 90 90 90 E9 C3 1F 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidium1311ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 03 ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01MicrosoftVisualC620Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 55 8B EC 83 EC 50 53 56 57 BE 90 90 90 90 8D 7D F4 A5 A5 66 A5 8B } + +condition: + $a0 at pe.entry_point +} + + +rule MEGALITEv120a +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 2D 73 ?? 72 ?? B4 09 BA ?? ?? CD 21 CD 90 } + +condition: + $a0 at pe.entry_point +} + + +rule GoatsMutilatorV16Goat_e0f +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 EA 0B 00 00 ?? ?? ?? 8B 1C 79 F6 63 D8 8D 22 B0 BF F6 49 08 C3 02 BD 3B 6C 29 46 13 28 5D } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillo430aSiliconRealmsToolworks +{ + meta: + author="malware-lu" +strings: + $a0 = { 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 41 4E 53 49 29 2C 20 61 70 70 20 73 74 72 69 6E 67 73 20 61 72 65 20 27 25 73 27 20 61 6E 64 20 27 25 73 27 00 00 00 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 55 4E 49 43 } + +condition: + $a0 +} + + +rule Upackv038betaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? 
?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 38 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 } + $a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 38 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? ?? 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 97 FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule DCryptPrivate09bdrmist +{ + meta: + author="malware-lu" +strings: + $a0 = { B9 ?? ?? ?? 00 E8 00 00 00 00 58 68 ?? ?? ?? 00 83 E8 0B 0F 18 00 D0 00 48 E2 FB C3 } + +condition: + $a0 at pe.entry_point +} + + +rule kkrunchyV02XRyd +{ + meta: + author="malware-lu" +strings: + $a0 = { BD ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? ?? 57 BE ?? ?? ?? ?? 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 } + +condition: + $a0 at pe.entry_point +} + + +rule SkDUndetectabler3NoFSG2MethodSkD +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC 10 02 00 00 68 00 02 00 00 8D 85 F8 FD FF FF 50 6A 00 FF 15 38 10 00 01 50 FF 15 3C 10 00 01 8D 8D F8 FD FF FF 51 E8 4F FB FF FF 83 C4 04 8B 15 ?? 16 00 01 52 A1 ?? 16 00 01 50 E8 50 FF FF FF 83 C4 08 A3 ?? 
16 00 01 C7 85 F4 FD FF FF 00 00 00 00 EB 0F 8B 8D F4 FD FF FF 83 C1 01 89 8D F4 FD FF FF 8B 95 F4 FD FF FF 3B 15 ?? 16 00 01 73 1C 8B 85 F4 FD FF FF 8B 0D ?? 16 00 01 8D 54 01 07 81 FA 74 10 00 01 75 02 EB 02 EB C7 8B 85 F4 FD FF FF 50 E8 ?? 00 00 00 83 C4 04 89 85 F0 FD FF FF 8B 8D F0 FD FF FF 89 4D FC C7 45 F8 00 00 00 00 EB 09 8B 55 F8 83 C2 01 89 55 F8 8B 45 F8 3B 85 F4 FD FF FF 73 15 8B 4D FC 03 4D F8 8B 15 ?? 16 00 01 03 55 F8 8A 02 88 01 EB D7 83 3D ?? 16 00 01 00 74 } + +condition: + $a0 at pe.entry_point +} + + +rule NTPacker10ErazerZ +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 E0 53 33 C0 89 45 E0 89 45 E4 89 45 E8 89 45 EC B8 ?? ?? 40 00 E8 ?? ?? FF FF 33 C0 55 68 ?? ?? 40 00 64 FF 30 64 89 20 8D 4D EC BA ?? ?? 40 00 A1 ?? ?? 40 00 E8 ?? FC FF FF 8B 55 EC B8 ?? ?? 40 00 E8 ?? ?? FF FF 8D 4D E8 BA ?? ?? 40 00 A1 ?? ?? 40 00 E8 ?? FE FF FF 8B 55 E8 B8 ?? ?? 40 00 E8 ?? ?? FF FF B8 ?? ?? 40 00 E8 ?? FB FF FF 8B D8 A1 ?? ?? 40 00 BA ?? ?? 40 00 E8 ?? ?? FF FF 75 26 8B D3 A1 ?? ?? 40 00 E8 ?? ?? FF FF 84 C0 75 2A 8D 55 E4 33 C0 E8 ?? ?? FF FF 8B 45 E4 8B D3 E8 ?? ?? FF FF EB 14 8D 55 E0 33 C0 E8 ?? ?? FF FF 8B 45 E0 8B D3 E8 ?? ?? FF FF 6A 00 E8 ?? ?? FF FF 33 C0 5A 59 59 64 89 10 68 ?? ?? 40 00 8D 45 E0 BA 04 00 00 00 E8 ?? ?? FF FF C3 E9 ?? ?? FF FF EB EB 5B E8 ?? ?? FF FF 00 00 00 FF FF FF FF 01 00 00 00 25 00 00 00 FF FF FF FF 01 00 00 00 5C 00 00 00 FF FF FF FF 06 00 00 00 53 45 52 56 45 52 00 00 FF FF FF FF 01 00 00 00 31 } + +condition: + $a0 at pe.entry_point +} + + +rule SexeCrypter11bysantasdad +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 D8 39 00 10 E8 30 FA FF FF 33 C0 55 68 D4 3A 00 10 64 FF 30 64 89 ?? ?? ?? ?? 
E4 3A 00 10 A1 00 57 00 10 50 E8 CC FA FF FF 8B D8 53 A1 00 57 00 10 50 E8 FE FA FF FF 8B F8 53 A1 00 57 00 10 50 E8 C8 FA FF FF 8B D8 53 E8 C8 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 14 57 00 10 E8 AD F6 FF FF B8 14 57 00 10 E8 9B F6 FF FF 8B CF 8B D6 E8 DA FA FF FF 53 E8 84 FA FF FF 8D 4D EC BA F8 3A 00 10 A1 14 57 00 10 E8 0A FB FF FF 8B 55 EC B8 14 57 00 10 E8 65 F5 FF FF B8 14 57 00 10 E8 63 F6 FF FF E8 52 FC FF FF 33 C0 5A 59 59 64 89 10 68 DB 3A 00 10 8D 45 EC E8 ED F4 FF FF C3 E9 83 EF FF FF EB F0 5F 5E 5B E8 ED F3 FF FF 00 53 45 54 54 49 4E 47 53 00 00 00 00 FF FF FF FF 12 00 00 00 6B 75 74 68 37 36 67 62 62 67 36 37 34 76 38 38 67 79 } + +condition: + $a0 at pe.entry_point +} + + +rule VxGotcha879 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5B 81 EB ?? ?? 9C FC 2E ?? ?? ?? ?? ?? ?? ?? 8C D8 05 ?? ?? 2E ?? ?? ?? ?? 50 2E ?? ?? ?? ?? ?? ?? 8B C3 05 ?? ?? 8B F0 BF 00 01 B9 20 00 F3 A4 0E B8 00 01 50 B8 DA DA CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule MZ0oPE106bTaskFall +{ + meta: + author="malware-lu" +strings: + $a0 = { EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ?? ?? ?? ?? C3 } + $a1 = { EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ?? ?? ?? ?? C3 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4C 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule SoftDefenderv11xRandyLi +{ + meta: + author="malware-lu" +strings: + $a0 = { 74 07 75 05 ?? ?? ?? ?? ?? 74 1F 75 1D ?? 68 ?? 
?? ?? 00 59 9C 50 74 0A 75 08 ?? 59 C2 04 00 ?? ?? ?? E8 F4 FF FF FF ?? ?? ?? 78 0F 79 0D } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv010v012BetaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 48 01 ?? ?? ?? ?? ?? 95 A5 33 C0 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakeBorlandDelphi6070FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 53 8B D8 33 C0 A3 00 00 00 00 6A 00 E8 00 00 00 FF A3 00 00 00 00 A1 00 00 00 00 A3 00 00 00 00 33 C0 A3 00 00 00 00 33 C0 A3 00 00 00 00 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule STProtectorV15SilentSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 } + +condition: + $a0 +} + + +rule ASPackv105bAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor226minimumprotection +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 68 ?? ?? ?? ?? 58 81 E0 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 0C 24 59 E8 ?? ?? ?? 00 89 45 F8 E9 ?? ?? ?? ?? 0F 83 ?? ?? ?? 00 E9 ?? ?? ?? ?? 87 14 24 5A 57 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 58 81 C0 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? 81 C8 ?? ?? ?? ?? 81 E0 ?? ?? ?? ?? E9 ?? ?? ?? 00 C3 E9 ?? ?? ?? ?? C3 BF ?? ?? ?? ?? 81 CB ?? ?? ?? ?? BA ?? ?? ?? ?? 52 E9 ?? ?? ?? 00 E8 ?? ?? ?? 00 E9 ?? ?? ?? 00 E9 ?? ?? ?? ?? 87 34 24 5E 66 8B 00 66 25 ?? ?? E9 ?? ?? ?? ?? 8B CD 87 0C 24 8B EC 51 89 EC 5D 8B 05 ?? ?? ?? ?? 09 C0 E9 ?? ?? ?? ?? 59 81 C1 ?? ?? ?? ?? C1 C1 ?? 23 0D ?? ?? ?? ?? 81 F9 ?? ?? ?? ?? E9 ?? ?? ?? ?? C3 E9 ?? ?? ?? 00 13 D0 0B F9 E9 ?? ?? ?? ?? 
51 E8 ?? ?? ?? ?? 8B 64 24 08 31 C0 64 8F 05 00 00 00 00 5A E9 ?? ?? ?? ?? 3C A4 0F 85 ?? ?? ?? 00 8B 45 FC 66 81 38 ?? ?? 0F 84 05 00 00 00 E9 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? E9 ?? ?? ?? ?? 87 3C 24 5F 31 DB 31 C9 31 D2 68 ?? ?? ?? ?? E9 ?? ?? ?? ?? 89 45 FC 33 C0 89 45 F4 83 7D FC 00 E9 ?? ?? ?? ?? 53 52 8B D1 87 14 24 81 C0 ?? ?? ?? ?? 0F 88 ?? ?? ?? ?? 3B CB } + +condition: + $a0 at pe.entry_point +} + + +rule PEProtector093CRYPToCRACk +{ + meta: + author="malware-lu" +strings: + $a0 = { 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 00 00 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 00 00 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 00 00 03 C1 75 09 83 EC 04 0F 85 DD 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PellesC300400450EXEX86CRTLIB +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 53 56 57 89 65 E8 68 00 00 00 02 E8 ?? ?? ?? ?? 59 A3 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackv118BasicaPLibAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 } + +condition: + $a0 at pe.entry_point +} + + +rule vfpexeNcV500WangJianGuo +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC } + +condition: + $a0 at pe.entry_point +} + + +rule FreeJoiner153Stubengine17GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 33 FD FF FF 50 E8 0D 00 00 00 CC FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule TheHypersprotectorTheHyper +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 EC 14 8B FC E8 14 00 00 00 ?? ?? 01 01 ?? ?? 01 01 ?? ?? ?? 00 ?? ?? 01 01 ?? ?? 02 01 5E E8 0D 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8B 46 04 FF 10 8B D8 E8 0D 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 53 8B 06 FF 10 89 07 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule ANDpakk2006DmitryAndreev +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 FC BE D4 00 40 00 BF 00 10 00 01 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3 } + +condition: + $a0 +} + + +rule Thinstall2628Jtit +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 58 BB 34 1D 00 00 2B C3 50 68 00 00 40 00 68 00 40 00 00 68 BC 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 } + $a1 = { E8 00 00 00 00 58 BB 34 1D 00 00 2B C3 50 68 00 00 40 00 68 00 40 00 00 68 BC 00 00 00 E8 C3 FE FF FF E9 99 FF FF FF CC CC CC CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 
00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule UPXModifierv01x +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidium1333ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 } + $a1 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? 
E8 2B 27 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PureBasic4xNeilHodgson +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3 } + +condition: + $a0 at pe.entry_point +} + + +rule VxAugust16thIronMaiden +{ + meta: + author="malware-lu" +strings: + $a0 = { BA 79 02 03 D7 B4 1A CD 21 B8 24 35 CD 21 5F 57 89 9D 4E 02 8C 85 50 02 } + +condition: + $a0 at pe.entry_point +} + + +rule VProtector10Xvcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 E8 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 05 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PEPACK099 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 83 ED 06 80 BD E0 04 00 00 01 0F 84 F2 } + +condition: + $a0 at pe.entry_point +} + + +rule Freshbindv20gFresh +{ + meta: + author="malware-lu" +strings: + $a0 = { 64 A1 00 00 00 00 55 89 E5 6A FF 68 1C A0 41 00 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXSCRAMBLER306OnToL +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 
50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompact2xxBitSumTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PESpinv01Cyberbob +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF } + $a1 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 B3 28 40 00 8B 42 3C 03 C2 89 85 BD 28 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D D1 28 40 00 53 8F 85 C4 27 40 00 BB ?? 00 00 00 B9 A5 08 00 00 8D BD 75 29 40 00 4F 30 1C 39 FE CB E2 F9 68 2D 01 00 00 59 8D BD AA 30 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 07 4F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D C4 28 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 59 81 C1 1D 00 00 00 52 51 C1 E9 05 23 D1 FF } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule VxEddie2100 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 4F 4F 0E E8 ?? ?? 47 47 1E FF ?? ?? CB E8 ?? ?? 84 C0 ?? ?? 50 53 56 57 1E 06 B4 51 CD 21 8E C3 ?? ?? ?? ?? ?? ?? ?? 
8B F2 B4 2F CD 21 AC } + +condition: + $a0 at pe.entry_point +} + + +rule NETexecutableMicrosoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 } + +condition: + $a0 +} + + +rule tElockv098 +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? 1E } + +condition: + $a0 at pe.entry_point +} + + +rule AZProtect0001byAlexZakaAZCRC +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 70 FC 60 8C 80 4D 11 00 70 25 81 00 40 0D 91 BB 60 8C 80 4D 11 00 70 21 81 1D 61 0D 81 00 40 CE 60 8C 80 4D 11 00 70 25 81 25 81 25 81 25 81 29 61 41 81 31 61 1D 61 00 40 B7 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 BE 00 ?? ?? 00 BF 00 00 40 00 EB 17 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 00 00 00 FF 25 ?? ?? ?? 00 8B C6 03 C7 8B F8 57 55 8B EC 05 7F 00 00 00 50 E8 E5 FF FF FF BA 8C ?? ?? 00 89 02 E9 1A 01 00 00 ?? 00 00 00 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 47 65 74 56 6F 6C 75 6D 65 49 6E 66 6F 72 6D 61 74 69 6F 6E 41 00 4D 65 73 73 61 67 65 42 6F 78 41 00 45 78 69 74 50 72 6F 63 65 73 73 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 } + $a1 = { FC 33 C9 49 8B D1 33 C0 33 DB AC 32 C1 8A CD 8A EA 8A D6 B6 08 66 D1 EB 66 D1 D8 73 09 66 35 20 83 66 81 F3 B8 ED FE CE 75 EB 33 C8 33 D3 4F 75 D5 F7 D2 F7 D1 8B C2 C1 C0 10 66 8B C1 C3 F0 DA 55 8B EC 53 56 33 C9 33 DB 8B 4D 0C 8B 55 10 8B 75 08 4E 4A 83 FB 08 72 05 33 DB 43 EB 01 43 33 C0 8A 04 31 8A 24 13 2A C4 88 04 31 E2 E6 5E 5B C9 C2 0C } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? 
?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90 } + $a1 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule MEW510Northfox +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv090 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 02 00 00 00 E8 00 E8 00 00 00 00 5E 2B } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidium1258ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? 
E8 7B 21 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule SVKProtectorv132EngPavolCerven +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 06 36 42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E } + +condition: + $a0 at pe.entry_point +} + + +rule ExeSplitter12BillPrisonerTPOC +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 95 02 00 00 64 A1 00 00 00 00 83 38 FF 74 04 8B 00 EB F7 8B 40 04 C3 55 8B EC B8 00 00 00 00 8B 75 08 81 E6 00 00 FF FF B9 06 00 00 00 56 56 E8 B0 00 00 00 5E 83 F8 01 75 06 8B C6 C9 C2 04 00 81 EE 00 00 01 00 E2 E5 C9 C2 04 00 55 8B EC 8B 75 0C 8B DE 03 76 3C 8D 76 18 8D 76 60 8B 36 03 F3 56 8B 76 20 03 F3 33 D2 8B C6 8B 36 03 F3 8B 7D 08 B9 0E 00 00 00 FC F3 A6 0B C9 75 02 EB 08 } + +condition: + $a0 +} + + +rule COPv10c1988 +{ + meta: + author="malware-lu" +strings: + $a0 = { BF ?? ?? BE ?? ?? B9 ?? ?? AC 32 ?? ?? ?? AA E2 ?? 8B ?? ?? ?? EB ?? 90 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv25RetailSlimLoaderBitsumTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? 01 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 } + +condition: + $a0 at pe.entry_point +} + + +rule Morphinev27Holy_FatherRatter29A +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + $a1 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 47 65 74 50 72 6F 63 } + +condition: + $a0 or $a1 +} + + +rule diPackerV1XdiProtectorSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 0F 00 2D E9 01 00 A0 E3 68 01 00 EB 8C 00 00 EB 2B 00 00 EB 00 00 20 E0 1C 10 8F E2 8E 20 8F E2 00 30 A0 E3 67 01 00 EB 0F 00 BD E8 00 C0 8F E2 00 F0 9C E5 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01REALBasicAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 90 90 90 90 90 90 90 90 90 90 50 90 90 90 90 90 00 01 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule PPCPROTECT11XAlexeyGorchakov +{ + meta: + author="malware-lu" +strings: + $a0 = { FF 5F 2D E9 20 00 9F E5 00 00 90 E5 18 00 8F E5 18 00 9F E5 00 00 90 E5 10 00 8F E5 01 00 A0 E3 00 00 00 EB 02 00 00 EA 04 F0 1F E5 } + +condition: + $a0 at pe.entry_point +} + + +rule nPackV111502006BetaNEOxuinC +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 3D 40 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 41 00 00 00 B8 80 ?? ?? ?? 2B 05 08 ?? ?? ?? A3 3C ?? ?? ?? E8 5E 00 00 00 E8 E0 01 00 00 E8 EC 06 00 00 E8 F7 05 00 00 A1 3C ?? ?? ?? C7 05 40 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 ?? ?? ?? 
C3 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule EnigmaProtector11X13XSukhovVladimirSergeNMarkin +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 B8 00 10 40 00 E8 01 00 00 00 9A 83 C4 10 8B E5 5D E9 } + +condition: + $a0 +} + + +rule HardlockdongleAlladin +{ + meta: + author="malware-lu" +strings: + $a0 = { 5C 5C 2E 5C 48 41 52 44 4C 4F 43 4B 2E 56 58 44 00 00 00 00 5C 5C 2E 5C 46 45 6E 74 65 44 65 76 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov190c +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 10 F2 40 00 68 74 9D 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule Upack_PatchDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 81 3A 00 00 00 02 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeJoinerV10Yodaf2f +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PCShrink071beta +{ + meta: + author="malware-lu" +strings: + $a0 = { 01 AD 54 3A 40 00 FF B5 50 3A 40 00 6A 40 FF 95 88 3A 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtMASM32TASM32 +{ + meta: + author="malware-lu" +strings: + $a0 = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B } + $a1 = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 
40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B F2 81 F6 EE 00 00 00 EB 02 CD 20 8A 0B E8 02 00 00 00 A9 54 5E C1 EE 07 F7 D7 EB 01 DE 81 E9 B7 96 A0 C4 EB 01 6B EB 02 CD 20 80 E9 4B C1 CF 08 EB 01 71 80 E9 1C EB } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PEiDBundlev101BoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A } + +condition: + $a0 at pe.entry_point +} + + +rule UPX072 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E } + +condition: + $a0 at pe.entry_point +} + + +rule AdFlt2: Packer PEiD +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 00 01 9C 0F A0 0F A8 60 FD 6A 00 0F A1 BE ?? ?? AD } + +condition: + $a0 at pe.entry_point +} + + +rule RLPack120BasicEditionaPLibAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 92 05 00 00 EB 0C 8B 85 8E 05 00 00 89 85 92 05 00 00 8D B5 BA 05 00 00 8D 9D 41 04 00 00 33 FF E8 38 01 00 00 EB 1B 8B 85 92 05 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 9E 05 00 00 00 74 0E 83 BD A2 05 00 00 00 74 05 E8 D6 01 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule AsCryptv01SToRM1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 81 ?? ?? ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? E2 ?? EB } + +condition: + $a0 +} + + +rule SmartEMicrosoft +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 15 03 00 00 00 ?? 
00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 1D 00 00 00 8B C5 55 60 9C 2B 85 8F 07 00 00 89 85 83 07 00 00 FF 74 24 2C E8 BB 01 00 00 0F 82 2F 06 00 00 E8 8E 04 00 00 49 0F 88 23 06 } + +condition: + $a0 at pe.entry_point +} + + +rule PE_Admin10EncryptPE12003518SoldFlyingCat +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 } + $a1 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 90 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule MacromediaWindowsFlashProjectorPlayerv40 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 44 56 FF 15 24 41 43 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C } + +condition: + $a0 at pe.entry_point +} + + +rule WWPack32v100v111v112v120 +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 } + +condition: + $a0 at pe.entry_point +} + + +rule VProtectorV11vcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 1A ED 41 00 B9 EC EB 41 00 50 51 E8 74 00 00 00 E8 51 6A 00 00 58 83 E8 10 B9 B3 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule MaskPE16yzkzero +{ + meta: + author="malware-lu" +strings: + $a0 = { 36 81 2C 24 ?? ?? ?? 00 C3 60 } + +condition: + $a0 +} + + +rule bambam001bedrock +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 14 E8 9A 05 00 00 8B D8 53 68 ?? ?? ?? ?? E8 6C FD FF FF B9 05 00 00 00 8B F3 BF ?? ?? ?? ?? 53 F3 A5 E8 8D 05 00 00 8B 3D ?? ?? ?? ?? A1 ?? ?? ?? ?? 66 8B 15 ?? ?? ?? ?? B9 ?? ?? ?? ?? 2B CF 89 45 E8 89 0D ?? ?? ?? ?? 
66 89 55 EC 8B 41 3C 33 D2 03 C1 83 C4 10 66 8B 48 06 66 8B 50 14 81 E1 FF FF 00 00 8D 5C 02 18 8D 41 FF 85 C0 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01MEW11SE10Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectv20 +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 } + +condition: + $a0 +} + + +rule PseudoSigner01BorlandDelphi6070Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 53 8B D8 33 C0 A3 09 09 09 00 6A 00 E8 09 09 00 FF A3 09 09 09 00 A1 09 09 09 00 A3 09 09 09 00 33 C0 A3 09 09 09 00 33 C0 A3 09 09 09 00 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule ObsidiumV12ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 77 1E 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01PEProtect09Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 00 00 00 58 83 C0 07 C6 90 C3 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule WWPack32v1x +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 55 8B E8 33 DB EB 60 } + +condition: + $a0 at pe.entry_point +} + + +rule ChSfxsmallv11 +{ + meta: + author="malware-lu" +strings: + $a0 = { BA ?? ?? E8 ?? ?? 8B EC 83 EC ?? 8C C8 BB ?? ?? B1 ?? D3 EB 03 C3 8E D8 05 ?? ?? 89 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXModifiedStubcFarbrauschConsumerConsulting +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02NorthStarPEShrinker13Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv098tE +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? 00 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtMicrosoftVisualBasicMASM32 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 09 94 0F B7 FF 68 80 ?? ?? 00 81 F6 8E 00 00 00 5B EB 02 11 C2 8D 05 F4 00 00 00 47 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv022v023BetaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 } + +condition: + $a0 at pe.entry_point +} + + +rule VxVirusConstructorbased +{ + meta: + author="malware-lu" +strings: + $a0 = { BB ?? ?? B9 ?? ?? 2E ?? ?? ?? ?? 43 43 ?? ?? 8B EC CC 8B ?? ?? 81 ?? ?? ?? 06 1E B8 ?? ?? CD 21 3D ?? ?? ?? ?? 8C D8 48 8E D8 } + $a1 = { E8 ?? ?? 5D 81 ?? ?? ?? 06 1E E8 ?? ?? E8 ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? ?? B4 4A BB FF FF CD 21 83 ?? ?? 
B4 4A CD 21 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PESHiELD02 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02Gleam100Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF } + +condition: + $a0 at pe.entry_point +} + + +rule DBPEv233DingBoy +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01PEtite2xlevel0Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 } + +condition: + $a0 at pe.entry_point +} + + +rule EPack14litefinalby6aHguT +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 C0 8B C0 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 } + +condition: + $a0 at pe.entry_point +} + + +rule tElock098tE +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 25 E4 FF FF 00 00 00 ?? ?? ?? ?? 1E ?? ?? 00 00 00 00 00 00 00 00 00 3E ?? ?? 00 2E ?? ?? 00 26 ?? ?? 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 36 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 ?? ?? 00 00 00 00 00 69 ?? ?? 00 00 00 00 00 56 ?? ?? 00 00 00 00 00 69 ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65 } + +condition: + $a0 at pe.entry_point +} + + +rule UnnamedScrambler10p0ke +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 EC 53 56 33 C0 89 45 ?? ?? ?? ?? 
40 00 E8 11 F4 FF FF BE 30 6B 40 00 33 C0 55 68 C9 42 40 00 64 FF 30 64 89 20 E8 C9 FA FF FF BA D8 42 40 00 8B ?? ?? ?? ?? FF FF 8B D8 B8 28 6B 40 00 8B 16 E8 37 F0 FF FF B8 2C 6B 40 00 8B 16 E8 2B F0 FF FF B8 28 6B 40 00 E8 19 F0 FF FF 8B D0 8B C3 8B 0E E8 42 E3 FF FF BA DC 42 40 00 8B C6 E8 2A FA FF FF 8B D8 B8 20 6B 40 00 8B 16 E8 FC EF FF FF B8 24 6B 40 00 8B 16 E8 F0 EF FF FF B8 20 6B 40 00 E8 DE EF FF FF 8B D0 8B C3 8B 0E E8 07 E3 FF FF 6A 00 6A 19 6A 00 6A 32 A1 28 6B 40 00 E8 59 EF FF FF 83 E8 05 03 C0 8D 55 EC E8 94 FE FF FF 8B 55 EC B9 24 6B 40 00 A1 20 6B 40 00 E8 E2 F6 FF FF 6A 00 6A 19 6A 00 6A 32 } + +condition: + $a0 +} + + +rule WARNINGTROJANADinjector +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 61 BE 00 20 44 00 8D BE 00 F0 FB FF C7 87 9C E0 04 00 6A F0 8A 5E 57 83 CD FF EB 0E } + +condition: + $a0 at pe.entry_point +} + + +rule TopSpeedv3011989 +{ + meta: + author="malware-lu" +strings: + $a0 = { 1E BA ?? ?? 8E DA 8B ?? ?? ?? 8B ?? ?? ?? FF ?? ?? ?? 50 53 } + +condition: + $a0 at pe.entry_point +} + + +rule CodeCryptv0164 +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F EB 03 FF 1D 34 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXHiT001DJSiba +{ + meta: + author="malware-lu" +strings: + $a0 = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule PseudoSigner01ASProtectAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 } + +condition: + $a0 at pe.entry_point +} + + +rule PocketPCARM +{ + meta: + author="malware-lu" +strings: + $a0 = { F0 40 2D E9 00 40 A0 E1 01 50 A0 E1 02 60 A0 E1 03 70 A0 E1 ?? 00 00 EB 07 30 A0 E1 06 20 A0 E1 05 10 A0 E1 04 00 A0 E1 ?? ?? ?? EB F0 40 BD E8 ?? 00 00 EA ?? 40 2D E9 ?? ?? 9F E5 ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 9F E5 00 ?? ?? ?? ?? 
00 } + +condition: + $a0 at pe.entry_point +} + + +rule AnskyaBinderv11Anskya +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? ?? 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11 } + +condition: + $a0 at pe.entry_point +} + + +rule VProtectorV10Bvcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 } + +condition: + $a0 at pe.entry_point +} + + +rule SecurePE1Xwwwdeepzoneorg +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 04 24 E8 00 00 00 00 5D 81 ED 4C 2F 40 00 89 85 61 2F 40 00 8D 9D 65 2F 40 00 53 C3 00 00 00 00 8D B5 BA 2F 40 00 8B FE BB 65 2F 40 00 B9 C6 01 00 00 AD 2B C3 C1 C0 03 33 C3 AB 43 81 FB 8E 2F 40 00 75 05 BB 65 2F 40 00 E2 E7 89 AD 1A 31 40 00 89 AD 55 34 40 00 89 AD 68 34 40 00 8D 85 BA 2F 40 00 50 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule yPv10bbyAshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 4C 32 40 00 E8 03 00 00 00 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 00 00 00 90 EB 01 C2 E8 03 00 00 00 EB 01 ?? AC ?? ?? ?? ?? ?? ?? ?? 
EB 01 E8 } + +condition: + $a0 +} + + +rule MSLRHv031a +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F } + $a1 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F CA C0 C7 91 0F CB C1 D9 0C 86 F9 86 D7 D1 D9 EB 01 A5 EB 01 11 EB 01 1D 0F C1 C2 0F CB 0F C1 C2 EB 01 A1 C0 E9 FD 0F C1 D1 EB 01 E3 0F CA 87 D9 EB 01 F3 0F CB 87 C2 0F C0 F9 D0 F7 EB 01 2F 0F C9 C0 DC C4 EB 01 35 0F CA D3 D1 86 C8 EB 01 01 0F C0 F5 87 C8 D0 DE EB 01 95 EB 01 E1 EB 01 FD EB 01 EC 87 D3 0F CB C1 DB 35 D3 E2 0F C8 86 E2 86 EC C1 FB 12 D2 EE 0F C9 D2 F6 0F CA 87 C3 C1 D3 B3 EB 01 BF D1 CB 87 C9 0F CA 0F C1 DB EB 01 44 C0 CA F2 0F C1 D1 0F CB EB 01 D3 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 } + +condition: + $a0 or $a1 at pe.entry_point +} + + +rule Upackv039finalDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 } + $a1 = { FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 
6A 27 59 F3 A5 FF 76 04 83 C8 FF } + +condition: + $a0 or $a1 +} + + +rule vprotector12vcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 } + $a1 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 00 00 00 8B 44 24 04 8B 00 3D 04 00 00 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00 00 00 00 74 F3 75 F1 EB 24 64 FF 35 00 00 00 00 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 00 00 9D 90 EB F4 64 89 25 00 00 00 00 EB E6 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 00 00 00 8B 5C 24 0C 8B A3 C4 00 00 00 64 8F 05 00 00 00 00 83 C4 04 EB 14 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C9 99 F7 F1 E9 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 E8 05 00 00 00 0F 01 EB 05 E8 EB FB 00 00 83 C4 04 E8 08 00 00 00 0F 01 83 C0 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule FakeNinjav28Spirit +{ + meta: + author="malware-lu" +strings: + $a0 = { BA ?? ?? ?? ?? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40 } + +condition: + $a0 +} + + +rule PECompactv133 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 00 80 40 ?? 90 90 01 85 9E 80 40 ?? BB E8 0E } + +condition: + $a0 at pe.entry_point +} + + +rule DragonArmorOrient +{ + meta: + author="malware-lu" +strings: + $a0 = { BF 4C ?? ?? 00 83 C9 FF 33 C0 68 34 ?? ?? 00 F2 AE F7 D1 49 51 68 4C ?? ?? 
00 E8 11 0A 00 00 83 C4 0C 68 4C ?? ?? 00 FF 15 00 ?? ?? 00 8B F0 BF 4C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 4C ?? ?? 00 8B D1 68 34 ?? ?? 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF 5C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 5C ?? ?? 00 E8 C0 09 00 00 8B 1D 04 ?? ?? 00 83 C4 0C 68 5C ?? ?? 00 56 FF D3 A3 D4 ?? ?? 00 BF 5C ?? ?? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 5C ?? ?? 00 8B D1 68 34 ?? ?? 00 C1 E9 02 F3 AB 8B CA 83 E1 } + +condition: + $a0 +} + + +rule ThemidaWinLicenseV1802OreansTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule SoftDefender1xRandyLi +{ + meta: + author="malware-lu" +strings: + $a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD 00 59 9C 50 74 0A 75 08 E8 59 C2 04 00 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 E6 01 00 00 03 C8 74 BD 75 BB E8 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PellesC2x4xDLLPelleOrinius +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 } + +condition: + $a0 at pe.entry_point +} + + +rule UPX290LZMADelphistubMarkusOberhumerLaszloMolnarJohnReiser +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 
56 83 C3 04 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackV119aPlib043ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 00 00 EB 0C 8B 85 38 04 00 00 89 85 3C 04 00 00 8D B5 60 04 00 00 8D 9D EB 02 00 00 33 FF E8 52 01 00 00 EB 1B 8B 85 3C 04 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 00 00 00 74 0E 83 BD 4C 04 00 00 00 74 05 E8 B8 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 D1 03 00 00 89 85 5C 04 00 00 5B FF B5 5C 04 00 00 56 FF D3 83 C4 08 8B B5 5C 04 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 E9 94 00 00 00 56 FF 95 C9 03 00 00 85 C0 0F 84 B4 00 00 00 89 85 54 04 00 00 8B C6 EB 5B 8B 85 58 04 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 58 04 00 00 C7 00 20 20 20 00 EB 06 FF B5 58 04 00 00 FF B5 54 04 00 00 FF 95 CD 03 00 00 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 00 00 EB 01 40 80 38 00 75 FA 40 89 85 58 04 00 00 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 80 3E 01 0F 85 63 FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 5C 04 00 00 FF 95 D5 03 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule VirogensPEShrinkerv014 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 55 E8 ?? ?? ?? ?? 87 D5 5D 60 87 D5 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 57 56 AD 0B C0 74 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtBorlandDelphiBorlandC +{ + meta: + author="malware-lu" +strings: + $a0 = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 } + $a1 = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 
18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 00 00 00 0B C7 5B 03 CB 8A 06 8A 16 E8 02 00 00 00 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 00 00 00 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80 } + $a2 = { EB 01 2E EB 02 A5 55 BB 80 ?? ?? 00 87 FE 8D 05 AA CE E0 63 EB 01 75 BA 5E CE E0 63 EB 02 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point +} + + +rule PseudoSigner01ACProtect109Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 02 00 00 90 90 90 04 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorV16dVaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv032BetaPatchDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 88 01 ?? ?? AD 50 ?? AD 91 F3 A5 } + +condition: + $a0 +} + + +rule Apex30alpha500mhz +{ + meta: + author="malware-lu" +strings: + $a0 = { 5F B9 14 00 00 00 51 BE 00 10 40 00 B9 00 ?? ?? 00 8A 07 30 06 46 E2 FB 47 59 E2 EA 68 ?? ?? ?? 00 C3 } + +condition: + $a0 +} + + +rule SimbiOZPoly21Extranger +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 50 8B C4 83 C0 04 C7 00 ?? ?? ?? ?? 
58 C3 90 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov184 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 E8 C1 40 00 68 F4 86 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov183 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 64 84 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov182 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 74 81 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov180 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 E8 C1 00 00 68 F4 86 00 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeSplitter13SplitMethodBillPrisonerTPOC +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5D 81 ED 08 12 40 00 E8 66 FE FF FF 55 50 8D 9D 81 11 40 00 53 8D 9D 21 11 40 00 53 6A 08 E8 76 FF FF FF 6A 40 68 00 30 00 00 68 00 01 00 00 6A 00 FF 95 89 11 40 00 89 85 61 10 40 00 50 68 00 01 00 00 FF 95 85 11 40 00 8D 85 65 10 40 00 50 FF B5 61 10 40 00 FF 95 8D 11 40 00 6A 00 68 80 00 00 00 6A 02 6A 00 ?? ?? ?? ?? 01 1F 00 FF B5 61 10 40 00 FF 95 91 11 40 00 89 85 72 10 40 00 6A 00 8D ?? ?? ?? ?? 00 50 FF B5 09 10 40 00 8D 85 F5 12 40 00 50 FF B5 72 10 40 00 FF 95 95 11 40 00 FF B5 72 10 40 00 FF 95 99 11 40 00 8D 85 0D 10 40 00 50 8D 85 1D 10 40 00 50 B9 07 00 00 00 6A 00 E2 FC } + $a1 = { E9 FE 01 00 00 ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 73 76 63 45 72 30 31 31 2E 74 6D 70 00 00 00 00 00 00 00 00 00 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8B 00 85 C0 0F 84 5F 02 00 00 8B 48 30 80 39 6B 74 07 80 39 4B 74 02 EB E7 80 79 0C 33 74 02 EB DF 8B 40 18 C3 } + +condition: + $a0 or $a1 at pe.entry_point +} + + +rule RJoiner12aVaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC 0C 01 00 00 8D 85 F4 FE FF FF 56 50 68 04 01 00 00 FF 15 0C 10 40 00 94 90 94 8D 85 F4 FE FF FF 50 FF 15 08 10 40 00 94 90 94 BE 00 20 40 00 94 90 94 83 3E FF 74 7D 53 57 33 DB 8D 7E 04 94 90 94 53 68 80 00 00 00 6A 02 53 6A 01 68 00 00 00 C0 57 FF 15 04 10 40 00 89 45 F8 94 90 94 8B 06 8D 74 06 04 94 90 94 8D 45 FC 53 50 8D 46 04 FF 36 50 FF 75 F8 FF 15 00 10 40 00 94 90 94 FF 75 F8 FF 15 10 10 40 00 94 90 94 8D 85 F4 FE FF FF 6A 0A 50 53 57 68 20 10 40 00 53 FF 15 18 10 40 00 94 90 94 8B 06 8D 74 06 04 94 90 94 83 3E FF 75 89 5F 5B 33 C0 5E C9 C2 10 00 CC CC 24 11 } + +condition: + $a0 +} + + +rule VxVirusConstructorIVPbased +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? E8 ?? ?? 5D ?? ?? ?? ?? ?? 81 ED ?? ?? ?? ?? ?? ?? E8 ?? ?? 81 FC ?? ?? ?? ?? 8D ?? ?? ?? BF ?? ?? 57 A4 A5 } + +condition: + $a0 at pe.entry_point +} + + +rule EncryptPE12003518WFS +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv168v184 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 
33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 7B 11 } + +condition: + $a0 at pe.entry_point +} + + +rule SDProtectorProEdition116RandyLi +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 18 33 C0 89 41 04 89 41 } + $a1 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 18 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 90 90 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 93 03 00 00 03 C8 74 C4 75 C2 E8 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule Reg2Exe222223byJanVorel +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 00 E8 2F 1E 00 00 A3 C4 35 40 00 E8 2B 1E 00 00 6A 0A 50 6A 00 FF 35 C4 35 40 00 E8 07 00 00 00 50 E8 1B 1E 00 00 CC 68 48 00 00 00 68 00 00 00 00 68 C8 35 40 00 E8 76 16 00 00 83 C4 0C 8B 44 24 04 A3 CC 35 40 00 68 00 00 00 00 68 A0 0F 00 00 68 00 00 00 00 E8 EC 1D 00 00 A3 C8 35 40 00 E8 62 1D 00 00 E8 92 1A 00 00 E8 80 16 00 00 E8 13 14 00 00 68 01 00 00 00 68 08 36 40 00 68 00 00 00 00 8B 15 08 36 40 00 E8 71 3F 00 00 B8 00 00 10 00 BB 01 00 00 00 E8 82 3F 00 00 FF 35 48 31 40 00 B8 00 01 00 00 E8 0D 13 00 00 8D 0D EC 35 40 00 5A E8 F2 13 00 00 68 00 01 00 00 FF 35 EC 35 40 00 E8 84 1D 00 00 A3 F4 35 40 
00 FF 35 48 31 40 00 FF 35 F4 35 40 00 FF 35 EC 35 40 00 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv120EngdulekxtBorlandDelphiMicrosoftVisualC +{ + meta: + author="malware-lu" +strings: + $a0 = { 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule CrunchPE: Packer PEiD +{ + meta: + author="malware-lu" + note="Added extra checks" +strings: + $a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 } + $b = { EB 10 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 5D 81 ED 18 ?? ?? ?? 8B C5 55 60 9C 2B 85 E9 06 ?? ?? 89 85 E1 06 ?? ?? FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24 03 00 00 89 85 D9 41 00 00 68 EC 49 7B 79 33 C0 50 E8 11 03 00 00 89 85 D1 41 00 00 E8 67 05 00 00 E9 56 05 00 00 51 52 53 33 C9 49 8B D1 33 C0 33 DB AC 32 C1 8A CD 8A EA 8A D6 B6 08 66 D1 EB 66 D1 D8 73 09 66 35 20 83 66 81 F3 B8 ED FE CE 75 EB 33 C8 33 D3 4F 75 D5 F7 D2 F7 D1 5B 8B C2 C1 C0 10 66 8B C1 5A 59 C3 68 03 02 00 00 E8 80 04 00 00 0F 82 A8 02 00 00 96 8B 44 24 04 0F C8 8B D0 25 0F 0F 0F 0F 33 D0 C1 C0 08 0B C2 8B D0 25 33 33 33 33 33 D0 C1 C0 04 0B C2 8B D0 25 55 55 55 55 33 D0 C1 C0 02 0B C2 } + +condition: + for any of ($*) : ( $ at pe.entry_point ) +} + + +rule CICompressv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 04 68 00 10 00 00 FF 35 9C 14 40 00 6A 00 FF 15 38 10 40 00 A3 FC 10 40 00 97 BE 00 20 40 00 E8 71 00 00 00 3B 05 9C 14 40 00 75 61 6A 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00 C0 68 94 10 40 00 FF 15 2C 10 40 00 A3 F8 10 40 00 6A 00 68 F4 10 40 00 FF 35 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeShieldv27b +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 40 85 06 
00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 87 DD 8B 85 E6 90 40 00 01 85 33 90 40 00 66 C7 85 30 90 40 00 90 90 01 85 DA 90 40 00 01 85 DE 90 40 00 01 85 E2 90 40 00 BB 7B 11 00 00 03 9D EA 90 40 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXInlinerv10byGPcH +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 } + +condition: + $a0 +} + + +rule PKLITEv114v120 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 09 BA ?? ?? CD 21 CD 20 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeToolsCOM2EXE +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5D 83 ED ?? 8C DA 2E 89 96 ?? ?? 83 C2 ?? 8E DA 8E C2 2E 01 96 ?? ?? 60 } + +condition: + $a0 at pe.entry_point +} + + +rule ThinstallEmbedded2545Jitit +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 F2 FF FF FF 50 68 ?? ?? ?? ?? 
68 40 1B 00 00 E8 42 FF FF FF E9 9D FF FF FF 00 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VxARCV4 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 5D 81 ED 06 01 81 FC 4F 50 74 0B 8D B6 86 01 BF 00 01 57 A4 EB 11 1E 06 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillo3X5XSiliconRealmsToolworks +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 60 33 C9 75 02 EB 15 EB 33 } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakePESHiELD025emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 2B 00 00 00 0D 0A 0D 0A 0D 0A 52 65 67 69 73 74 41 72 65 64 20 74 6F 3A 20 4E 4F 4E 2D 43 4F 4D 4D 45 52 43 49 41 4C 21 21 0D 0A 0D 0A 0D 00 58 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov252beta2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? B0 ?? ?? ?? ?? 68 60 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF ?? ?? ?? 
15 24 } + +condition: + $a0 at pe.entry_point +} + + +rule CipherWallSelfExtratorDecryptorConsolev15 +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 0B 6E 5B 9B 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 } + +condition: + $a0 at pe.entry_point +} + + +rule PCShrinkerv029 +{ + meta: + author="malware-lu" +strings: + $a0 = { BD ?? ?? ?? ?? 01 AD 55 39 40 ?? 8D B5 35 39 40 } + +condition: + $a0 at pe.entry_point +} + + +rule NsPacKV33LiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 00 74 } + +condition: + $a0 at pe.entry_point +} + + +rule CopyMinderMicrocosmLtd +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 25 ?? ?? ?? ?? EF 6A 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? CC FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 ?? ?? ?? ?? FF 25 } + +condition: + $a0 at pe.entry_point +} + + +rule Crunchv5BitArts +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 15 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 1D 00 00 00 8B C5 55 60 9C 2B 85 FC 07 00 00 89 85 E8 07 00 00 FF 74 24 2C E8 20 02 00 00 0F 82 94 06 00 00 E8 F3 04 00 00 49 0F 88 88 06 00 00 8B B5 E8 07 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PCShrinkerv020 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 E8 01 ?? ?? 60 01 AD B3 27 40 ?? 68 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillo500SiliconRealmsToolworks +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 E3 40 00 00 E9 16 FE FF FF 6A 0C 68 ?? ?? ?? ?? 
E8 44 15 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 36 13 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 C7 12 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 48 11 00 00 59 89 7D FC FF 75 08 E8 01 49 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 66 D3 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 AF F9 FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 EE 0F 00 00 59 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule SLVc0deProtector060SLVICU +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD } + +condition: + $a0 +} + + +rule Kryptonv03 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 0C 24 E9 C0 8D 01 ?? C1 3A 6E CA 5D 7E 79 6D B3 64 5A 71 EA } + +condition: + $a0 at pe.entry_point +} + + +rule CrackStopv101cStefanEsser1997 +{ + meta: + author="malware-lu" +strings: + $a0 = { B4 48 BB FF FF B9 EB 27 8B EC CD 21 FA FC } + +condition: + $a0 at pe.entry_point +} + + +rule Kryptonv05 +{ + meta: + author="malware-lu" +strings: + $a0 = { 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 71 44 ?? ?? 2B 85 64 60 ?? ?? EB 43 DF } + +condition: + $a0 at pe.entry_point +} + + +rule Kryptonv04 +{ + meta: + author="malware-lu" +strings: + $a0 = { 54 E8 ?? ?? ?? ?? 5D 8B C5 81 ED 61 34 ?? ?? 2B 85 60 37 ?? ?? 
83 E8 06 } + +condition: + $a0 at pe.entry_point +} + + +rule PassLock2000v10EngMoonlightSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 53 56 57 BB 00 50 40 00 66 2E F7 05 34 20 40 00 04 00 0F 85 98 00 00 00 E8 1F 01 00 00 C7 43 60 01 00 00 00 8D 83 E4 01 00 00 50 FF 15 F0 61 40 00 83 EC 44 C7 04 24 44 00 00 00 C7 44 24 2C 00 00 00 00 54 FF 15 E8 61 40 00 B8 0A 00 00 00 F7 44 24 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv029Betav031BetaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 88 01 ?? ?? AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3 } + +condition: + $a0 +} + + +rule AlexProtector10beta2byAlex +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 06 10 40 00 E8 24 00 00 00 EB 01 E9 8B 44 24 0C EB 03 EB 03 C7 EB FB E8 01 00 00 00 A8 83 C4 04 83 80 B8 00 00 00 02 33 C0 EB 01 E9 C3 58 83 C4 04 EB 03 EB 03 C7 EB FB E8 01 00 00 00 A8 83 C4 04 50 64 FF 35 00 00 00 00 64 89 25 } + +condition: + $a0 +} + + +rule MoleBoxv254Teggo +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 8B 4D F0 8B 11 89 15 ?? ?? ?? 00 8B 45 FC A3 ?? ?? ?? 00 5F 5E 8B E5 5D C3 CC CC CC E8 EB FB FF FF 58 E8 ?? 07 00 00 58 89 44 24 24 61 58 58 FF D0 E8 ?? ?? 00 00 6A 00 FF 15 ?? ?? ?? 00 CC CC CC CC CC CC CC CC CC CC CC CC CC CC } + +condition: + $a0 +} + +rule Obsidium1337ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? 
E8 23 27 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PESpinv03Engcyberbob +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 } + $a1 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PseudoSigner02PEPack099Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 11 00 00 00 5D 83 ED 06 80 BD E0 04 90 90 01 0F 84 F2 FF CC 0A } + +condition: + $a0 at pe.entry_point +} + + +rule VxVCL +{ + meta: + author="malware-lu" +strings: + $a0 = { AC B9 00 80 F2 AE B9 04 00 AC AE 75 ?? E2 FA 89 } + +condition: + $a0 at pe.entry_point +} + + +rule VterminalV10XLeiPeng +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 58 05 ?? ?? ?? ?? 
9C 50 C2 04 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PEEncrypt10Liwuyue +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 00 00 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 00 00 EB F1 89 45 FC E8 C8 FF FF FF 2D 0F 05 00 00 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89 5D EC 8B 41 18 8B C8 49 85 C9 72 5A 41 33 C0 8B D8 C1 E3 02 03 DA 8B 3B 03 3E 81 3F 47 65 74 50 75 40 8B DF 83 C3 04 81 3B 72 6F 63 41 75 33 8B DF 83 C3 08 81 3B 64 64 72 65 75 26 83 C7 0C 66 81 3F 73 73 } + +condition: + $a0 at pe.entry_point +} + + +rule InstallAnywhere61ZeroGSoftwareInc +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 } + $a1 = { 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule iLUCRYPTv4018exe +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B EC FA C7 ?? ?? ?? ?? 4C 4C C3 FB BF ?? ?? B8 ?? ?? 2E ?? ?? D1 C8 4F 81 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02ASProtectAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD } + +condition: + $a0 at pe.entry_point +} + + +rule EncryptPEV22006710WFS +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 } + $a1 = { 60 9C 64 FF 35 00 00 00 00 E8 73 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule Themida10xx18xxnocompressionOreansTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 } + $a1 = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB } + +condition: + $a0 or $a1 +} + + +rule StonesPEEncryptorv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 63 3A 40 ?? 2B 95 C2 3A 40 ?? 83 EA 0B 89 95 CB 3A 40 ?? 8D B5 CA 3A 40 ?? 
0F B6 36 } + +condition: + $a0 at pe.entry_point +} + + +rule PolyBoxDAnskya +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 33 C9 51 51 51 51 51 53 33 C0 55 68 84 2C 40 00 64 FF 30 64 89 20 C6 45 FF 00 B8 B8 46 40 00 BA 24 00 00 00 E8 8C F3 FF FF 6A 24 BA B8 46 40 00 8B 0D B0 46 40 00 A1 94 46 40 00 E8 71 FB FF FF 84 C0 0F 84 6E 01 00 00 8B 1D D0 46 40 00 8B C3 83 C0 24 03 05 D8 46 40 00 3B 05 B4 46 40 00 0F 85 51 01 00 00 8D 45 F4 BA B8 46 40 00 B9 10 00 00 00 E8 A2 EC FF FF 8B 45 F4 BA 9C 2C 40 00 E8 F1 ED FF FF } + +condition: + $a0 +} + + +rule Mew10execoder10NorthfoxHCC +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70 } + +condition: + $a0 at pe.entry_point +} + + +rule PECrypt102 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7 } + +condition: + $a0 at pe.entry_point +} + + +rule DIETv100d +{ + meta: + author="malware-lu" +strings: + $a0 = { FC 06 1E 0E 8C C8 01 ?? ?? ?? BA ?? ?? 03 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackV119LZMA430ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 00 00 EB 0C 8B 85 45 0B 00 00 89 85 49 0B 00 00 8D B5 6D 0B 00 00 8D 9D 2F 03 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 DA 0A 00 00 89 85 41 0B 00 00 E8 76 01 00 00 EB 20 60 8B 85 49 0B 00 00 FF B5 41 0B 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 00 00 00 74 0E 83 BD 59 0B 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 
6A 00 FF 95 DA 0A 00 00 89 85 69 0B 00 00 5B 60 FF B5 41 0B 00 00 56 FF B5 69 0B 00 00 FF D3 61 8B B5 69 0B 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 E9 98 00 00 00 56 FF 95 D2 0A 00 00 89 85 61 0B 00 00 85 C0 0F 84 C8 00 00 00 8B C6 EB 5F 8B 85 65 0B 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 65 0B 00 00 C7 00 20 20 20 00 EB 06 FF B5 65 0B 00 00 FF B5 61 0B 00 00 FF 95 D6 0A 00 00 85 C0 0F 84 87 00 00 00 89 07 83 C7 04 8B 85 65 0B 00 00 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 00 00 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 80 3E 01 0F 85 5F FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 69 0B 00 00 FF 95 DE 0A 00 00 68 00 40 00 00 68 00 20 0C 00 FF B5 41 0B 00 00 FF 95 DE 0A 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule ENIGMAProtectorV112SukhovVladimir +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 83 C5 FA 81 ED ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakeASPack212FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
90 FF E0 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB } + +condition: + $a0 at pe.entry_point +} + + +rule MacromediaWindowsFlashProjectorPlayerv50 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 44 56 FF 15 70 61 44 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C 3C 20 7E 08 8A 46 01 46 3C 20 7F F8 8A 06 84 C0 74 0C 3C 20 7F 08 8A 46 01 46 84 C0 75 F4 8D 44 24 04 C7 44 24 30 00 } + +condition: + $a0 at pe.entry_point +} + + +rule IDApplicationProtector12IDSecuritySuite +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED F2 0B 47 00 B9 19 22 47 00 81 E9 EA 0E 47 00 89 EA 81 C2 EA 0E 47 00 8D 3A 89 FE 31 C0 E9 D3 02 00 00 CC CC CC CC E9 CA 02 00 00 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 6F 66 74 57 61 72 65 50 72 6F 74 65 63 74 6F 72 5C } + +condition: + $a0 at pe.entry_point +} + + +rule WWPACKv305c4ExtractablePasswordchecking +{ + meta: + author="malware-lu" +strings: + $a0 = { 03 05 80 1A B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 } + +condition: + $a0 at pe.entry_point +} + + +rule HASPHLProtectionV1XAladdin +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 } + $a1 = { 55 8B EC 53 56 57 60 8B C4 A3 ?? ?? ?? ?? B8 ?? ?? ?? ?? 2B 05 ?? ?? ?? ?? A3 ?? ?? ?? ?? 83 3D ?? ?? ?? ?? 00 74 15 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 83 C4 04 E9 A5 00 00 00 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 8B 15 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule ASProtectv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 01 ?? ?? ?? 90 5D 81 ED ?? ?? ?? ?? BB ?? ?? ?? ?? 
03 DD 2B 9D } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectv11 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E9 ?? 04 ?? ?? E9 ?? ?? ?? ?? ?? ?? ?? EE } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov275a +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 68 ?? ?? ?? 68 D0 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner0132Lite003Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68 ?? ?? ?? ?? E9 } + +condition: + $a0 at pe.entry_point +} + + +rule VxDoom666 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? ?? 5E 83 EE ?? B8 CF 7B CD 21 3D CF 7B ?? ?? 0E 1F 81 C6 ?? ?? BF ?? ?? B9 ?? ?? FC F3 A4 06 1F 06 B8 ?? ?? 50 CB B4 48 BB 2C 00 CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule VxSpanz +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 5E 81 EE ?? ?? 8D 94 ?? ?? B4 1A CD 21 C7 84 } + +condition: + $a0 at pe.entry_point +} + + +rule BeRoEXEPackerv100DLLLZBRSBeRoFarbrausch +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 BE ?? ?? ?? ?? BF ?? ?? ?? ?? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ?? ?? ?? ?? 72 03 A4 EB F2 E8 ?? ?? ?? ?? 8D 51 FF E8 ?? ?? ?? ?? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33 } + +condition: + $a0 at pe.entry_point +} + + +rule Pksmart10b +{ + meta: + author="malware-lu" +strings: + $a0 = { BA ?? ?? 8C C8 8B C8 03 C2 81 ?? ?? ?? 51 B9 ?? ?? 51 1E 8C D3 } + +condition: + $a0 at pe.entry_point +} + + +rule PELockv106 +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 4B 45 } + +condition: + $a0 at pe.entry_point +} + + +rule LaunchAnywherev4001 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 53 83 EC 48 55 B8 FF FF FF FF 50 50 68 E0 3E 42 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 68 C0 69 44 00 E8 E4 80 FF FF 59 E8 4E 29 00 00 E8 C9 0D 00 00 85 C0 75 08 6A FF E8 6E 2B 00 00 59 E8 A8 2C 00 00 E8 23 2E 00 00 FF 15 4C C2 44 00 89 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv033v034BetaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 59 F3 A5 83 C8 FF 8B DF AB 40 AB 40 } + +condition: + $a0 at pe.entry_point +} + + +rule GameGuardnProtect +{ + meta: + author="malware-lu" +strings: + $a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 00 00 00 80 7C 24 08 01 E9 00 00 00 00 60 BE ?? ?? ?? ?? 31 FF 74 06 61 E9 4A 4D 50 30 8D BE ?? ?? ?? ?? 31 C9 74 06 61 E9 4A 4D 50 30 B8 7D 00 00 00 39 C2 B8 4C 00 00 00 F7 D0 75 3F 64 A1 30 00 00 00 85 C0 78 23 8B 40 0C 8B 40 0C C7 40 20 00 10 00 00 64 A1 18 00 00 00 8B 40 30 0F B6 40 02 85 C0 75 16 E9 12 00 00 00 31 C0 64 A0 20 00 00 00 85 C0 75 05 E9 01 00 00 00 61 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 } + +condition: + $a0 at pe.entry_point +} + + +rule yodasProtectorV1032AshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 94 73 42 00 8B D5 81 C2 E3 73 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 
33 DB B9 BF A4 42 00 81 E9 8E 74 42 00 8B D5 81 C2 8E 74 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 63 29 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 } + +condition: + $a0 at pe.entry_point +} + + +rule nBinderv40 +{ + meta: + author="malware-lu" +strings: + $a0 = { 5C 6E 62 34 5F 74 6D 70 5F 30 31 33 32 34 35 34 33 35 30 5C 00 00 00 00 00 00 00 00 00 E9 55 43 4C FF 01 1A 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E 32 88 DB 0E A4 B8 DC 79 } + +condition: + $a0 +} + + +rule AnslymFUDCrypter +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A } + +condition: + $a0 at pe.entry_point +} + + +rule EPExEPackV10EliteCodingGroup +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 } + +condition: + $a0 at pe.entry_point +} + + +rule SimplePack12build3009Method2bagie +{ + meta: + author="malware-lu" +strings: + $a0 = { 4D 5A 90 EB 01 00 52 E9 86 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule WinZip32bitSFXv6xmodule +{ + meta: + author="malware-lu" +strings: + $a0 = { FF 15 ?? ?? ?? 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 38 08 74 06 40 80 38 00 75 F6 80 38 00 74 01 40 33 C9 ?? ?? ?? ?? FF 15 } + +condition: + $a0 at pe.entry_point +} + + +rule VxEinstein +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 42 CD 21 72 31 B9 6E 03 33 D2 B4 40 CD 21 72 19 3B C1 75 15 B8 00 42 } + +condition: + $a0 at pe.entry_point +} + + +rule VideoLanClient +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 08 ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule CrunchPEv10xx +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 80 BD ?? ?? ?? ?? ?? 75 09 C6 85 } + +condition: + $a0 at pe.entry_point +} + + +rule VxTravJack883 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB ?? 9C 9E 26 ?? ?? 51 04 ?? 7D ?? 00 ?? 2E ?? ?? ?? ?? 8C C8 8E C0 8E D8 80 ?? ?? ?? ?? 74 ?? 8A ?? ?? ?? BB ?? ?? 8A ?? 32 C2 88 ?? FE C2 43 81 } + +condition: + $a0 at pe.entry_point +} + + +rule RSCsProcessPatcherv151 +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 00 20 40 00 E8 C3 01 00 00 80 38 00 74 0D 66 81 78 FE 22 20 75 02 EB 03 40 EB EE 8B F8 B8 04 60 40 00 68 C4 20 40 00 68 D4 20 40 00 6A 00 6A 00 6A 04 6A 00 6A 00 6A 00 57 50 E8 9F 01 00 00 85 C0 0F 84 39 01 00 00 BE 00 60 40 00 8B 06 A3 28 21 40 00 83 } + +condition: + $a0 +} + + +rule kryptor9 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5E B9 ?? ?? ?? ?? 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9 } + +condition: + $a0 at pe.entry_point +} + + +rule SecuPackv15 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 CC 3A 40 ?? E8 E0 FC FF FF 33 C0 55 68 EA 3C 40 ?? 64 FF 30 64 89 20 6A ?? 68 80 ?? ?? ?? 6A 03 6A ?? 6A 01 ?? ?? ?? 80 } + +condition: + $a0 at pe.entry_point +} + + +rule kryptor5 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 ?? ?? ?? E9 EB 6C 58 40 FF E0 } + +condition: + $a0 at pe.entry_point +} + + +rule kryptor6 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 ?? ?? ?? 
E9 EB 68 58 33 D2 74 02 E9 E9 40 42 75 02 } + +condition: + $a0 at pe.entry_point +} + + +rule ACProtectV13Xrisco +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 50 E8 01 00 00 00 75 83 } + +condition: + $a0 at pe.entry_point +} + + +rule PELockNTv202c +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 C7 85 1E EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 02 CD } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02MinGWGCC2xAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 E8 02 00 00 00 C9 C3 90 90 45 58 45 } + +condition: + $a0 at pe.entry_point +} + + +rule FreeBASIC016b +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 ?? ?? ?? 00 E8 88 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 ?? ?? ?? 00 E8 68 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?? ?? ?? 00 89 EC 5D C3 8D 76 00 8D BC 27 00 00 00 00 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?? ?? ?? 00 89 EC 5D C3 90 90 90 90 90 90 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorv16bv16cVaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 } + $a1 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule FileShield: Packer PEiD +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 1E EB ?? 
90 00 00 8B D8 } + +condition: + $a0 at pe.entry_point +} + + +rule SDC12SelfDecryptingBinaryGeneratorbyClaesMNyberg +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 A0 91 40 00 E8 DB FE FF FF 55 89 E5 53 83 EC 14 8B 45 08 8B 00 8B 00 3D 91 00 00 C0 77 3B 3D 8D 00 00 C0 72 4B BB 01 00 00 00 C7 44 24 04 00 00 00 00 C7 04 24 08 00 00 00 E8 CE 24 00 00 83 F8 01 0F 84 C4 00 00 00 85 C0 0F 85 A9 00 00 00 31 C0 83 C4 14 5B 5D C2 04 00 3D 94 00 00 C0 74 56 3D 96 00 00 C0 74 1E 3D 93 00 00 C0 75 E1 EB B5 3D 05 00 00 C0 8D B4 26 00 00 00 00 74 43 3D 1D 00 00 C0 75 CA C7 44 24 04 00 00 00 00 C7 04 24 04 00 00 00 E8 73 24 00 00 83 F8 01 0F 84 99 00 00 00 85 C0 74 A9 C7 04 24 04 00 00 00 FF D0 B8 FF FF FF FF EB 9B 31 DB 8D 74 26 00 E9 69 FF FF FF C7 44 24 04 00 00 00 00 C7 04 24 0B 00 00 00 E8 37 24 00 00 83 F8 01 74 7F 85 C0 0F 84 6D FF FF FF C7 04 24 0B 00 00 00 8D 76 00 FF D0 B8 FF FF FF FF E9 59 FF FF FF C7 04 24 08 00 00 00 FF D0 B8 FF FF FF FF E9 46 FF FF FF C7 44 24 04 01 00 00 00 C7 04 24 08 00 00 00 E8 ED 23 00 00 B8 FF FF FF FF 85 DB 0F 84 25 FF FF FF E8 DB 15 00 00 B8 FF FF FF FF E9 16 FF FF FF C7 44 24 04 01 00 00 00 C7 04 24 04 00 00 00 E8 BD 23 00 00 B8 FF FF FF FF E9 F8 FE FF FF C7 44 24 04 01 00 00 00 C7 04 24 0B 00 00 00 E8 9F 23 00 00 B8 FF FF FF FF E9 DA FE FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule PKLITEv1501 +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 ?? BA ?? ?? CD 21 B8 ?? ?? CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule Inbuildv10hard +{ + meta: + author="malware-lu" +strings: + $a0 = { B9 ?? ?? BB ?? ?? 2E ?? ?? 2E ?? ?? 
43 E2 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeShieldvxx +{ + meta: + author="malware-lu" +strings: + $a0 = { 65 78 65 73 68 6C 2E 64 6C 6C C0 5D 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorv20Vaska +{ + meta: + author="malware-lu" +strings: + $a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ?? 02 00 00 F7 D1 83 F1 FF 59 BA 32 21 ?? 00 F7 D1 83 F1 FF F7 D1 83 F1 FF 80 02 E3 F7 D1 83 F1 FF C0 0A 05 F7 D1 83 F1 FF 80 02 6F F7 D1 83 F1 FF 80 32 A4 F7 D1 83 F1 FF 80 02 2D F7 D1 83 F1 FF 42 49 85 C9 75 CD 1C 4F 8D 5B FD 62 1E 1C 4F 8D 5B FD 4D 9D B9 ?? ?? ?? 1E 1C 4F 8D 5B FD 22 1C 4F 8D 5B FD 8E A2 B9 B9 E2 83 DB E2 E5 4D CD 1E BF 60 AB 1F 4D DB 1E 1E 3D 1E 92 1B 8E DC 7D EC A4 E2 4D E5 20 C6 CC B2 8E EC 2D 7D DC 1C 4F 8D 5B FD 83 56 8E E0 3A 7D D0 8E 9D 6E 7D D6 4D 25 06 C2 AB 20 CC 3A 4D 2D 9D 6B 0B 81 45 CC 18 4D 2D 1F A1 A1 6B C2 CC F7 E2 4D 2D 9E 8B 8B CC DE 2E 2D F7 1E AB 7D 45 92 30 8E E6 B9 7D D6 8E 9D 27 DA FD FD 1E 1E 8E DF B8 7D CF 8E A3 4D 7D DC 1C 4F 8D 5B FD 33 D7 1E 1E 1E A6 0B 41 A1 A6 42 61 6B 41 6B 4C 45 1E 21 F6 26 BC E2 62 1E 62 1E 62 1E 23 63 59 ?? 1E 62 1E 62 1E 33 D7 1E 1E 1E 85 6B C2 41 AB C2 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 20 33 9E 1E 1E 1E 85 A2 0B 8B C2 27 41 EB A1 A2 C2 1E C0 FD F0 FD 30 62 1E 33 7E 1E 1E 1E C6 2D 42 AB 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 C0 FD F0 8E 1D 1C 4F 8D 5B FD E0 00 33 5E 1E 1E 1E BF 0B EC C2 E6 42 A2 C2 45 1E C0 FD F0 FD 30 CE 36 CC F2 1C 4F 8D 5B FD } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv125 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? 
F3 0D } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorv1Vaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68 } + $a1 = { 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PECompactv122 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 ?? 70 40 ?? 90 90 01 85 9E 70 40 ?? BB F3 08 } + +condition: + $a0 at pe.entry_point +} + + +rule Packmanv10BrandonLaCombe +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA 8B E8 C6 06 E9 8B 43 0C 89 46 01 6A 04 68 00 10 00 00 FF 73 08 51 FF 55 08 8B } + +condition: + $a0 at pe.entry_point +} + + +rule SpecialEXEPaswordProtectorV101EngPavolCerven +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E } + +condition: + $a0 at pe.entry_point +} + + +rule ExeSmashervxx +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C FE 03 ?? 60 BE ?? ?? 41 ?? 8D BE ?? 10 FF FF 57 83 CD FF EB 10 } + +condition: + $a0 at pe.entry_point +} + + +rule PEArmor046ChinaCrackingGroup +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 AA 00 00 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 3D ?? ?? 00 2D ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B ?? ?? 00 5C ?? ?? 00 6F ?? ?? 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 } + +condition: + $a0 at pe.entry_point +} + + +rule VMProtect106107PolyTech +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? 
FC 89 F3 03 34 24 AC 00 D8 } + +condition: + $a0 +} + + +rule USSR031bySpirit +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5D 83 C5 12 55 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 8C C9 30 C9 E3 01 C3 BE 32 ?? ?? ?? B0 ?? 30 06 8A 06 46 81 FE 00 ?? ?? ?? 7C F3 } + +condition: + $a0 +} + + +rule PeCompact253DLLSlimLoaderBitSumTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 32 00 00 08 0C 00 48 E1 01 56 57 53 55 8B 5C 24 1C 85 DB 0F 84 AB 21 E8 BD 0E E6 60 0D 0B 6B 65 72 6E 6C 33 32 } + +condition: + $a0 at pe.entry_point +} + + +rule LameCryptv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 66 9C BB ?? ?? ?? ?? 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 } + +condition: + $a0 at pe.entry_point +} + + +rule Cygwin32: Packer PEiD +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 04 83 3D } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectv123RC4build0807exeAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule Armadillov210b2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 18 12 41 00 68 24 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov190 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 10 F2 40 00 68 64 9A 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule eXPressorProtection150XCGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 68 EB 01 ?? ?? ?? ?? 83 EC 0C 53 56 57 EB 01 ?? 83 3D ?? ?? ?? ?? 
00 74 08 EB 01 E9 E9 56 01 00 00 EB 02 E8 E9 C7 05 ?? ?? ?? ?? 01 00 00 00 EB 01 C2 E8 E2 05 00 00 EB 02 DA 9F 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF D0 59 59 EB 01 C8 EB 02 66 F0 68 ?? ?? ?? ?? E8 0E 05 00 00 59 EB 01 DD 83 65 F4 00 EB 07 8B 45 F4 40 89 45 F4 83 7D F4 61 73 1F EB 02 DA 1A 8B 45 F4 0F ?? ?? ?? ?? ?? ?? 33 45 F4 8B 4D F4 88 ?? ?? ?? ?? ?? EB 01 EB EB } + +condition: + $a0 +} + + +rule VxNecropolis1963 +{ + meta: + author="malware-lu" +strings: + $a0 = { B4 30 CD 21 3C 03 ?? ?? B8 00 12 CD 2F 3C FF B8 ?? ?? ?? ?? B4 4A BB 40 01 CD 21 ?? ?? FA 0E 17 BC ?? ?? E8 ?? ?? FB A1 ?? ?? 0B C0 } + +condition: + $a0 at pe.entry_point +} + + +rule Shrinkv20 +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? 50 9C FC BE ?? ?? 8B FE 8C C8 05 ?? ?? 8E C0 06 57 B9 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02UPX06Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PESpinV071cyberbob +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E } + +condition: + $a0 at pe.entry_point +} + + +rule XHider10GlobaL +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 EC 33 C0 89 45 EC B8 54 20 44 44 E8 DF F8 FF FF 33 C0 55 68 08 21 44 44 64 FF 30 64 89 20 8D 55 EC B8 1C 21 44 44 E8 E0 F9 FF FF 8B 55 EC B8 40 ?? ?? 44 E8 8B F5 FF FF 6A 00 6A 00 6A 02 6A 00 6A 01 68 00 00 00 40 A1 40 ?? ?? 44 E8 7E F6 FF FF 50 E8 4C F9 FF FF 6A 00 50 E8 4C F9 FF FF A3 28 ?? ?? 
44 E8 CE FE FF FF 33 C0 5A 59 59 64 89 10 68 0F 21 44 44 8D 45 EC E8 F1 F4 FF FF C3 E9 BB F2 FF FF EB F0 E8 FC F3 FF FF FF FF FF FF 0E 00 00 00 63 3A 5C 30 30 30 30 30 30 31 2E 64 61 74 00 } + $a1 = { 85 D2 74 23 8B 4A F8 41 7F 1A 50 52 8B 42 FC E8 30 00 00 00 89 C2 58 52 8B 48 FC E8 48 FB FF FF 5A 58 EB 03 FF 42 F8 87 10 85 D2 74 13 8B 4A F8 49 7C 0D FF 4A F8 75 08 8D 42 F8 E8 5C FA FF FF C3 8D 40 00 85 C0 7E 24 50 83 C0 0A 83 E0 FE 50 E8 2F FA FF FF 5A 66 C7 44 02 FE 00 00 83 C0 08 5A 89 50 FC C7 40 F8 01 00 00 00 C3 31 C0 C3 90 } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule PseudoSigner01MicrosoftVisualC70DLLAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8D 6C 01 00 81 EC 00 00 00 00 8B 45 90 83 F8 01 56 0F 84 00 00 00 00 85 C0 0F 84 ?? ?? ?? ?? E9 } + +condition: + $a0 at pe.entry_point +} + + +rule EXEShieldV05Smoke +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 } + $a1 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 00 00 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule UnnamedScrambler25Ap0ke +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B9 0B 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 6C 3E 40 00 E8 F7 EA FF FF 33 C0 55 68 60 44 40 00 64 FF 30 64 89 20 BA 70 44 40 00 B8 B8 6C 40 00 E8 62 F3 
FF FF 8B D8 85 DB 75 07 6A 00 E8 A1 EB FF FF BA E8 64 40 00 8B C3 8B 0D B8 6C 40 00 E8 37 D3 FF FF C7 05 BC 6C 40 00 0A 00 00 00 BB 68 6C 40 00 BE 90 6C 40 00 BF E8 64 40 00 B8 C0 6C 40 00 BA 04 00 00 00 E8 07 EC FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 09 F3 FF FF 89 03 83 3B 00 0F 84 BB 04 00 00 B8 C0 6C 40 00 8B 16 E8 06 E2 FF FF B8 C0 6C 40 00 E8 24 E1 FF FF 8B D0 8B 03 8B 0E E8 D1 D2 FF FF 8B C7 A3 20 6E 40 00 8D 55 EC 33 C0 E8 0C D4 FF FF 8B 45 EC B9 1C 6E 40 00 BA 18 6E 40 00 } + +condition: + $a0 +} + + +rule Armadillov177 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 B0 71 40 00 68 6C 37 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule VxTrivial25 +{ + meta: + author="malware-lu" +strings: + $a0 = { B4 4E FE C6 CD 21 B8 ?? 3D BA ?? 00 CD 21 93 B4 40 CD } + +condition: + $a0 at pe.entry_point +} + +// 20150909 - Issue #39 - Commented because of High FP rate +/* +rule Armadillov171 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 } + +condition: + $a0 at pe.entry_point +} +*/ + +rule KBySV022shoooo +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? ?? ?? E8 01 00 00 00 C3 C3 11 55 07 8B EC B8 ?? ?? ?? ?? E8 } + +condition: + $a0 at pe.entry_point +} + + +rule InnoSetupModule +{ + meta: + author="malware-lu" +strings: + $a0 = { 49 6E 6E 6F 53 65 74 75 70 4C 64 72 57 69 6E 64 6F 77 00 00 53 54 41 54 49 43 } + $a1 = { 55 8B EC 83 C4 ?? 53 56 57 33 C0 89 45 F0 89 45 ?? 89 45 ?? E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF E8 ?? ?? FF FF } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule piritv15 +{ + meta: + author="malware-lu" +strings: + $a0 = { 5B 24 55 50 44 FB 32 2E 31 5D } + +condition: + $a0 at pe.entry_point +} + + +rule SoftSentryv30 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 EC ?? 
53 56 57 E9 B0 06 } + +condition: + $a0 at pe.entry_point +} + + +rule EncryptPEV22007411WFS +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C 64 FF 35 00 00 00 00 E8 1B 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 54 65 6D 70 50 61 74 68 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov19x +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 98 ?? ?? ?? 68 10 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov285 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 68 ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?? ?? ?? 33 D2 8A D4 89 15 24 } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectvxx +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 ?? ?? ?? ?? ?? 90 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 DD } + +condition: + $a0 at pe.entry_point +} + + +rule ExeShieldv17 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 90 1F 06 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 } + +condition: + $a0 at pe.entry_point +} + + +rule Splasherv10v30 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 8B 44 24 24 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 
50 E8 ED 02 ?? ?? 8C C0 0F 84 } + +condition: + $a0 at pe.entry_point +} + + +rule FreeCryptor01build002GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 04 24 40 90 83 C0 07 80 38 90 90 74 02 EB FF 90 68 27 ?? ?? 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 FF E4 90 8B 04 24 64 A3 00 00 00 00 8B 64 24 08 90 83 C4 08 } + +condition: + $a0 +} + + +rule EXEShieldV06SMoKE +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 00 00 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 } + $a1 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 00 00 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PseudoSigner02MicrosoftVisualBasic5060Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? ?? ?? E8 0A 00 00 00 00 00 00 00 00 00 30 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPack118DllLZMA430ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 7C 24 08 01 0F 85 ?? 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 9F 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A 00 00 FF 34 37 FF 74 37 04 FF D3 61 83 C7 08 83 3C 37 00 75 E6 83 BD 0D 0B 00 00 00 74 0E 83 BD 11 0B 00 00 00 74 05 E8 F6 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? 
FF 95 AA 0A 00 00 89 85 1D 0B 00 00 5B 60 FF B5 F9 0A 00 00 56 FF B5 1D 0B 00 00 FF D3 61 8B B5 1D 0B 00 00 8B C6 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule PKLITEv100v103 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? BA ?? ?? 8C DB 03 D8 3B } + +condition: + $a0 at pe.entry_point +} + + +rule Shrinkerv34 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 3D B4 ?? ?? ?? ?? 55 8B EC 56 57 75 6B 68 00 01 00 00 E8 ?? 0B 00 00 83 C4 04 8B 75 08 A3 B4 ?? ?? ?? 85 F6 74 23 83 7D 0C 03 77 1D 68 FF } + $a1 = { BB ?? ?? BA ?? ?? 81 C3 07 00 B8 40 B4 B1 04 D3 E8 03 C3 8C D9 49 8E C1 26 03 0E 03 00 2B } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule Shrinkerv32 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 3D ?? ?? ?? ?? ?? 55 8B EC 56 57 75 65 68 00 01 ?? ?? E8 ?? E6 FF FF 83 C4 04 8B 75 08 A3 ?? ?? ?? ?? 85 F6 74 1D 68 FF } + +condition: + $a0 at pe.entry_point +} + + +rule Shrinkerv33 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 3D ?? ?? ?? 00 00 55 8B EC 56 57 75 65 68 00 01 00 00 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01JDPack1xJDProtect09Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 22 00 00 00 5D 8B D5 81 ED 90 90 90 90 2B 95 90 90 90 90 81 EA 06 90 90 90 89 95 90 90 90 90 83 BD 45 00 01 00 01 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule Upack024027beta028alphaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 88 01 40 00 AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? 
B3 00 8D 1C 5B 8D 9C 9D 0C 10 00 00 B0 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01LocklessIntroPackAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 2C E8 EB 1A 90 90 5D 8B C5 81 ED F6 73 90 90 2B 85 90 90 90 90 83 E8 06 89 85 FF 01 EC AD E9 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov250b3 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 B8 ?? ?? ?? 68 F8 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?? ?? ?? 33 D2 8A D4 89 15 D0 } + +condition: + $a0 at pe.entry_point +} + + +rule PEBundlev02v20x +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 6A 04 68 ?? 10 ?? ?? 68 ?? 02 ?? ?? 6A ?? FF 95 } + +condition: + $a0 at pe.entry_point +} + + +rule SoftProtectwwwsoftprotectbyru +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? C7 00 00 00 00 00 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? 01 } + +condition: + $a0 at pe.entry_point +} + + +rule NTPackerV2XErazerZ +{ + meta: + author="malware-lu" +strings: + $a0 = { 4B 57 69 6E 64 6F 77 73 00 10 55 54 79 70 65 73 00 00 3F 75 6E 74 4D 61 69 6E 46 75 6E 63 74 69 6F 6E 73 00 00 47 75 6E 74 42 79 70 61 73 73 00 00 B7 61 50 4C 69 62 75 00 00 00 } + +condition: + $a0 +} + + +rule SiliconRealmsInstallStub +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? 92 40 00 68 ?? ?? 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 ?? ?? 40 00 33 D2 8A D4 89 15 ?? ?? 40 00 8B C8 81 E1 FF 00 00 00 89 0D ?? ?? 40 00 C1 E1 08 03 CA 89 0D ?? ?? 40 00 C1 E8 10 A3 } + +condition: + $a0 +} + + +rule Armadillov430v440SiliconRealmsToolworks +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 40 ?? ?? 00 68 80 ?? ?? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 ?? 
?? 00 33 D2 8A D4 89 15 30 ?? ?? 00 8B C8 81 E1 FF 00 00 00 89 0D 2C ?? ?? 00 C1 E1 08 03 CA 89 0D 28 ?? ?? 00 C1 E8 10 A3 24 } + $a1 = { 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule MoleBoxv20 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? ?? ?? 60 E8 4F } + +condition: + $a0 +} + + +rule FucknJoyv10cUsAr +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 00 00 0B C0 0F 84 2C 01 00 00 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 00 00 0B C0 0F 84 0C 01 00 00 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 00 } + $a1 = { 60 E8 00 00 00 00 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 00 00 0B C0 0F 84 2C 01 00 00 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 00 00 0B C0 0F 84 0C 01 00 00 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 00 00 0B C0 0F 84 EC 00 00 00 89 85 4D 08 40 00 8D 85 51 08 40 00 50 FF B5 6C 08 40 00 E8 AF 02 00 00 0B C0 0F 84 CC 00 00 00 89 85 5C 08 40 00 8D 85 67 07 40 00 E8 7B 02 00 00 8D B5 C4 07 40 00 56 6A 64 FF 95 74 07 40 00 46 80 3E 00 75 FA C7 06 74 6D 70 2E 83 C6 04 C7 06 65 78 65 00 8D 85 36 07 40 00 E8 4C 02 00 00 33 DB 53 53 6A 02 53 53 68 00 00 00 40 8D 85 C4 07 40 00 50 FF 95 74 07 40 00 89 85 78 07 40 00 8D 85 51 07 40 00 E8 21 02 00 00 6A 00 8D 85 7C 07 40 00 50 68 00 ?? ?? 
00 8D 85 F2 09 40 00 50 FF } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PseudoSigner02VideoLanClientAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 08 90 90 90 90 90 90 90 90 90 90 90 90 90 90 01 FF FF 01 01 01 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 00 01 00 01 90 90 00 01 } + +condition: + $a0 at pe.entry_point +} + + +rule SoftWrap +{ + meta: + author="malware-lu" +strings: + $a0 = { 52 53 51 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 36 ?? ?? ?? E8 ?? 01 ?? ?? 60 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 5F } + +condition: + $a0 at pe.entry_point +} + + +rule AI1Creator1Beta2byMZ +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 FE FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 } + +condition: + $a0 +} + + +rule JAMv211 +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 06 16 07 BE ?? ?? 8B FE B9 ?? ?? FD FA F3 2E A5 FB 06 BD ?? ?? 55 CB } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv0978 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 24 88 40 ?? 
87 DD 8B 85 A9 88 } + +condition: + $a0 at pe.entry_point +} + + +rule Setup2GoInstallerStub +{ + meta: + author="malware-lu" +strings: + $a0 = { 5B 53 45 54 55 50 5F 49 4E 46 4F 5D 0D 0A 56 65 72 } + +condition: + $a0 +} + + +rule themida1005httpwwworeanscom +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 } + +condition: + $a0 at pe.entry_point +} + + +rule yodasProtectorv1033exescrcomAshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8E 00 00 00 E8 03 00 00 00 EB 01 ?? E8 81 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B7 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AA 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 } + +condition: + $a0 at pe.entry_point +} + + +rule ORiENv211DEMO +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 5D 01 00 00 CE D1 CE CE 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv0977 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB A0 86 40 ?? 
87 DD 8B 85 2A 87 } + +condition: + $a0 at pe.entry_point +} + + +rule PESpinv13betaCyberbob +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorv13bVaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 61 83 EF 4F 60 68 ?? ?? ?? ?? FF D7 } + $a1 = { 61 83 EF 4F 60 68 ?? ?? ?? ?? FF D7 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule mkfpackllydd +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5B 81 EB 05 00 00 00 8B 93 9F 08 00 00 53 6A 40 68 00 10 00 00 52 6A 00 FF 93 32 08 00 00 5B 8B F0 8B BB 9B 08 00 00 03 FB 56 57 E8 86 08 00 00 83 C4 08 8D 93 BB 08 00 00 52 53 FF E6 } + +condition: + $a0 +} + + +rule PESpinV03cyberbob +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 
2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02BorlandDelphiSetupModuleAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 90 53 56 57 33 C0 89 45 F0 89 45 D4 89 45 D0 E8 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PELOCKnt204 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 } + +condition: + $a0 at pe.entry_point +} + + +rule MacromediaWindowsFlashProjectorPlayerv60 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C } + +condition: + $a0 at pe.entry_point +} + + +rule IMPostorPack10MahdiHezavehi +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? ?? 00 83 C6 01 FF E6 00 00 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 ?? 02 ?? ?? 00 10 00 00 00 02 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PluginToExev102BoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A 40 FF 95 15 42 40 00 89 85 D5 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 15 42 40 00 89 47 1C C7 07 58 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PKLITEv120 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 ?? ?? 72 ?? B4 09 BA ?? ?? CD 21 B4 4C CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule PrivateexeProtectorV18SetiSoftTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 
00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 } + +condition: + $a0 +} + + +rule PENinjamodified +{ + meta: + author="malware-lu" +strings: + $a0 = { 5D 8B C5 81 ED B2 2C 40 00 2B 85 94 3E 40 00 2D 71 02 00 00 89 85 98 3E 40 00 0F B6 B5 9C 3E 40 00 8B FD } + +condition: + $a0 at pe.entry_point +} + + +rule DotFixNiceProtect21GPcHSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 FF 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 B8 ?? ?? ?? ?? 03 C5 50 B8 ?? ?? ?? ?? 03 C5 FF 10 BB ?? ?? ?? ?? 03 DD 83 C3 0C 53 50 B8 ?? ?? ?? ?? 03 C5 FF 10 6A 40 68 00 10 00 00 FF 74 24 2C 6A 00 FF D0 89 44 24 1C 61 C3 } + +condition: + $a0 +} + + +rule EXEStealthv276WebToolMaster +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 65 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 59 4F 55 52 20 41 44 20 48 45 52 45 21 50 69 52 41 43 59 20 69 53 20 41 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor239DLLcompressedresources +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 68 ?? ?? ?? ?? 58 C1 C0 0F E9 ?? ?? ?? 00 87 04 24 58 89 45 FC E9 ?? ?? ?? FF FF 05 ?? ?? ?? ?? E9 ?? ?? ?? 00 C1 C3 18 E9 ?? ?? ?? ?? 8B 55 08 09 42 F8 E9 ?? ?? ?? FF 83 7D F0 01 0F 85 ?? ?? ?? ?? E9 ?? ?? ?? 00 87 34 24 5E 8B 45 FC 33 D2 56 8B F2 E9 ?? ?? ?? 00 BA ?? ?? ?? ?? E8 ?? ?? ?? 00 A3 ?? ?? ?? ?? C3 E9 ?? ?? ?? 00 C3 83 C4 04 C3 E9 ?? ?? ?? FF 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 E8 ?? ?? ?? 00 E9 ?? ?? ?? FF C1 C2 03 81 CA ?? ?? 
?? ?? 81 C2 ?? ?? ?? ?? 03 C2 5A E9 ?? ?? ?? FF 81 E7 ?? ?? ?? ?? 81 EF ?? ?? ?? ?? 81 C7 ?? ?? ?? ?? 89 07 E9 ?? ?? ?? ?? 0F 89 ?? ?? ?? ?? 87 14 24 5A 50 C1 C8 10 } + +condition: + $a0 at pe.entry_point +} + + +rule UnoPiX103110BaGiE +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 04 C7 04 24 00 ?? ?? ?? C3 00 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 ?? ?? 00 00 10 00 00 00 00 00 00 02 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 10 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv110b3 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 95 } + +condition: + $a0 at pe.entry_point +} + + +rule IonicWindSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 9B DB E3 9B DB E2 D9 2D 00 ?? ?? 00 55 89 E5 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule SimplePackV11XMethod2bagie +{ + meta: + author="malware-lu" +strings: + $a0 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 } + $a1 = { 4D 5A 90 EB 01 00 52 E9 89 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 
00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 } + +condition: + $a0 or $a1 +} + + +rule PCGuardv500d +{ + meta: + author="malware-lu" +strings: + $a0 = { FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 30 D2 40 00 EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 00 00 00 83 EB 0E EB 01 0C } + +condition: + $a0 at pe.entry_point +} + + +rule PESHiELDv0251 +{ + meta: + author="malware-lu" +strings: + $a0 = { 5D 83 ED 06 EB 02 EA 04 8D } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackFullEdition117DLLaPLibAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 53 03 00 00 8D 9D 02 02 00 00 33 FF E8 ?? ?? ?? ?? EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv110b4 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 90 90 BB 44 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02PEX099Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 01 00 00 00 55 83 C4 04 E8 01 00 00 00 90 5D 81 FF FF FF 00 01 } + +condition: + $a0 at pe.entry_point +} + + +rule ThinstallVirtualizationSuite30XThinstallCompany +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 BA FE FF FF E9 ?? ?? ?? ?? CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA } + $a1 = { 9C 60 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 BA FE FF FF E9 ?? ?? ?? ?? 
CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA ?? ?? ?? ?? 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 ?? ?? ?? ?? E8 DF 00 00 00 73 1B 55 BD ?? ?? ?? ?? E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule NullsoftInstallSystemv20 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 0C 53 55 56 57 C7 44 24 10 70 92 40 00 33 DB C6 44 24 14 20 FF 15 2C 70 40 00 53 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 2D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00 } + +condition: + $a0 +} + + +rule SLVc0deProtectorv11SLV +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 58 C6 00 EB C6 40 01 08 FF E0 E9 4C } + $a1 = { E8 01 00 00 00 A0 5D EB 01 69 81 ED 5F 1A 40 00 8D 85 92 1A 40 00 F3 8D 95 83 1A 40 00 8B C0 8B D2 2B C2 83 E8 05 89 42 01 E8 FB FF FF FF 69 83 C4 08 E8 06 00 00 00 69 E8 F2 FF FF FF F3 B9 05 00 00 00 51 8D B5 BF 1A 40 00 8B FE B9 58 15 00 00 AC 32 C1 F6 } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule FreeJoinerSmallbuild031032GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 32 ?? 66 8B C3 58 E8 ?? 
FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule SLVc0deProtectorv06SLV +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 97 11 40 00 8D B5 EF 11 40 00 B9 FE 2D 00 00 8B FE AC F8 ?? ?? ?? ?? ?? ?? 90 } + +condition: + $a0 at pe.entry_point +} + + +rule PEArmor04600759hying +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 } + +condition: + $a0 +} + + +rule RpolycryptbyVaska2003071841 +{ + meta: + author="malware-lu" +strings: + $a0 = { 58 ?? ?? ?? ?? ?? ?? ?? E8 00 00 00 58 E8 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? 04 } + +condition: + $a0 +} + + +rule DBPEvxxxDingBoy +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 20 ?? ?? 40 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 9C 55 57 56 52 51 53 9C E8 ?? ?? ?? ?? 
5D 81 ED } + +condition: + $a0 at pe.entry_point +} + + +rule SoftwareCompressBGSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 BE 00 00 00 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 00 00 00 73 F6 33 C9 E8 64 00 00 00 73 1C 33 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 12 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 2B CB 75 10 E8 42 00 00 00 EB 28 AC D1 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule WWPACKv305c4UnextrPasswcheckVirshield +{ + meta: + author="malware-lu" +strings: + $a0 = { 03 05 C0 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv0399Dwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? 00 00 02 00 00 00 00 00 00 ?? 00 00 00 00 00 10 00 00 ?? 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? 00 14 00 00 00 00 ?? ?? 00 ?? ?? 00 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? 00 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? 00 ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 } + $a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 } + $a2 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 3A 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 10 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? 
00 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 99 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point +} + + +rule UPXModifiedstub +{ + meta: + author="malware-lu" +strings: + $a0 = { 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 84 ?? 00 00 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 88 ?? 00 00 61 E9 ?? ?? ?? FF } + +condition: + $a0 at pe.entry_point +} + + +rule Cryptic20Tughack +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 00 00 40 00 BB ?? ?? ?? 00 B9 00 10 00 00 BA ?? ?? ?? 00 03 D8 03 C8 03 D1 3B CA 74 06 80 31 ?? 41 EB F6 FF E3 } + +condition: + $a0 at pe.entry_point +} + + +rule KGBSFX +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE 00 A0 46 00 8D BE 00 70 F9 FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv20betaJeremyCollake +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 05 ?? ?? ?? ?? 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule DevCv4 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 08 83 C4 F4 6A ?? A1 ?? ?? ?? 00 FF D0 E8 ?? FF FF FF } + +condition: + $a0 +} + + +rule DevCv5 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 14 6A ?? FF 15 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 } + +condition: + $a0 +} + + +rule CRYPToCRACksPEProtectorV092LukasFleischer +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 01 00 00 00 E8 58 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 37 84 DB 75 33 8B F3 03 ?? ?? 81 3E 50 45 00 00 75 26 } + +condition: + $a0 at pe.entry_point +} + + +rule UpackV037Dwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 0B 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 18 10 00 00 10 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 02 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 14 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 } + $a1 = { 60 E8 09 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 C9 5E 87 0E } + $a2 = { BE ?? ?? ?? ?? AD 50 FF ?? ?? EB } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point +} + + +rule Obsidiumv13037ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 } + +condition: + $a0 at pe.entry_point +} + + +rule VxCompiler +{ + meta: + author="malware-lu" +strings: + $a0 = { 8C C3 83 C3 10 2E 01 1E ?? 02 2E 03 1E ?? 02 53 1E } + +condition: + $a0 at pe.entry_point +} + + +rule BJFntv13 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB ?? 3A ?? ?? 1E EB ?? CD 20 9C EB ?? CD 20 EB ?? 
CD 20 60 EB } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakePEtite21emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00 00 00 00 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule UPXShitv01500mhz +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 } + $a1 = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 } + $a2 = { E8 ?? ?? ?? ?? 5E 83 C6 ?? AD 89 C7 AD 89 C1 AD 30 07 47 E2 ?? AD FF E0 C3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point +} + + +rule PackmanV0001Bubbasoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 58 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 8D ?? ?? 48 } + +condition: + $a0 at pe.entry_point +} + + +rule DJoinv07publicxorencryptiondrmist +{ + meta: + author="malware-lu" +strings: + $a0 = { C6 05 ?? ?? 40 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? 
00 } + +condition: + $a0 at pe.entry_point +} + + +rule FreeJoinerSmallbuild033GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 66 33 C3 66 8B C1 58 E8 AC FD FF FF 6A 00 E8 0D 00 00 00 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule AnticrackSoftwareProtectorv109ACProtect +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 83 04 24 06 C3 ?? ?? ?? ?? ?? 00 } + +condition: + $a0 at pe.entry_point +} + + +rule UnderGroundCrypterbyBooster2000 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 B8 74 3C 00 11 E8 94 F9 FF FF E8 BF FE FF FF E8 0A F3 FF FF 8B C0 } + +condition: + $a0 +} + + +rule MicroJoiner16coban2k +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 C0 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B } + +condition: + $a0 at pe.entry_point +} + + +rule WiseInstallerStubv11010291 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC 40 0F 00 00 53 56 57 6A 04 FF 15 F4 30 40 00 FF 15 74 30 40 00 8A 08 89 45 E8 80 F9 22 75 48 8A 48 01 40 89 45 E8 33 F6 84 C9 74 0E 80 F9 22 74 09 8A 48 01 40 89 45 E8 EB EE 80 38 22 75 04 40 89 45 E8 80 38 20 75 09 40 80 38 20 74 FA 89 45 } + +condition: + $a0 at pe.entry_point +} + + +rule PrivateEXEProtector18 +{ + meta: + author="malware-lu" +strings: + $a0 = { BB DC EE 0D 76 D9 D0 8D 16 85 D8 90 D9 D0 } + +condition: + $a0 +} + + +rule SimpleUPXCryptorv3042005multilayerencryptionMANtiCORE +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 B8 ?? ?? ?? 00 B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 } + $a1 = { 60 B8 ?? ?? ?? ?? B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? ?? 
C3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule Themida1201compressedOreansTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 00 00 ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv155 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A2 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 9E 80 40 ?? BB 2D 12 } + +condition: + $a0 at pe.entry_point +} + + +rule PolyCryptPE214b215JLabSoftwareCreationshsigned +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 6F 6C 79 43 72 79 70 74 20 50 45 20 28 63 29 20 32 30 30 34 2D 32 30 30 35 2C 20 4A 4C 61 62 53 6F 66 74 77 61 72 65 2E 00 50 00 43 00 50 00 45 } + +condition: + $a0 +} + + +rule PECompactv156 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 90 40 ?? 87 DD 8B 85 A2 90 40 ?? 01 85 03 90 40 ?? 66 C7 85 ?? 90 40 ?? 90 90 01 85 9E 90 40 ?? BB 2D 12 } + +condition: + $a0 at pe.entry_point +} + + +rule PGMPACKv013 +{ + meta: + author="malware-lu" +strings: + $a0 = { FA 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ?? ?? BF ?? ?? E8 ?? ?? E8 ?? ?? BB ?? ?? BA ?? ?? 8A C3 8B F3 } + +condition: + $a0 at pe.entry_point +} + + +rule PGMPACKv014 +{ + meta: + author="malware-lu" +strings: + $a0 = { 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ?? ?? BF ?? ?? E8 ?? ?? E8 ?? ?? BB ?? ?? BA ?? ?? 
8A C3 8B F3 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner0232Lite003Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 06 FC 1E 07 BE 90 90 90 90 6A 04 68 90 10 90 90 68 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakePEtite22FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 B8 00 00 00 00 68 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 } + +condition: + $a0 at pe.entry_point +} + + +rule MEW10byNorthfox +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 } + +condition: + $a0 +} + + +rule theWRAPbyTronDoc +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 48 D2 4B 00 E8 BC 87 F4 FF BB 04 0B 4D 00 33 C0 55 68 E8 D5 4B 00 64 FF 30 64 89 20 E8 9C F4 FF FF E8 F7 FB FF FF 6A 40 8D 55 F0 A1 F0 ED 4B 00 8B 00 E8 42 2E F7 FF 8B 4D F0 B2 01 A1 F4 C2 40 00 E8 F7 20 F5 FF 8B F0 B2 01 A1 B4 C3 40 00 E8 F1 5B F4 FF 89 03 33 D2 8B 03 E8 42 1E F5 FF 66 B9 02 00 BA FC FF FF FF 8B C6 8B 38 FF 57 0C BA B8 A7 4D 00 B9 04 00 00 00 8B C6 8B 38 FF 57 04 83 3D B8 A7 4D 00 00 0F 84 5E 01 00 00 8B 15 B8 A7 4D 00 83 C2 04 F7 DA 66 B9 02 00 8B C6 8B 38 FF 57 0C 8B 0D B8 A7 4D 00 8B D6 8B 03 E8 2B 1F F5 FF 8B C6 E8 B4 5B F4 FF 33 D2 8B 03 E8 DF 1D F5 FF BA F0 44 4E 00 B9 01 00 00 00 8B 03 8B 30 FF 56 04 80 3D F0 44 4E 00 0A 75 3F BA B8 A7 4D 00 B9 04 00 00 00 8B 03 8B 30 FF 56 04 8B 15 B8 A7 } + +condition: + $a0 at pe.entry_point +} + + +rule Petitev211 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 } + +condition: + $a0 at pe.entry_point +} + + +rule Petitev212 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? 
?? ?? ?? ?? ?? 66 9C 60 50 } + +condition: + $a0 at pe.entry_point +} + + +rule MaskPEV20yzkzero +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 18 00 00 00 64 8B 18 83 C3 30 C3 40 3E 0F B6 00 C1 E0 ?? 83 C0 ?? 36 01 04 24 C3 } + +condition: + $a0 +} + + +rule PseudoSigner01Morphine12Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 06 00 90 90 90 90 90 90 90 90 EB 08 E8 90 00 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 51 66 90 90 90 59 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule EZIPv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 19 32 00 00 E9 7C 2A 00 00 E9 19 24 00 00 E9 FF 23 00 00 E9 1E 2E 00 00 E9 88 2E 00 00 E9 2C } + +condition: + $a0 at pe.entry_point +} + + +rule y0dasCrypterv12 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC } + +condition: + $a0 at pe.entry_point +} + + +rule ChinaProtectdummy +{ + meta: + author="malware-lu" +strings: + $a0 = { C3 E8 ?? ?? ?? ?? B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 B9 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 30 C3 56 8B ?? ?? ?? 6A 40 68 00 10 00 00 8D ?? ?? 50 6A 00 E8 ?? ?? ?? ?? 89 30 83 C0 04 5E C3 8B 44 ?? ?? 56 8D ?? ?? 68 00 40 00 00 FF 36 56 E8 ?? ?? ?? ?? 68 00 80 00 00 6A 00 56 E8 ?? ?? ?? ?? 5E C3 } + +condition: + $a0 +} + + +rule BopCryptv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BD ?? ?? ?? ?? E8 ?? ?? 
00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule MinkeV101Codius +{ + meta: + author="malware-lu" +strings: + $a0 = { 26 3D 4F 38 C2 82 37 B8 F3 24 42 03 17 9B 3A 83 01 00 00 CC 00 00 00 00 06 00 00 00 01 64 53 74 75 62 00 10 55 54 79 70 65 73 00 00 C7 53 79 73 74 65 6D 00 00 81 53 79 73 49 6E 69 74 00 0C 4B 57 69 6E 64 6F 77 73 00 00 8A 75 46 75 6E 63 74 69 6F 6E 73 } + +condition: + $a0 +} + + +rule PseudoSigner02BorlandDelphiDLLAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 B4 B8 90 90 90 90 E8 00 00 00 00 E8 00 00 00 00 8D 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule bambam004bedrock +{ + meta: + author="malware-lu" +strings: + $a0 = { BF ?? ?? ?? ?? 83 C9 FF 33 C0 68 ?? ?? ?? ?? F2 AE F7 D1 49 51 68 ?? ?? ?? ?? E8 11 0A 00 00 83 C4 0C 68 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B F0 BF ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 BF ?? ?? ?? ?? 8B D1 68 ?? ?? ?? ?? C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 ?? ?? ?? ?? E8 C0 09 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackFullEdition117DLLLZMAAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 5A 0A 00 00 8D 9D 40 02 00 00 33 FF E8 ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 EB 09 00 00 89 85 } + +condition: + $a0 at pe.entry_point +} + + +rule PEtitev22 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 } + +condition: + $a0 at pe.entry_point +} + + +rule PEtitev20 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 68 } + +condition: + $a0 at pe.entry_point +} + + +rule PEtitev21 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 
66 9C 60 50 } + +condition: + $a0 at pe.entry_point +} + + +rule ElicenseSystemV4000ViaTechInc +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 63 79 62 00 65 6C 69 63 65 6E 34 30 2E 64 6C 6C 00 00 00 00 } + +condition: + $a0 +} + + +rule VProtectorV10Build20041213testvcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 1A 89 40 00 68 56 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 } + +condition: + $a0 at pe.entry_point +} + + +rule Themida18xxOreansTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 } + $a1 = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule EXEJoinerv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 C6 00 5C 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule MicroJoiner11coban2k +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 0C 70 40 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01FSG10Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 68 ?? ?? ?? ?? 
67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B E9 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov200b2200b3 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 00 F2 40 00 68 C4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule RAZOR1911encruptor +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? BF ?? ?? 3B FC 72 ?? B4 4C CD 21 BE ?? ?? B9 ?? ?? FD F3 A5 FC } + +condition: + $a0 at pe.entry_point +} + + +rule tElock051tE +{ + meta: + author="malware-lu" +strings: + $a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 5E 8B FE 68 79 01 00 00 59 EB 01 EB AC 54 E8 03 00 00 00 5C EB 08 8D 64 24 04 FF 64 24 FC 6A 05 D0 2C 24 72 01 E8 01 24 24 5C F7 DC EB 02 CD 20 8D 64 24 FE F7 DC EB 02 CD 20 FE C8 E8 00 00 00 00 32 C1 EB 02 82 0D AA EB 03 82 0D 58 EB 02 1D 7A 49 EB 05 E8 01 00 00 00 7F AE 14 7E A0 77 76 75 74 } + +condition: + $a0 at pe.entry_point +} + + +rule SDProtectorBasicProEdition112RandyLi +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 53 00 00 00 51 8B 4C 24 10 89 81 B8 00 00 00 B8 55 01 00 00 89 41 20 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 90 90 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 00 00 00 FF 58 05 7B 03 00 00 03 C8 74 C4 75 C2 E8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E2 } + 
+condition: + $a0 at pe.entry_point +} + + +rule VxFaxFreeTopo +{ + meta: + author="malware-lu" +strings: + $a0 = { FA 06 33 C0 8E C0 B8 ?? ?? 26 ?? ?? ?? ?? 50 8C C8 26 ?? ?? ?? ?? 50 CC 58 9D 58 26 ?? ?? ?? ?? 58 26 ?? ?? ?? ?? 07 FB } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02MEW11SE10Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 } + +condition: + $a0 at pe.entry_point +} + + +rule Joinersignfrompinch250320072010 +{ + meta: + author="malware-lu" +strings: + $a0 = { 81 EC 04 01 00 00 8B F4 68 04 01 00 00 56 6A 00 E8 7C 01 00 00 33 C0 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 56 E8 50 01 00 00 8B D8 6A 00 6A 00 6A 00 6A 02 6A 00 53 E8 44 01 } + +condition: + $a0 at pe.entry_point +} + + +rule VxSK +{ + meta: + author="malware-lu" +strings: + $a0 = { CD 20 B8 03 00 CD 10 51 E8 00 00 5E 83 EE 09 } + +condition: + $a0 at pe.entry_point +} + + +rule PEStubOEPv1x +{ + meta: + author="malware-lu" +strings: + $a0 = { 40 48 BE 00 ?? ?? 00 40 48 60 33 C0 B8 ?? ?? ?? 00 FF E0 C3 C3 } + +condition: + $a0 +} + + +rule MoleBoxV23XMoleStudiocom +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 60 E8 4F 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VxHymn1865 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5E 83 EE 4C FC 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 ?? ?? ?? FB 3B ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? 50 06 56 1E 0E 1F B8 00 C5 CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule kkrunchyRyd +{ + meta: + author="malware-lu" +strings: + $a0 = { BD 08 ?? ?? 00 C7 45 00 ?? ?? ?? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?? ?? ?? 00 57 BE ?? ?? ?? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 00 00 00 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10 } + +condition: + $a0 at pe.entry_point +} + + +rule PECryptv100v101 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? ?? ?? 
5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB } + +condition: + $a0 at pe.entry_point +} + + +rule CERBERUSv20 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 2B ED 8C ?? ?? 8C ?? ?? FA E4 ?? 88 ?? ?? 16 07 BF ?? ?? 8E DD 9B F5 B9 ?? ?? FC F3 A5 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor2117StrongbitSoftCompleteDevelopment +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? ?? ?? B8 00 00 ?? ?? 89 45 FC 89 C2 8B 46 0C 09 C0 0F 84 ?? 00 00 00 01 D0 89 C3 50 FF 15 94 ?? ?? ?? 09 C0 0F 85 0F 00 00 00 53 FF 15 98 ?? ?? ?? 09 C0 0F 84 ?? 00 00 00 89 45 F8 6A 00 8F 45 F4 8B 06 09 C0 8B 55 FC 0F 85 03 00 00 00 8B 46 10 01 } + +condition: + $a0 +} + + +rule WWPACKv303 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 BB ?? ?? 53 } + +condition: + $a0 at pe.entry_point +} + + +rule GHFProtectorpackonlyGPcH +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 68 00 00 00 00 6A 40 FF D0 89 05 ?? ?? ?? ?? 89 C7 BE ?? ?? ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 61 B9 FC FF FF FF 8B 1C 08 89 99 ?? ?? ?? ?? E2 F5 90 90 BA ?? ?? ?? ?? BE ?? ?? ?? ?? 01 D6 8B 46 0C 85 C0 0F 84 87 00 00 00 01 D0 89 C3 50 B8 ?? ?? ?? ?? FF 10 85 C0 75 08 53 B8 ?? ?? ?? ?? FF 10 89 05 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 00 00 00 00 BA ?? ?? ?? ?? 8B 06 85 C0 75 03 8B 46 10 01 D0 03 05 ?? ?? ?? ?? 8B 18 8B 7E 10 01 D7 03 3D ?? ?? ?? ?? 85 DB 74 2B F7 C3 00 00 00 80 75 04 01 D3 43 43 81 E3 FF FF FF 0F 53 FF 35 ?? ?? ?? ?? 
B8 ?? ?? ?? ?? FF 10 89 07 83 05 ?? ?? ?? ?? 04 EB AE 83 C6 14 BA ?? ?? ?? ?? E9 6E FF FF FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 8B 15 ?? ?? ?? ?? 52 FF D0 61 BA ?? ?? ?? ?? FF E2 90 C3 } + $a1 = { 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10 68 ?? ?? ?? ?? 50 B8 ?? ?? ?? ?? FF 10 68 00 00 00 00 6A 40 FF D0 89 05 ?? ?? ?? ?? 89 C7 BE ?? ?? ?? ?? 60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule yzpackV11UsAr +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 33 C0 8D 48 07 50 E2 FD 8B EC 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 8D 40 7C 8B 40 3C 89 45 04 E8 F3 07 00 00 60 8B 5D 04 8B 73 3C 8B 74 33 78 03 F3 56 8B 76 20 03 F3 33 C9 49 92 41 AD 03 C3 52 33 FF 0F B6 10 38 F2 } + +condition: + $a0 at pe.entry_point +} + + +rule VxDanishtiny +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 C9 B4 4E CD 21 73 02 FF ?? BA ?? 00 B8 ?? 3D CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXV194MarkusOberhumerLaszloMolnarJohnReiser +{ + meta: + author="malware-lu" +strings: + $a0 = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 } + +condition: + $a0 +} + + +rule yzpack112UsAr +{ + meta: + author="malware-lu" +strings: + $a0 = { 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9 ?? ?? ?? ?? B4 09 BA 00 00 1F CD 21 B8 01 4C CD 21 40 00 00 00 50 45 00 00 4C 01 02 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 E0 00 ?? ?? 0B 01 ?? ?? ?? ?? 
00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02YodasProtector102Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 00 00 00 EB 01 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02PESHiELD025Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 2B 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 CC CC } + +condition: + $a0 at pe.entry_point +} + + +rule NsPacKV34V35LiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 01 0F 84 } + +condition: + $a0 at pe.entry_point +} + + +rule DualseXe10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC 00 05 00 00 E8 00 00 00 00 5D 81 ED 0E 00 00 00 8D 85 08 03 00 00 89 28 33 FF 8D 85 7D 02 00 00 8D 8D 08 03 00 00 2B C8 8B 9D 58 03 00 00 E8 1C 02 00 00 8D 9D 61 02 00 00 8D B5 7C 02 00 00 46 80 3E 00 74 24 56 FF 95 0A 04 00 00 46 80 3E 00 } + +condition: + $a0 at pe.entry_point +} + + +rule NoodleCryptv200EngNoodleSpa +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 9A E8 76 00 00 00 EB 01 9A E8 65 00 00 00 EB 01 9A E8 7D 00 00 00 EB 01 9A E8 55 00 00 00 EB 01 9A E8 43 04 00 00 EB 01 9A E8 E1 00 00 00 EB 01 9A E8 3D 00 00 00 EB 01 9A E8 EB 01 00 00 EB 01 9A E8 2C 04 00 00 EB 01 9A E8 25 00 00 00 EB 01 9A E8 02 } + +condition: + $a0 at pe.entry_point +} + + +rule SoftComp1xBGSoftPT +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 81 2C 24 3A 10 41 00 5D E8 00 00 00 00 81 2C 24 31 01 00 00 8B 85 2A 0F 41 00 29 04 24 8B 04 24 89 85 2A 0F 41 00 58 8B 85 2A 0F 41 00 } + +condition: + $a0 +} + + +rule Petite13c1998IanLuck +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 
53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 } + +condition: + $a0 at pe.entry_point +} + + +rule PENightMarev13 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D B9 ?? ?? ?? ?? 80 31 15 41 81 F9 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillo50DllSiliconRealmsToolworks +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 7C 24 08 01 75 05 E8 DE 4B 00 00 FF 74 24 04 8B 4C 24 10 8B 54 24 0C E8 ED FE FF FF 59 C2 0C 00 6A 0C 68 ?? ?? ?? ?? E8 E5 24 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 8F 15 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 20 15 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 D7 23 00 00 59 89 7D FC FF 75 08 E8 EC 53 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 2B C5 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 19 ED FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 7D 22 00 00 59 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule ObsidiumV1350ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 02 ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 20 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 ?? ?? ?? ?? EB 01 ?? EB 02 ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? 
E8 } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectv123RC1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule PUNiSHERv15DEMOFEUERRADERAHTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 } + $a1 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 24 EB 04 64 6B 88 18 89 85 9C C2 41 00 EB 04 64 6B 88 18 58 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78 C2 50 00 EB D3 5B F3 68 89 5C 24 48 5C 24 58 FF 8D 5C 24 58 5B 83 C3 4C 75 F4 5A 8D 71 78 75 09 81 F3 EB FF 52 BA 01 00 83 EB FC 4A FF 71 0F 75 19 8B 5C 24 00 00 81 33 50 53 8B 1B 0F FF C6 75 1B 81 F3 EB 87 1C 24 8B 8B 04 24 83 EC FC EB 01 E8 83 EC FC E9 E7 00 00 00 58 EB FF F0 EB FF C0 83 E8 FD EB FF 30 E8 C9 00 00 00 89 E0 EB FF D0 EB FF 71 0F 83 C0 01 EB FF 70 F0 71 EE EB FA EB 83 C0 14 EB FF 70 ED } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PECompactv140b2v140b4 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? 
BB 86 11 } + +condition: + $a0 at pe.entry_point +} + + +rule NullsoftInstallSystemv198 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 0C 53 56 57 FF 15 2C 81 40 } + +condition: + $a0 at pe.entry_point +} + + +rule CryptoLockv202EngRyanThian +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 } + $a1 = { 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 } + $a2 = { 60 BE ?? 90 40 00 8D BE ?? ?? FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point +} + + +rule vfpexeNcv600WangJianGuo +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 01 00 00 00 63 58 E8 01 00 00 00 7A 58 2D 0D 10 40 00 8D 90 C1 10 40 00 52 50 8D 80 49 10 40 00 5D 50 8D 85 65 10 40 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 CC } + +condition: + $a0 at pe.entry_point +} + + +rule XPEORv099b +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5D 8B CD 81 ED 7A 29 40 00 89 AD 0F 6D 40 00 } + $a1 = { E8 ?? ?? ?? ?? 5D 8B CD 81 ED 7A 29 40 ?? 
89 AD 0F 6D 40 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PEiDBundlev100BoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A } + +condition: + $a0 at pe.entry_point +} + + +rule PeCompact2253276BitSumTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 55 53 51 57 56 52 8D 98 C9 11 00 10 8B 53 18 52 8B E8 6A 40 68 00 10 00 00 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 5A 8B F8 50 52 8B 33 8B 43 20 03 C2 8B 08 89 4B 20 8B 43 1C 03 C2 8B 08 89 4B 1C 03 F2 8B 4B 0C 03 CA 8D 43 1C 50 57 56 FF } + +condition: + $a0 +} + + +rule PseudoSigner02CodeLockAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv100Engdulekxt +{ + meta: + author="malware-lu" +strings: + $a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01BorlandDelphi50KOLMCKAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 90 90 90 90 68 ?? ?? ?? ?? 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 FF 90 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 EB 04 00 00 00 01 90 90 90 90 90 90 90 00 01 90 90 90 90 90 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule FlyCrypter10ut1lz +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 56 57 55 BB 2C ?? ?? 44 BE 00 30 44 44 BF 20 ?? ?? 
44 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 44 44 00 74 06 FF 15 58 30 44 44 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 20 30 44 44 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 18 30 44 44 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 2F FA FF FF FF 15 24 30 44 44 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ?? ?? 44 00 74 06 FF 15 10 ?? ?? 44 8B 06 50 E8 51 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 00 00 00 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 44 44 E8 26 FF FF FF C3 } + $a1 = { 55 8B EC 83 C4 F0 53 B8 18 22 44 44 E8 7F F7 FF FF E8 0A F1 FF FF B8 09 00 00 00 E8 5C F1 FF FF 8B D8 85 DB 75 05 E8 85 FD FF FF 83 FB 01 75 05 E8 7B FD FF FF 83 FB 02 75 05 E8 D1 FD FF FF 83 FB 03 75 05 E8 87 FE FF FF 83 FB 04 75 05 E8 5D FD FF FF 83 FB 05 75 05 E8 B3 FD FF FF 83 FB 06 75 05 E8 69 FE FF FF 83 FB 07 75 05 E8 5F FE FF FF 83 FB 08 75 05 E8 95 FD FF FF 83 FB 09 75 05 E8 4B FE FF FF 5B E8 9D F2 FF FF 90 } + +condition: + $a0 or $a1 at pe.entry_point +} + + +rule MSLRHv032afakePECompact14xemadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 2E A8 00 00 C3 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule muckisprotectorIImucki +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 00 00 00 31 C0 89 41 14 89 41 18 80 6A 00 E8 85 C0 74 12 64 8B 3D 18 00 00 00 8B 7F 30 0F B6 47 02 85 C0 74 01 C3 C7 04 24 ?? ?? ?? ?? BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 
8A 06 F6 D0 88 06 46 E2 F7 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule VcasmProtector10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? 00 68 ?? ?? ?? 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 } + +condition: + $a0 at pe.entry_point +} + + +rule NullsoftInstallSystemv20b2v20b3 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 0C 53 55 56 57 FF 15 ?? 70 40 00 8B 35 ?? 92 40 00 05 E8 03 00 00 89 44 24 14 B3 20 FF 15 2C 70 40 00 BF 00 04 00 00 68 ?? ?? ?? 00 57 FF 15 ?? ?? 40 00 57 FF 15 } + +condition: + $a0 at pe.entry_point +} + + +rule VProtectorV10Dvcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 CA 31 41 00 68 06 32 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 C7 84 00 58 EB 01 E9 83 C0 07 50 } + +condition: + $a0 at pe.entry_point +} + + +rule GardianAngel10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 06 8C C8 8E D8 8E C0 FC BF ?? ?? 
EB } + +condition: + $a0 at pe.entry_point +} + + +rule eXpressorv12CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 } + +condition: + $a0 at pe.entry_point +} + + +rule RSCsProcessPatcherv14 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 E1 01 00 00 80 38 22 75 13 80 38 00 74 2E 80 38 20 75 06 80 78 FF 22 74 18 40 EB ED 80 38 00 74 1B EB 19 40 80 78 FF 20 75 F9 80 38 00 74 0D EB 0B 40 80 38 00 74 05 80 38 22 74 00 8B F8 B8 04 60 40 00 68 00 20 40 00 C7 05 A2 20 40 00 44 00 00 00 68 92 } + +condition: + $a0 +} + + +rule Armadillov190b1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 04 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov190b2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 F0 C1 40 00 68 A4 89 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov190b3 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 08 E2 40 00 68 94 95 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualCASM +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 CD 20 EB 02 CD 20 EB 02 CD 20 C1 E6 18 BB 80 ?? ?? 00 EB 02 82 B8 EB 01 10 8D 05 F4 } + +condition: + $a0 at pe.entry_point +} + + +rule Thinstall25xxJtit +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? 1A 00 00 B9 ?? 1A 00 00 BA ?? 1B 00 00 BE 00 10 00 00 BF ?? 53 00 00 BD ?? 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? ?? 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 } + $a1 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D ?? 1A 00 00 B9 ?? 1A 00 00 BA ?? 1B 00 00 BE 00 10 00 00 BF ?? 53 00 00 BD ?? 
1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? ?? 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 ?? ?? ?? ?? 03 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B F1 7C 04 3B F2 7C 02 89 2E 83 C6 04 3B F7 7C E3 58 50 68 00 00 40 00 68 80 5A } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule hmimysPacker10hmimys +{ + meta: + author="malware-lu" +strings: + $a0 = { 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 } + +condition: + $a0 +} + + +rule ACProtectV20risco +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? C3 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackV112V114LZMA430ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? EB ?? 60 } + +condition: + $a0 +} + + +rule JDPack: Packer PEiD +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 8B D5 81 ED ?? ?? ?? ?? 2B 95 ?? ?? ?? ?? 81 EA 06 ?? ?? ?? 89 95 ?? ?? ?? ?? 83 BD 45 } + +condition: + $a0 at pe.entry_point +} + + +rule PESpinv1304Cyberbob +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF } + +condition: + $a0 at pe.entry_point +} + + +rule ScObfuscatorSuperCRacker +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 33 C9 8B 1D ?? ?? ?? ?? 03 1D ?? ?? ?? ?? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D ?? ?? ?? ?? 75 E7 A1 ?? ?? ?? ?? 01 05 ?? ?? ?? ?? 61 FF 25 ?? ?? ?? ?? 
00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule tElock098SpecialBuildforgotheXer +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 99 D7 FF FF 00 00 00 ?? ?? ?? ?? AA ?? ?? 00 00 00 00 00 00 00 00 00 CA } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01DEF10Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 C1 01 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02REALBasicAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 90 90 90 90 90 90 90 90 90 90 50 90 90 90 90 90 00 01 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov260c +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 40 ?? ?? ?? 68 F4 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 F4 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov260a +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 94 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?? ?? ?? 33 D2 8A D4 89 15 B4 } + +condition: + $a0 at pe.entry_point +} + + +rule ThemidaWinLicenseV10XV17XDLLOreansTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? ?? ?? ?? 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 ?? 
89 48 01 61 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule eXPressor12CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E } + +condition: + $a0 at pe.entry_point +} + + +rule NeoLitev10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 44 24 04 8D 54 24 FC 23 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? 50 FF 25 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeBundlev30standardloader +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 60 BE 00 B0 42 00 8D BE 00 60 FD FF C7 87 B0 E4 02 00 31 3C 4B DF 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB } + +condition: + $a0 at pe.entry_point +} + + +rule ProtectionPlusvxx +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 60 29 C0 64 FF 30 E8 ?? ?? ?? ?? 5D 83 ED 3C 89 E8 89 A5 14 ?? ?? ?? 2B 85 1C ?? ?? ?? 89 85 1C ?? ?? ?? 8D 85 27 03 ?? ?? 50 8B ?? 85 C0 0F 85 C0 ?? ?? ?? 8D BD 5B 03 ?? ?? 8D B5 43 03 ?? ?? E8 DD ?? ?? ?? 89 85 1F 03 ?? ?? 6A 40 68 ?? 10 ?? ?? 8B 85 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptorV22Xsoftcompletecom +{ + meta: + author="malware-lu" +strings: + $a0 = { FF E0 E8 04 00 00 00 FF FF FF FF 5E C3 00 } + +condition: + $a0 +} + + +rule ThinstallVirtualizationSuite30353043ThinstallCompany +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00 00 00 00 58 BB 37 1F 00 00 2B C3 50 68 ?? ?? ?? ?? 
68 00 28 00 00 68 04 01 00 00 E8 BA FE FF FF E9 90 FF FF FF CC CC CC CC CC CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01CrunchPEHeuristicAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 E8 0E 00 00 00 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 00 00 00 00 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv120EngdulekxtBorlandC +{ + meta: + author="malware-lu" +strings: + $a0 = { C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 } + +condition: + $a0 at pe.entry_point +} + + +rule EXEPACKv405v406 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8C C0 05 ?? ?? 0E 1F A3 ?? ?? 03 06 ?? ?? 8E C0 8B 0E ?? ?? 8B F9 4F 8B F7 FD F3 A4 } + +condition: + $a0 at pe.entry_point +} + + +rule PeStubOEPv1x +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 33 C9 33 D2 B8 ?? ?? ?? 00 B9 FF } + $a1 = { E8 05 00 00 00 33 C0 40 48 C3 E8 05 } + +condition: + $a0 or $a1 +} + + +rule EXEShieldv01bv03bv03SMoKE +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 } + +condition: + $a0 at pe.entry_point +} + + +rule PEArmor049Hying +{ + meta: + author="malware-lu" +strings: + $a0 = { 56 52 51 53 55 E8 15 01 00 00 32 ?? ?? 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv14x +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 
33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 } + +condition: + $a0 at pe.entry_point +} + + +rule PocketPCSHA +{ + meta: + author="malware-lu" +strings: + $a0 = { 86 2F 96 2F A6 2F B6 2F 22 4F 43 68 53 6B 63 6A 73 69 F0 7F 0B D0 0B 40 09 00 09 D0 B3 65 A3 66 93 67 0B 40 83 64 03 64 04 D0 0B 40 09 00 10 7F 26 4F F6 6B F6 6A F6 69 0B 00 F6 68 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 22 4F F0 7F 0A D0 06 D4 06 D5 0B 40 09 } + +condition: + $a0 at pe.entry_point +} + + +rule eXPressorV1451CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?? ?? 00 05 00 ?? ?? 00 A3 08 ?? ?? 00 A1 08 ?? ?? 00 B9 81 ?? ?? 00 2B 48 18 89 0D 0C ?? ?? 00 83 3D } + +condition: + $a0 at pe.entry_point +} + + +rule Thinstall25 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B8 ?? ?? ?? ?? BB ?? ?? ?? ?? 50 E8 00 00 00 00 58 2D A7 1A 00 00 B9 6C 1A 00 00 BA 20 1B 00 00 BE 00 10 00 00 BF B0 53 00 00 BD EC 1A 00 00 03 E8 81 75 00 ?? ?? ?? ?? 81 75 04 ?? ?? ?? ?? 81 75 08 ?? ?? ?? ?? 81 75 0C ?? ?? ?? ?? 81 75 10 } + +condition: + $a0 at pe.entry_point +} + + +rule SuckStopv111 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB ?? ?? ?? BE ?? ?? B4 30 CD 21 EB ?? 9B } + +condition: + $a0 at pe.entry_point +} + + +rule DEFv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 } + $a1 = { BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? 10 40 00 C3 } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule UnnamedScrambler251Beta2252p0ke +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B9 ?? 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 ?? ?? 40 00 E8 ?? EA FF FF 33 C0 55 68 ?? ?? 40 00 64 FF 30 64 89 20 BA ?? ?? 40 00 B8 ?? ?? 40 00 E8 63 F3 FF FF 8B D8 85 DB 75 07 6A 00 E8 ?? ?? FF FF BA ?? ?? 40 00 8B C3 8B 0D ?? ?? 40 00 E8 ?? ?? FF FF C7 05 ?? ?? 
40 00 0A 00 00 00 BB ?? ?? 40 00 BE ?? ?? 40 00 BF ?? ?? 40 00 B8 ?? ?? 40 00 BA 04 00 00 00 E8 ?? EB FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 0A F3 FF FF 89 03 83 3B 00 0F 84 F7 04 00 00 B8 ?? ?? 40 00 8B 16 E8 ?? E1 FF FF B8 ?? ?? 40 00 E8 ?? E0 FF FF 8B D0 8B 03 8B 0E E8 ?? ?? FF FF 8B C7 A3 ?? ?? 40 00 8D 55 EC 33 C0 E8 ?? D3 FF FF 8B 45 EC B9 ?? ?? 40 00 BA ?? ?? 40 00 E8 8B ED FF FF 3C 01 75 2B A1 } + +condition: + $a0 +} + + +rule Crunchv40 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 E8 00 00 00 00 5D 81 ED 18 00 00 00 8B C5 55 60 9C 2B 85 E9 06 00 00 89 85 E1 06 00 00 FF 74 24 2C E8 BB 01 00 00 0F 82 92 05 00 00 E8 F1 03 00 00 49 0F 88 86 05 00 00 68 6C D9 B2 96 33 C0 50 E8 24 } + +condition: + $a0 at pe.entry_point +} + + +rule PrivateEXEProtector18SetiSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 31 FF 31 F6 C3 } + +condition: + $a0 +} + + +rule PseudoSigner02Armadillo300Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 2A 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85 } + +condition: + $a0 at pe.entry_point +} + + +rule hmimyssPEPack01hmimys +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5D 83 ED 05 6A 00 FF 95 E1 0E 00 00 89 85 85 0E 00 00 8B 58 3C 03 D8 81 C3 F8 00 00 00 80 AD 89 0E 00 00 01 89 9D 63 0F 00 00 8B 4B 0C 03 8D 85 0E 00 00 8B 53 08 80 BD 89 0E 00 00 00 75 0C 03 8D 91 0E 00 00 2B 95 91 0E 00 00 89 8D 57 
0F 00 00 89 95 5B 0F 00 00 8B 5B 10 89 9D 5F 0F 00 00 8B 9D 5F 0F 00 00 8B 85 57 0F 00 00 53 50 E8 B7 0B 00 00 89 85 73 0F 00 00 6A 04 68 00 10 00 00 50 6A 00 FF 95 E9 0E 00 00 89 85 6B 0F 00 00 6A 04 68 00 10 00 00 68 D8 7C 00 00 6A 00 FF 95 E9 0E 00 00 89 85 6F 0F 00 00 8D 85 67 0F 00 00 8B 9D 73 0F 00 00 8B 8D 6B 0F 00 00 8B 95 5B 0F 00 00 83 EA 0E 8B B5 57 0F 00 00 83 C6 0E 8B BD 6F 0F 00 00 50 53 51 52 56 68 D8 7C 00 00 57 E8 01 01 00 00 8B 9D 57 0F 00 00 8B 03 3C 01 75 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv146 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB 60 12 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02XCR011Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 8B F0 33 DB 83 C3 01 83 C0 01 } + +condition: + $a0 at pe.entry_point +} + + +rule EXEPACKLINKv360v364v365or50121 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8C C0 05 ?? ?? 0E 1F A3 ?? ?? 03 ?? ?? ?? 8E C0 8B ?? ?? ?? 8B ?? 4F 8B F7 FD F3 A4 50 B8 ?? ?? 50 CB } + +condition: + $a0 at pe.entry_point +} + + +rule SpecialEXEPasswordProtectorv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptor15Vaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? ?? EB F3 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 
40 EB F3 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeJoiner10Yoda +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 00 10 40 00 68 04 01 00 00 E8 39 03 00 00 05 00 10 40 00 C6 00 5C 68 04 01 00 00 68 04 11 40 00 6A 00 E8 1A 03 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 68 04 11 40 00 E8 EC 02 00 00 83 F8 FF 0F 84 83 02 00 00 A3 08 12 40 00 6A 00 50 E8 E2 02 00 00 83 F8 FF 0F 84 6D 02 00 00 A3 0C 12 40 00 8B D8 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 E8 E3 02 00 00 6A 00 68 3C 12 40 00 6A 04 68 1E 12 40 00 FF 35 08 12 40 00 E8 C4 02 00 00 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackV119DllaPlib043ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 7C 24 08 01 0F 85 89 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 00 00 EB 0C 8B 85 38 04 00 00 89 85 3C 04 00 00 8D B5 60 04 00 00 8D 9D EB 02 00 00 33 FF E8 52 01 00 00 EB 1B 8B 85 3C 04 00 00 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 00 00 00 74 0E 83 BD 4C 04 00 00 00 74 05 E8 B8 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 D1 03 00 00 89 85 5C 04 00 00 5B FF B5 5C 04 00 00 56 FF D3 83 C4 08 8B B5 5C 04 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 E9 94 00 00 00 56 FF 95 C9 03 00 00 85 C0 0F 84 B4 00 00 00 89 85 54 04 00 00 8B C6 EB 5B 8B 85 58 04 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 58 04 00 00 C7 00 20 20 20 00 EB 06 FF B5 58 04 00 00 FF B5 54 04 00 00 FF 95 CD 03 00 00 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 00 00 EB 01 40 80 38 00 75 FA 40 89 85 58 04 00 00 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 00 00 83 C0 04 89 85 58 04 00 00 80 3E 01 0F 85 63 FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 5C 04 00 00 FF 95 D5 03 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 
61 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule CrypKeyV56XKenonicControlsLtd +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 F8 00 75 07 6A 00 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule Safe20 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 10 53 56 57 E8 C4 01 00 } + +condition: + $a0 +} + + +rule MicrosoftVisualCV80 +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 14 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB 94 00 00 00 53 6A 00 8B ?? ?? ?? ?? ?? FF D7 50 FF ?? ?? ?? ?? ?? 8B F0 85 F6 75 0A 6A 12 E8 ?? ?? ?? ?? 59 EB 18 89 1E 56 FF ?? ?? ?? ?? ?? 56 85 C0 75 14 50 FF D7 50 FF ?? ?? ?? ?? ?? B8 } + +condition: + $a0 at pe.entry_point +} + + +rule MZ_Crypt10byBrainSt0rm +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 25 14 40 00 8B BD 77 14 40 00 8B 8D 7F 14 40 00 EB 28 83 7F 1C 07 75 1E 8B 77 0C 03 B5 7B 14 40 00 33 C0 EB 0C 50 8A A5 83 14 40 00 30 26 58 40 46 3B 47 10 76 EF 83 C7 28 49 0B C9 75 D4 8B 85 73 14 40 00 89 44 24 1C 61 FF E0 } + +condition: + $a0 +} + + +rule EPWv130 +{ + meta: + author="malware-lu" +strings: + $a0 = { 06 57 1E 56 55 52 51 53 50 2E 8C 06 08 00 8C C0 83 C0 10 2E } + +condition: + $a0 at pe.entry_point +} + + +rule WindofCrypt10byDarkPressure +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 EC 53 ?? ?? ?? ?? 89 45 EC B8 64 40 00 10 E8 28 EA FF FF 33 C0 55 68 CE 51 00 10 64 ?? ?? ?? ?? 
20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 33 C0 E8 F6 DB FF FF 8B 45 EC E8 12 E7 FF FF 50 E8 3C EA FF FF 8B D8 83 FB FF 0F 84 A6 00 00 00 6A 00 53 E8 41 EA FF FF 8B F0 81 EE 00 5E 00 00 6A 00 6A 00 68 00 5E 00 00 53 E8 52 EA FF FF B8 F4 97 00 10 8B D6 E8 2E E7 FF FF B8 F8 97 00 10 8B D6 E8 22 E7 FF FF 8B C6 E8 AB D8 FF FF 8B F8 6A 00 68 F0 97 00 10 56 A1 F4 97 00 10 50 53 E8 05 EA FF FF 53 E8 CF E9 FF FF B8 FC 97 00 10 BA E8 51 00 10 E8 74 EA FF FF A1 F4 97 00 10 85 C0 74 05 83 E8 04 8B 00 50 B9 F8 97 00 10 B8 FC 97 00 10 8B 15 F4 97 00 10 E8 D8 EA FF FF B8 FC 97 00 10 E8 5A EB FF FF 8B CE 8B 15 F8 97 00 10 8B C7 E8 EB E9 FF FF 8B C7 85 C0 74 05 E8 E4 EB FF FF 33 C0 5A 59 59 64 89 10 68 D5 51 00 10 8D 45 EC E8 BB E5 FF FF C3 E9 A9 DF FF FF EB F0 5F 5E 5B E8 B7 E4 FF FF 00 00 00 FF FF FF FF 0A 00 00 00 63 5A 6C 56 30 55 6C 6B 70 4D } + +condition: + $a0 at pe.entry_point +} + + +rule NTKrnlPackerAshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 34 10 00 00 28 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 10 00 00 50 10 00 00 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 } + +condition: + $a0 +} + + +rule PseudoSigner01LCCWin321xAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 64 A1 01 00 00 00 55 89 E5 6A FF 68 ?? ?? ?? ?? 
68 9A 10 40 90 50 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule NME11Publicbyredlime +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 53 56 B8 30 35 14 13 E8 9A E6 FF FF 33 C0 55 68 6C 36 14 13 64 FF 30 64 89 20 B8 08 5C 14 13 BA 84 36 14 13 E8 7D E2 FF FF E8 C0 EA FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 04 F8 FF FF 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 F4 F7 FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 2C F9 FF FF A3 F8 5A 14 13 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 17 F9 FF FF A3 FC 5A 14 13 B8 04 5C 14 13 E8 20 FB FF FF 8B D8 85 DB 74 48 B8 00 5B 14 13 8B 15 C4 45 14 13 E8 1E E7 FF FF A1 04 5C 14 13 E8 A8 DA FF FF ?? ?? ?? ?? 5C 14 13 50 8B CE 8B D3 B8 00 5B 14 13 ?? ?? ?? ?? FF 8B C6 E8 DF FB FF FF 8B C6 E8 9C DA FF FF B8 00 5B 14 13 E8 72 E7 FF FF 33 C0 5A 59 59 64 89 10 68 73 36 14 13 C3 E9 0F DF FF FF EB F8 5E 5B E8 7E E0 FF FF 00 00 FF FF FF FF 0C 00 00 00 4E 4D 45 20 31 2E 31 20 53 74 75 62 } + +condition: + $a0 +} + + +rule PEtitev13 +{ + meta: + author="malware-lu" +strings: + $a0 = { 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 } + +condition: + $a0 at pe.entry_point +} + + +rule PEtitev12 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 CA ?? ?? ?? 03 ?? 04 ?? 05 ?? 06 ?? 07 ?? 08 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv134v140b1 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 00 80 ?? 40 90 90 01 85 9E 80 ?? 
40 BB F8 10 } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakeMSVC70DLLMethod3emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule PEtitev14 +{ + meta: + author="malware-lu" +strings: + $a0 = { 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 14 8B CC } + $a1 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule SoftProtectSoftProtectbyru +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 E3 60 E8 03 ?? ?? ?? D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 60 E8 03 ?? ?? ?? 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 EB 01 83 9C EB 01 D5 EB 08 35 9D EB 01 89 EB 03 0B EB F7 E8 ?? ?? ?? ?? 58 E8 ?? ?? ?? ?? 59 83 01 01 80 39 5C } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02CDCopsIIAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 60 BD 90 90 90 90 8D 45 90 8D 5D 90 E8 00 00 00 00 8D 01 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPack118LZMA430ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A 00 00 FF 34 37 FF 74 37 04 FF D3 61 83 C7 ?? 83 3C 37 00 75 E6 83 BD 0D 0B 00 00 00 74 0E 83 BD 11 0B 00 00 00 74 05 E8 F6 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 
6A 00 FF 95 AA 0A 00 00 89 85 1D 0B 00 00 5B 60 FF B5 F9 0A 00 00 56 FF B5 1D 0B 00 00 FF D3 61 8B B5 1D 0B 00 00 8B C6 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv108xAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02BorlandCDLLMethod2Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule ARMProtector01bySMoKE +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 } + +condition: + $a0 at pe.entry_point +} + + +rule tElock099cPrivateECLIPSEtE +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 3F DF FF FF 00 00 00 ?? ?? ?? ?? 04 ?? ?? 00 00 00 00 00 00 00 00 00 24 ?? ?? 00 14 ?? ?? 00 0C ?? ?? 00 00 00 00 00 00 00 00 00 31 ?? ?? 00 1C ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C ?? ?? 00 00 00 00 00 4F ?? ?? 00 00 00 00 00 3C ?? ?? 00 00 00 00 00 4F ?? ?? 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65 } + +condition: + $a0 at pe.entry_point +} + + +rule XPack152164 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B EC FA 33 C0 8E D0 BC ?? ?? 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 
EB } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectv123RC4build0807dllAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov253b3 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 D8 ?? ?? ?? 68 14 ?? ?? ?? 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 58 53 56 57 89 65 E8 FF 15 } + +condition: + $a0 at pe.entry_point +} + + +rule Imploderv104BoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 } + +condition: + $a0 at pe.entry_point +} + + +rule PEiDBundlev100v101BoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? 
02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A } + +condition: + $a0 at pe.entry_point +} + + +rule JExeCompressor10byArashVeyskarami +{ + meta: + author="malware-lu" +strings: + $a0 = { 8D 2D D3 4A E5 14 0F BB F7 0F BA E5 73 0F AF D5 8D 0D 0C 9F E6 11 C0 F8 EF F6 DE 80 DC 5B F6 DA 0F A5 C1 0F C1 F1 1C F3 4A 81 E1 8C 1F 66 91 0F BE C6 11 EE 0F C0 E7 33 D9 64 F2 C0 DC 73 0F C0 D5 55 8B EC BA C0 1F 41 00 8B C2 B9 97 00 00 00 80 32 79 50 B8 02 00 00 00 50 03 14 24 58 58 51 2B C9 B9 01 00 00 00 83 EA 01 E2 FB 59 E2 E1 FF E0 } + +condition: + $a0 at pe.entry_point +} + + +rule Alloy4xPGWareLLC +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 6A 04 68 00 10 00 00 68 00 02 00 00 6A 00 FF 95 A8 33 40 00 0B C0 0F 84 F6 01 00 00 89 85 2E 33 40 00 83 BD E8 32 40 00 01 74 0D 83 BD E4 32 40 00 01 74 2A 8B F8 EB 3E 68 } + +condition: + $a0 at pe.entry_point +} + + +rule ThinstallV2403Jitit +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 } + $a1 = { 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 
5F 5E 5B 5D C2 08 00 57 BF 00 00 80 00 39 79 14 77 36 53 56 8B B1 29 04 00 00 8B 41 0C 8B 59 10 03 DB 8A 14 30 83 E2 01 0B D3 C1 E2 07 40 89 51 10 89 41 0C 0F B6 04 30 C1 61 14 08 D1 E8 09 41 10 39 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule FakeNinjav28AntiDebugSpirit +{ + meta: + author="malware-lu" +strings: + $a0 = { 64 A1 18 00 00 00 EB 02 C3 11 8B 40 30 EB 01 0F 0F B6 40 02 83 F8 01 74 FE EB 01 E8 90 C0 FF FF EB 03 BD F4 B5 64 A1 30 00 00 00 0F B6 40 02 74 01 BA 74 E0 50 00 64 A1 30 00 00 00 83 C0 68 8B 00 EB 00 83 F8 70 74 CF EB 02 EB FE 90 90 90 0F 31 33 C9 03 C8 0F 31 2B C1 3D FF 0F 00 00 73 EA E8 08 00 00 00 C1 3D FF 0F 00 00 74 AA EB 07 E8 8B 40 30 EB 08 EA 64 A1 18 00 00 00 EB F2 90 90 90 BA ?? ?? ?? ?? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40 11 00 00 6A 00 6A 00 FF 35 70 11 40 00 FF 35 84 11 40 00 E8 25 11 00 00 FF } + +condition: + $a0 +} + + +rule ExeLockv100 +{ + meta: + author="malware-lu" +strings: + $a0 = { 06 8C C8 8E C0 BE ?? ?? 26 ?? ?? 34 ?? 26 ?? ?? 46 81 ?? ?? ?? 75 ?? 40 B3 ?? B3 ?? F3 } + +condition: + $a0 at pe.entry_point +} + + +rule PEtitevxx +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 } + +condition: + $a0 at pe.entry_point +} + + +rule EnigmaProtector10XSukhovVladimir +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 83 ?? ?? 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 83 C4 04 EB 02 ?? ?? 60 E8 24 00 00 00 00 00 ?? EB 02 ?? ?? 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 ?? ?? 89 C4 61 EB 2E ?? ?? ?? ?? ?? ?? ?? EB 01 ?? 31 C0 EB 01 ?? 64 FF 30 EB 01 ?? 64 89 20 EB 02 ?? ?? 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 ?? 58 61 EB 01 } + +condition: + $a0 +} + + +rule ThinstallEmbedded27172719Jitit +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 
E8 C1 FE FF FF E9 97 FF FF FF CC CC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 00 00 00 33 DB BA 00 00 00 80 43 33 C0 E8 19 01 00 00 73 0E 8B 4D F8 E8 27 01 00 00 02 45 F7 AA EB E9 E8 04 01 00 00 0F 82 96 00 00 00 E8 F9 00 00 00 73 5B B9 04 00 00 00 E8 05 01 00 00 48 74 DE 0F 89 C6 00 00 00 E8 DF 00 00 00 73 1B 55 BD 00 01 00 00 E8 DF 00 00 00 88 07 47 4D 75 F5 E8 C7 00 00 00 72 E9 5D EB A2 B9 01 00 00 00 E8 D0 00 00 00 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 00 00 00 88 45 F7 E9 7C FF FF FF B9 07 00 00 00 E8 AA 00 00 00 50 33 C9 B1 02 E8 A0 00 00 00 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 00 00 00 89 45 FC E9 48 FF FF FF E8 87 00 00 00 49 E2 09 8B C3 E8 7D 00 00 00 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 00 00 00 0B C5 5D 8B D8 E8 5F 00 00 00 3D 00 00 01 00 73 14 3D FF 37 00 00 73 0E 3D 7F 02 00 00 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv102bAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 } + $a1 = { 60 E8 ?? ?? ?? ?? 5D 81 ED 96 78 43 ?? B8 90 78 43 ?? 03 C5 2B 85 7D 7C 43 ?? 89 85 89 7C 43 ?? 80 BD 74 7C 43 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PEProtect09byCristophGabler1998 +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39 } + +condition: + $a0 +} + + +rule VxPredator2448 +{ + meta: + author="malware-lu" +strings: + $a0 = { 0E 1F BF ?? ?? B8 ?? ?? B9 ?? ?? 49 ?? ?? ?? ?? 2A C1 4F 4F ?? ?? 
F9 CC } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakeMSVC60DLLemadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 5F 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorv16dVaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 } + $a1 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? 90 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule Enigmaprotector112VladimirSukhov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00 00 00 00 EB 02 C1 90 58 61 EB 01 3E EB 04 ?? ?? ?? ?? B8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 01 E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 05 F6 01 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 9A 83 C4 04 B9 44 1A } + +condition: + $a0 +} + + +rule hyingsPEArmorV076hying +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A ?? 
E8 A3 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule JDPackV200JDPack +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 ?? ?? ?? E8 01 00 00 00 ?? ?? ?? ?? ?? ?? 05 00 00 00 00 83 C4 0C 5D 60 E8 00 00 00 00 5D 8B D5 64 FF 35 00 00 00 00 EB } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv01xv02xDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 88 01 ?? ?? AD 8B F8 95 } + +condition: + $a0 at pe.entry_point +} + + +rule VcasmProtectorV1Xvcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { EB ?? 5B 56 50 72 6F 74 65 63 74 5D } + +condition: + $a0 at pe.entry_point +} + + +rule kkrunchy023alpha2Ryd +{ + meta: + author="malware-lu" +strings: + $a0 = { BD ?? ?? ?? ?? C7 45 00 ?? ?? ?? 00 B8 ?? ?? ?? 00 89 45 04 89 45 54 50 C7 45 10 ?? ?? ?? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 00 00 8D 7D 30 AB AB AB AB BB 00 00 D8 00 BF } + $a1 = { BD ?? ?? ?? ?? C7 45 00 ?? ?? ?? 00 B8 ?? ?? ?? 00 89 45 04 89 45 54 50 C7 45 10 ?? ?? ?? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 00 00 8D 7D 30 AB AB AB AB BB 00 00 D8 00 BF ?? ?? ?? 01 31 C9 41 8D 74 09 01 B8 CA 8E 2A 2E 99 F7 F6 01 C3 89 D8 C1 E8 15 AB FE C1 75 E8 BE } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PolyEnEV001LennartHedlund +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 6F 6C 79 45 6E 45 00 4D 65 73 73 61 67 65 42 6F 78 41 00 55 53 45 52 33 32 2E 64 6C 6C } + +condition: + $a0 +} + + +rule Winkriptv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 C0 8B B8 00 ?? ?? ?? 8B 90 04 ?? ?? ?? 
85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 } + +condition: + $a0 at pe.entry_point +} + + +rule TrainerCreationKitv5Trainer +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 00 68 80 00 00 00 6A 02 6A 00 6A 00 68 00 00 00 40 68 25 45 40 00 E8 3C 02 00 00 50 6A 00 68 40 45 40 00 68 00 10 00 00 68 00 30 40 00 50 E8 54 02 00 00 58 50 E8 17 02 00 00 6A 00 E8 2E 02 00 00 A3 70 45 40 00 68 25 45 40 00 E8 2B 02 00 00 A3 30 45 40 } + +condition: + $a0 +} + + +rule EXEStealthv272 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 } + +condition: + $a0 at pe.entry_point +} + + +rule EXEStealthv273 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 EB 16 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 60 90 E8 00 00 00 00 5D 81 ED F0 27 40 00 B9 15 00 00 00 83 C1 05 EB 05 EB FE 83 C7 56 EB 00 83 E9 02 } + +condition: + $a0 +} + + +rule PseudoSigner02DEF10Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 83 C1 01 } + +condition: + $a0 at pe.entry_point +} + + +rule AHpack01FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 68 54 ?? ?? ?? B8 48 ?? ?? ?? FF 10 68 B3 ?? ?? ?? 50 B8 44 ?? ?? ?? FF 10 68 00 ?? ?? ?? 6A 40 FF D0 89 05 CA ?? ?? ?? 89 C7 BE 00 10 ?? ?? 
60 FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 } + +condition: + $a0 at pe.entry_point +} + + +rule EXEStealthv274 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 00 EB 17 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 60 90 E8 00 00 00 00 5D 81 ED C4 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 } + +condition: + $a0 +} + + +rule ThinstallEmbedded22X2308Jitit +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 EF BE AD DE 50 6A 00 FF 15 ?? ?? ?? ?? E9 B9 FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 00 00 C7 40 0C 01 00 00 00 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 00 00 00 C2 04 00 8B 44 24 04 C7 41 0C 01 00 00 00 89 81 29 04 00 00 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 00 00 00 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 00 00 00 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PolyCryptorbySMTVersionv3v4 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB ?? 28 50 6F 6C 79 53 63 72 79 70 74 20 ?? ?? ?? 20 62 79 20 53 4D 54 29 } + +condition: + $a0 at pe.entry_point +} + + +rule ProtectSharewareV11eCompservCMS +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 ?? 01 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 42 00 30 00 00 00 34 00 ?? 
00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 } + +condition: + $a0 +} + + +rule Upackv035alphaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B F2 8B CA 03 4C 19 1C 03 54 1A 20 } + +condition: + $a0 +} + + +rule ASPackv10801AlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D } + $a1 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 ?? BB 10 ?? 44 ?? 03 DD 2B 9D } + $a2 = { 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point +} + + +rule ENIGMAProtectorV11SukhovVladimir +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 83 ?? ?? 81 } + +condition: + $a0 at pe.entry_point +} + + +rule PEncrypt20junkcode +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 25 00 00 F7 BF 00 00 00 00 00 00 00 00 00 00 12 00 E8 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 00 00 E8 00 00 00 00 5D 81 ED 2C 10 40 00 8D B5 14 10 40 00 E8 33 00 00 00 89 85 10 10 40 00 BF 00 00 40 00 8B F7 03 7F 3C 8B 4F 54 51 56 8D 85 } + +condition: + $a0 at pe.entry_point +} + + +rule SimbiOZExtranger +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 60 E8 00 00 00 00 5D 81 ED 07 10 40 00 68 80 0B 00 00 8D 85 1F 10 40 00 50 E8 84 0B 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule InnoSetupModulev304betav306v307 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 B3 70 FF FF E8 1A 85 FF FF E8 25 A7 FF FF E8 6C } + +condition: + $a0 +} + + +rule ASPackv107bAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 
80 BD 01 DE } + +condition: + $a0 at pe.entry_point +} + + +rule PROPACKv208emphasisonpackedsizelocked +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC ?? 8B EC BE ?? ?? FC E8 ?? ?? 05 ?? ?? 8B C8 E8 ?? ?? 8B } + +condition: + $a0 at pe.entry_point +} + + +rule HACKSTOPv110p1 +{ + meta: + author="malware-lu" +strings: + $a0 = { B4 30 CD 21 86 E0 3D 00 03 73 ?? B4 2F CD 21 B4 2A CD 21 B4 2C CD 21 B0 FF B4 4C CD 21 50 B8 ?? ?? 58 EB } + +condition: + $a0 at pe.entry_point +} + + +rule AdysGlue110 +{ + meta: + author="malware-lu" +strings: + $a0 = { 2E ?? ?? ?? ?? 0E 1F BF ?? ?? 33 DB 33 C0 AC } + +condition: + $a0 at pe.entry_point +} + + +rule VxEddiebased1745 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC ?? 2E ?? ?? ?? ?? 4D 5A ?? ?? FA ?? 8B E6 81 ?? ?? ?? FB ?? 3B ?? ?? ?? ?? ?? 50 06 ?? 56 1E 8B FE 33 C0 ?? 50 8E D8 } + +condition: + $a0 at pe.entry_point +} + + +rule ASDPackv10asd +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 56 53 E8 5C 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 ?? ?? ?? 00 00 00 00 00 00 00 40 00 00 ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? 00 00 10 00 00 00 ?? 00 00 00 ?? ?? 00 00 ?? ?? 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 00 ?? 00 00 00 ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5B 81 EB E6 1D 40 00 83 7D 0C 01 75 11 55 E8 4F 01 00 00 E8 6A 01 00 00 5D E8 2C 00 00 00 8B B3 1A 1E 40 00 03 B3 FA 1D 40 00 8B 76 0C AD 0B C0 74 0D FF 75 10 FF 75 0C FF 75 08 FF D0 EB EE B8 01 00 00 00 5B 5E C9 C2 0C 00 55 6A 00 FF 93 20 21 40 00 89 83 FA 1D 40 00 6A 40 68 00 10 00 00 FF B3 02 1E 40 00 6A 00 FF 93 2C 21 40 00 89 83 06 1E 40 00 8B 83 F2 1D 40 00 03 83 FA 1D 40 00 50 FF B3 06 1E 40 00 50 E8 6D 01 00 00 5F } + +condition: + $a0 +} + + +rule ORiENV1XV2XFisunAV +{ + meta: + author="malware-lu" +strings: + $a0 = { 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F 74 65 63 74 69 6F 6E 20 73 79 73 74 65 6D } + +condition: + $a0 +} + + +rule StonesPEEncryptorv113 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 ED 97 3B 40 ?? 2B 95 2D 3C 40 ?? 83 EA 0B 89 95 36 3C 40 ?? 01 95 24 3C 40 ?? 01 95 28 } + +condition: + $a0 at pe.entry_point +} + + +rule WWPACKv302v302aExtractable +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 33 C9 B1 ?? 51 06 06 BB ?? ?? 
53 8C D3 } + +condition: + $a0 at pe.entry_point +} + + +rule ARMProtector03bySMoKE +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 13 24 40 00 EB 02 83 09 8D B5 A4 24 40 00 EB 02 83 09 BA 4B 15 00 00 EB 01 00 8D 8D EF 39 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 00 00 00 83 EB 01 00 2A C2 E8 00 00 00 00 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00 00 00 00 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 } + +condition: + $a0 +} + + +rule VxSlowload +{ + meta: + author="malware-lu" +strings: + $a0 = { 03 D6 B4 40 CD 21 B8 02 42 33 D2 33 C9 CD 21 8B D6 B9 78 01 } + +condition: + $a0 at pe.entry_point +} + + +rule AntiDote10BetaSISTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 BB FF FF FF 84 C0 74 2F 68 04 01 00 00 68 C0 23 60 00 6A 00 FF 15 08 10 60 00 E8 40 FF FF FF 50 68 78 11 60 00 68 68 11 60 00 68 C0 23 60 00 E8 AB FD FF FF 83 C4 10 33 C0 C2 10 00 90 90 90 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0 66 8B 41 06 89 54 24 14 8D 68 FF 85 ED 7C 37 33 C0 } + +condition: + $a0 at pe.entry_point +} + + +rule DzAPatcherv13Loader +{ + meta: + author="malware-lu" +strings: + $a0 = { BF 00 40 40 00 99 68 48 20 40 00 68 00 20 40 00 52 52 52 52 52 52 52 57 E8 15 01 00 00 85 C0 75 1C 99 52 52 57 52 E8 CB 00 00 00 FF 35 4C 20 40 00 E8 D2 00 00 00 6A 00 E8 BF 00 00 00 99 68 58 20 40 00 52 52 68 63 10 40 00 52 52 E8 DB 00 00 00 6A FF FF 35 } + +condition: + $a0 +} + + +rule CDSSS10beta1CyberDoom +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 00 00 
0B C0 0F 84 13 03 00 00 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 00 00 00 EB 12 64 A1 30 00 00 00 0F B6 40 02 0A C0 0F 85 E8 02 00 00 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 00 00 0B C0 0F 84 CE 02 00 00 E8 1E 03 00 00 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8 4E 40 00 E8 D7 03 00 00 0B C0 0F 84 A9 02 00 00 E8 F9 02 00 00 89 85 94 4E 40 00 8D 85 12 4D 40 00 50 } + +condition: + $a0 at pe.entry_point +} + + +rule y0dasCrypterv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED E7 1A 40 00 E8 A1 00 00 00 E8 D1 00 00 00 E8 85 01 00 00 F7 85 } + +condition: + $a0 at pe.entry_point +} + + +rule y0dasCrypterv11 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 8A 1C 40 00 B9 9E 00 00 00 8D BD 4C 23 40 00 8B F7 33 } + +condition: + $a0 at pe.entry_point +} + + +rule NullsoftPiMPInstallSystemv1x +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 0C 53 56 57 FF 15 ?? ?? 40 00 05 E8 03 00 00 BE ?? ?? ?? 00 89 44 24 10 B3 20 FF 15 28 ?? 40 00 68 00 04 00 00 FF 15 ?? ?? 40 00 50 56 FF 15 ?? ?? 40 00 80 3D ?? ?? ?? 00 22 75 08 80 C3 02 BE ?? ?? ?? 00 8A 06 8B 3D ?? ?? 40 00 84 C0 74 ?? 
3A C3 74 } + +condition: + $a0 +} + + +rule ExeBundlev30smallloader +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 60 BE 00 F0 40 00 8D BE 00 20 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXAlternativestub +{ + meta: + author="malware-lu" +strings: + $a0 = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 00 00 00 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B } + +condition: + $a0 at pe.entry_point +} + + +rule EmbedPE113cyclotron +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 50 60 68 5D B9 52 5A E8 2F 99 00 00 DC 99 F3 57 05 68 B8 5E 2D C6 DA FD 48 63 05 3C 71 B8 5E 97 7C 36 7E 32 7C 08 4F 06 51 64 10 A3 F1 4E CF 25 CB 80 D2 99 54 46 ED E1 D3 46 86 2D 10 68 93 83 5C 46 4D 43 9B 8C D6 7C BB 99 69 97 71 2A 2F A3 38 6B 33 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor2223protectedIAT +{ + meta: + author="malware-lu" +strings: + $a0 = { CC ?? ?? ?? 00 00 00 00 FF FF FF FF 3C ?? ?? ?? B4 ?? ?? ?? 08 ?? ?? ?? 00 00 00 00 FF FF FF FF E8 ?? ?? ?? 04 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4C ?? ?? ?? 60 ?? ?? ?? 70 ?? ?? ?? 84 ?? ?? ?? 94 ?? ?? ?? A4 ?? ?? ?? 
00 00 00 00 75 73 65 72 33 32 2E 64 6C 6C 00 00 00 00 4D 65 73 73 61 67 65 42 6F 78 } + +condition: + $a0 +} + + +rule PseudoSigner01Armadillo300Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 2A 00 00 00 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptorvxxxx +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 24 ?? ?? ?? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?? ?? ?? ?? ?? ?? ?? 31 C0 89 41 } + +condition: + $a0 at pe.entry_point +} + + +rule Morphinev33SilentSoftwareSilentShieldc2005 +{ + meta: + author="malware-lu" +strings: + $a0 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 } + $a1 = { 28 ?? ?? ?? 00 00 00 00 00 00 00 00 40 ?? ?? ?? 34 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4C ?? ?? ?? 5C ?? ?? ?? 00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 } + +condition: + $a0 or $a1 +} + + +rule DEF10bartxt +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 00 00 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? ?? 40 00 C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv0971v0976 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 C3 9C 60 E8 5D 55 5B 81 ED 8B 85 01 85 66 C7 85 } + +condition: + $a0 at pe.entry_point +} + + +rule PCShrinkv040b +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 BD ?? ?? ?? ?? 01 ?? ?? ?? ?? 
?? FF ?? ?? ?? ?? ?? 6A ?? FF ?? ?? ?? ?? ?? 50 50 2D } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakePECrypt102emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7 05 50 E8 08 00 00 00 EA FF 58 EB 18 EB 01 0F EB 02 CD 20 EB 03 EA CD 20 58 58 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule ORiENv211212FisunAlexander +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 5D 01 00 00 CE D1 CE ?? 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F } + +condition: + $a0 at pe.entry_point +} + + +rule StonesPEEncruptorv113 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 57 56 52 51 53 E8 ?? ?? ?? ?? 5D 8B D5 81 } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectv11MTEc +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 60 E8 1B ?? ?? ?? E9 FC } + +condition: + $a0 at pe.entry_point +} + + +rule CreateInstallStubvxx +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC 20 02 00 00 53 56 57 6A 00 FF 15 18 61 40 00 68 00 70 40 00 89 45 08 FF 15 14 61 40 00 85 C0 74 27 6A 00 A1 00 20 40 00 50 FF 15 3C 61 40 00 8B F0 6A 06 56 FF 15 38 61 40 00 6A 03 56 FF 15 38 61 40 00 E9 36 03 00 00 68 02 7F 00 00 33 F6 56 } + +condition: + $a0 at pe.entry_point +} + + +rule WinZip32bitSFXv8xmodule +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 FF 15 ?? ?? ?? 00 B3 22 38 18 74 03 80 C3 FE 8A 48 01 40 33 D2 3A CA 74 0A 3A CB 74 06 8A 48 01 40 EB F2 38 10 74 01 40 ?? ?? ?? ?? 
FF 15 } + +condition: + $a0 at pe.entry_point +} + + +rule Upxv12MarcusLazlo +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83 } + +condition: + $a0 at pe.entry_point +} + + +rule PEPACKv10byANAKiN1998 +{ + meta: + author="malware-lu" +strings: + $a0 = { 74 ?? E9 ?? ?? ?? ?? 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule NeoLitev20 +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 4E 65 6F 4C 69 74 65 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakeSpalsher1x3xFEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 9C 60 8B 44 24 24 E8 00 00 00 00 5D 81 ED 00 00 00 00 50 E8 ED 02 00 00 8C C0 0F 84 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv10803AlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD } + $a1 = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E } + $a2 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD } + $a3 = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? BB ?? ?? ?? ?? 
03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point +} + + +rule VMProtect07x08PolyTech +{ + meta: + author="malware-lu" +strings: + $a0 = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 76 20 30 2E 38 20 28 43 29 20 50 6F 6C 79 54 65 63 68 20 5D } + +condition: + $a0 +} + + +rule ExeShieldProtectorV36wwwexeshieldcom +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC } + +condition: + $a0 at pe.entry_point +} + + +rule WerusCrypter10Kas +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 98 11 40 00 6A 00 E8 50 00 00 00 C9 C3 ED B3 FE FF FF 6A 00 E8 0C 00 00 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 A8 10 40 00 FF 25 B0 10 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BB E8 12 40 00 80 33 05 E9 7D FF FF FF } + +condition: + $a0 +} + + +rule Themida10xx1800compressedengineOreansTechnologies +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 } + $a1 = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 5A ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 5A ?? ?? ?? 
50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 AF 01 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule CHECKPRGc1992 +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 C0 BE ?? ?? 8B D8 B9 ?? ?? BF ?? ?? BA ?? ?? 47 4A 74 } + +condition: + $a0 at pe.entry_point +} + + +rule eXPressor11CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? 00 00 E9 ?? ?? 00 00 E9 ?? 12 00 00 E9 ?? 0C 00 00 E9 ?? ?? 00 00 E9 ?? ?? 00 00 E9 ?? ?? 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VxEddie1028 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5E FC 83 ?? ?? 81 ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E B8 FE 4B CD 21 81 FF BB 55 ?? ?? 07 ?? ?? ?? 07 B4 49 CD 21 BB FF FF B4 48 CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule PEQuakev006byfORGAT +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 A5 00 00 00 2D ?? 00 00 00 00 00 00 00 00 00 00 3D ?? 00 00 2D ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A ?? 00 00 5B ?? 00 00 6E ?? 
00 00 00 00 00 00 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 00 00 00 47 65 74 50 72 6F 63 41 64 } + +condition: + $a0 +} + + +rule LTCv13 +{ + meta: + author="malware-lu" +strings: + $a0 = { 54 E8 00 00 00 00 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv071b7 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 48 11 00 00 C3 83 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv071b2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 44 11 00 00 C3 83 } + +condition: + $a0 at pe.entry_point +} + + +rule UnknownJoinersignfrompinch260320070212 +{ + meta: + author="malware-lu" +strings: + $a0 = { 44 90 4C 90 B9 DE 00 00 00 BA 00 10 40 00 83 C2 03 44 90 4C B9 07 00 00 00 44 90 4C 33 C9 C7 05 08 30 40 00 00 00 00 00 90 68 00 01 00 00 68 21 30 40 00 6A 00 E8 C5 02 00 00 90 6A 00 68 80 } + +condition: + $a0 at pe.entry_point +} + + +rule DIETv100v100d +{ + meta: + author="malware-lu" +strings: + $a0 = { BF ?? ?? 3B FC 72 ?? B4 4C CD 21 BE ?? ?? B9 ?? ?? FD F3 A5 FC } + +condition: + $a0 at pe.entry_point +} + + +rule APEX_CBLTApex40500mhz +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? ?? ?? B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 00 00 00 8B 34 24 80 36 FD 46 E2 FA C3 } + +condition: + $a0 at pe.entry_point +} + + +rule StealthPEv11 +{ + meta: + author="malware-lu" +strings: + $a0 = { BA ?? ?? ?? 00 FF E2 BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 03 B8 ?? ?? ?? ?? 89 02 83 C2 FD FF E2 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackFullEdition117DLLAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 
33 FF E8 } + +condition: + $a0 at pe.entry_point +} + + +rule Anti007V26LiuXingPing +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 57 72 69 74 65 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 } + +condition: + $a0 +} + + +rule AppEncryptorSilentTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 1F 1F 40 00 B9 7B 09 00 00 8D BD 67 1F 40 00 8B F7 AC } + +condition: + $a0 at pe.entry_point +} + + +rule VirogenCryptv075 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 55 E8 EC 00 00 00 87 D5 5D 60 87 D5 80 BD 15 27 40 00 01 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov300a +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB } + +condition: + $a0 at pe.entry_point +} + + +rule WWPACKv300v301Extractable +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 6A ?? 06 06 8C D3 83 ?? ?? 53 6A ?? FC } + +condition: + $a0 at pe.entry_point +} + + +rule VxUddy2617 +{ + meta: + author="malware-lu" +strings: + $a0 = { 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? ?? ?? 2E ?? ?? ?? 8C C8 8E D8 8C ?? ?? ?? 2B ?? ?? ?? 03 ?? ?? ?? A3 ?? ?? A1 ?? ?? A3 ?? ?? A1 ?? ?? A3 ?? ?? 8C C8 2B ?? ?? ?? 03 ?? ?? ?? A3 ?? ?? B8 AB 9C CD 2F 3D 76 98 } + +condition: + $a0 at pe.entry_point +} + + +rule PLINK8619841985 +{ + meta: + author="malware-lu" +strings: + $a0 = { FA 8C C7 8C D6 8B CC BA ?? ?? 
8E C2 26 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv10804AlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 41 06 00 00 EB 41 } + +condition: + $a0 at pe.entry_point +} + + +rule aPackv098m +{ + meta: + author="malware-lu" +strings: + $a0 = { 1E 06 8C C8 8E D8 05 ?? ?? 8E C0 50 BE ?? ?? 33 FF FC B2 ?? BD ?? ?? 33 C9 50 A4 BB ?? ?? 3B F3 76 } + +condition: + $a0 +} + + +rule BamBamv001Bedrock +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 14 E8 9A 05 00 00 8B D8 53 68 FB ?? ?? 00 E8 6C FD FF FF B9 05 00 00 00 8B F3 BF FB ?? ?? 00 53 F3 A5 E8 8D 05 00 00 8B 3D 03 ?? ?? 00 A1 2B ?? ?? 00 66 8B 15 2F ?? ?? 00 B9 80 ?? ?? 00 2B CF 89 45 E8 89 0D 6B ?? ?? 00 66 89 55 EC 8B 41 3C 33 D2 03 C1 } + +condition: + $a0 +} + + +rule PESHiELDv02v02bv02b2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 } + +condition: + $a0 at pe.entry_point +} + + +rule EXEStealthv27 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 00 60 EB 00 E8 00 00 00 00 5D 81 ED D3 26 40 } + +condition: + $a0 at pe.entry_point +} + + +rule EXEStealthv25 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 90 EB 22 45 78 65 53 74 65 61 6C 74 68 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D E8 00 00 00 00 5D 81 ED 40 1E 40 00 B9 99 09 00 00 8D BD 88 1E 40 00 8B F7 AC } + +condition: + $a0 +} + + +rule VxHaryanto +{ + meta: + author="malware-lu" +strings: + $a0 = { 81 EB 2A 01 8B 0F 1E 5B 03 CB 0E 51 B9 10 01 51 CB } + +condition: + $a0 at pe.entry_point +} + + +rule ASPRStripperv2xunpacked +{ + meta: + author="malware-lu" +strings: + $a0 = { BB ?? ?? ?? ?? E9 ?? ?? ?? ?? 60 9C FC BF ?? ?? ?? ?? B9 ?? ?? ?? ?? 
F3 AA 9D 61 C3 55 8B EC } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01UPX06Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule Shrinker33 +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 55 8B EC 56 57 75 65 68 00 01 00 00 E8 } + +condition: + $a0 +} + + +rule Shrinker32 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 56 57 75 65 68 00 01 00 00 E8 F1 E6 FF FF 83 C4 04 } + +condition: + $a0 +} + + +rule Shrinker34 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 56 57 75 6B 68 00 01 00 00 E8 11 0B 00 00 83 C4 04 } + +condition: + $a0 +} + + +rule PESPinv13Cyberbob +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv160v165 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 80 40 ?? 87 DD 8B 85 D2 80 40 ?? 01 85 33 80 40 ?? 66 C7 85 ?? 80 40 ?? 90 90 01 85 CE 80 40 ?? BB BB 12 } + +condition: + $a0 at pe.entry_point +} + + +rule eXPressorv120b +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC D4 01 00 00 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?? ?? ?? 00 2B 05 84 ?? ?? 00 A3 ?? ?? ?? 00 83 3D ?? ?? ?? 00 00 74 16 A1 ?? ?? ?? 00 03 05 80 ?? ?? 00 89 85 54 FE FF FF E9 ?? 07 00 00 C7 05 ?? ?? ?? 00 01 00 00 00 68 04 } + +condition: + $a0 +} + + +rule EPWv12 +{ + meta: + author="malware-lu" +strings: + $a0 = { 06 57 1E 56 55 52 51 53 50 2E ?? ?? ?? ?? 8C C0 05 ?? ?? 2E ?? ?? ?? 8E D8 A1 ?? ?? 
2E } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectv12x +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 68 01 ?? ?? ?? C3 AA } + +condition: + $a0 at pe.entry_point +} + + +rule Packanoidv1Arkanoid +{ + meta: + author="malware-lu" +strings: + $a0 = { BF ?? ?? ?? ?? BE ?? ?? ?? ?? E8 9D 00 00 00 B8 ?? ?? ?? ?? 8B 30 8B 78 04 BB ?? ?? ?? ?? 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 } + +condition: + $a0 at pe.entry_point +} + + +rule EscargotV01Meat +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 04 40 30 2E 31 60 68 61 } + +condition: + $a0 at pe.entry_point +} + + +rule SCObfuscatorSuperCRacker +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 33 C9 8B 1D 00 ?? ?? ?? 03 1D 08 ?? ?? ?? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D 04 ?? ?? ?? 75 E7 A1 08 ?? ?? ?? 01 05 0C ?? ?? ?? 61 FF 25 0C } + +condition: + $a0 +} + + +rule EXEStealth275WebtoolMaster +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PasswordProtectorcMiniSoft1992 +{ + meta: + author="malware-lu" +strings: + $a0 = { 06 0E 0E 07 1F E8 00 00 5B 83 EB 08 BA 27 01 03 D3 E8 3C 02 BA EA } + +condition: + $a0 at pe.entry_point +} + + +rule VxEddie2000 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5E 81 EE ?? ?? FC 2E ?? ?? ?? ?? 2E ?? ?? ?? ?? 4D 5A ?? ?? FA 8B E6 81 C4 ?? ?? FB 3B ?? ?? ?? ?? ?? 50 06 56 1E 8B FE 33 C0 50 8E D8 C5 ?? ?? ?? B4 30 CD 21 } + +condition: + $a0 at pe.entry_point +} + + +rule VideoLanClientUnknownCompiler +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 08 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? 
00 } + +condition: + $a0 at pe.entry_point +} + + +rule eXPressorv14CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 34 2E 2E B8 } + $a1 = { 65 58 50 72 2D 76 2E 31 2E 34 2E } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule SkDUndetectablerPro20NoUPXMethodSkD +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD FF FF E8 BB ED FF FF 8D 40 } + +condition: + $a0 at pe.entry_point +} + + +rule RJcrushv100 +{ + meta: + author="malware-lu" +strings: + $a0 = { 06 FC 8C C8 BA ?? ?? 03 D0 52 BA ?? ?? 52 BA ?? ?? 03 C2 8B D8 05 ?? ?? 8E DB 8E C0 33 F6 33 FF B9 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeShieldv27 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 F4 86 06 00 C3 9C 60 E8 02 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule ExeShieldv29 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 0B 20 40 00 B9 EB 08 00 00 8D BD 53 20 40 00 8B F7 AC ?? ?? ?? F8 } + +condition: + $a0 at pe.entry_point +} + + +rule PEiDBundlev102v103BoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtMicrosoftVisualC5060 +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 D2 0F BE D2 EB 01 C7 EB 01 D8 8D 05 80 ?? ?? ?? EB 02 CD 20 EB 01 F8 BE F4 00 00 00 EB } + +condition: + $a0 at pe.entry_point +} + + +rule PUNiSHERV15FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 3F 00 00 80 66 20 ?? 00 7E 20 ?? 00 92 20 ?? 00 A4 20 ?? 
00 00 00 00 00 4B 45 52 4E 45 4C 33 32 } + +condition: + $a0 +} + + +rule ExcaliburV103forgot +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 6A 45 E8 A3 00 00 00 68 00 00 00 00 E8 58 61 EB 39 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPack10betaap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 F9 01 00 00 89 85 48 02 00 00 5B FF B5 } + $a1 = { 60 E8 00 00 00 00 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 00 00 8D 9D 13 01 00 00 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 6A 00 FF 95 F9 01 00 00 89 85 48 02 00 00 5B FF B5 48 02 00 00 56 FF D3 83 C4 08 8B B5 48 02 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 83 C0 04 89 85 44 02 00 00 EB 7A 56 FF 95 F1 01 00 00 89 85 40 02 00 00 8B C6 EB 4F 8B 85 44 02 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 44 02 00 00 C7 00 20 20 20 00 EB 06 FF B5 44 02 00 00 FF B5 40 02 00 00 FF 95 F5 01 00 00 89 07 83 C7 04 8B 85 44 02 00 00 EB 01 40 80 38 00 75 FA 40 89 85 44 02 00 00 80 38 00 75 AC EB 01 46 80 3E 00 75 FA 46 40 8B 38 83 C0 04 89 85 44 02 00 00 80 3E 01 75 81 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 48 02 00 00 FF 95 FD 01 00 00 61 68 ?? ?? ?? ?? C3 60 8B 74 24 24 8B 7C } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule nMacrorecorder10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 5C 6E 6D 72 5F 74 65 6D 70 2E 6E 6D 72 00 00 00 72 62 00 00 58 C7 41 00 10 F8 41 00 11 01 00 00 00 00 00 00 46 E1 00 00 46 E1 00 00 35 00 00 00 F6 88 41 00 } + +condition: + $a0 +} + + +rule PrivateEXEv20a +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 E8 00 00 00 00 5B 8B C3 2D } + $a1 = { 06 60 C8 ?? ?? ?? 0E 68 ?? ?? 9A ?? ?? ?? ?? 
3D ?? ?? 0F ?? ?? ?? 50 50 0E 68 ?? ?? 9A ?? ?? ?? ?? 0E } + $a2 = { 53 E8 ?? ?? ?? ?? 5B 8B C3 2D ?? ?? ?? ?? 50 81 ?? ?? ?? ?? ?? 8B } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point +} + + +rule PackmanV10BrandonLaCombe +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01PEX099Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 01 00 00 00 55 83 C4 04 E8 01 00 00 00 90 5D 81 FF FF FF 00 01 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule PAKSFXArchive +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 ?? ?? A1 ?? ?? 2E ?? ?? ?? 2E ?? ?? ?? ?? ?? 8C D7 8E C7 8D ?? ?? BE ?? ?? FC AC 3C 0D } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv2xxAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 } + $a1 = { A8 03 ?? ?? 61 75 08 B8 01 ?? ?? ?? C2 0C ?? 68 ?? ?? ?? ?? C3 8B 85 26 04 ?? ?? 8D 8D 3B 04 ?? ?? 51 50 FF 95 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule SimbiOZ13Extranger +{ + meta: + author="malware-lu" +strings: + $a0 = { 57 57 8D 7C 24 04 50 B8 00 ?? ?? ?? AB 58 5F C3 } + +condition: + $a0 at pe.entry_point +} + + +rule muckisprotectorImucki +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? ?? ?? B9 ?? ?? ?? ?? 8A 06 F6 D0 88 06 46 E2 F7 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidium1339ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 
8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 CF 27 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule LOCK98V10028keenvim +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 E8 00 00 00 00 5D 81 ?? ?? ?? ?? ?? EB 05 E9 ?? ?? ?? ?? EB 08 } + +condition: + $a0 at pe.entry_point +} + + +rule iPBProtectv013 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 FA 33 DB 89 5D F8 6A 02 EB 01 F8 58 5F 5E 5B 64 8B 25 00 00 00 00 64 8F 05 00 00 00 00 58 58 58 5D 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78 } + +condition: + $a0 +} + + +rule PrivateEXEProtector197SetiSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F4 FC 53 57 56 8B 74 24 20 8B 7C 24 24 66 81 3E 4A 43 0F 85 A5 02 00 00 83 C6 0A 33 DB BA 00 00 00 80 C7 44 24 14 08 00 00 00 43 8D A4 24 00 00 00 00 8B FF 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 2C 8B 4C 24 10 33 C0 8D A4 24 00 00 00 00 05 00 00 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 02 44 24 0C 88 07 47 EB C6 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 82 6E 01 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 83 DC 00 00 00 B9 04 00 00 00 33 C0 8D A4 24 00 00 00 00 8D 64 24 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 48 74 B1 0F 89 EF 01 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 42 BD 00 01 00 00 B9 08 00 00 00 33 C0 8D A4 24 00 00 00 00 05 00 00 00 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 88 07 47 4D 75 D6 } + +condition: + $a0 +} + + +rule ASPackv21AlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv103bAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 
5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv20 +{ + meta: + author="malware-lu" +strings: + $a0 = { 87 25 ?? ?? ?? ?? 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 } + +condition: + $a0 +} + + +rule PseudoSigner01PEIntro10Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 04 24 9C 60 E8 14 00 00 00 5D 81 ED 0A 45 40 90 80 BD 67 44 40 90 90 0F 85 48 FF ED 0A E9 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv099SpecialBuildheXerforgot +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 ?? ?? 00 F5 ?? ?? 00 ED ?? ?? 00 00 00 00 00 00 00 00 00 12 ?? ?? 00 FD ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 } + $a1 = { E9 5E DF FF FF 00 00 00 ?? ?? ?? ?? E5 ?? ?? 00 00 00 00 00 00 00 00 00 05 ?? ?? 00 F5 ?? ?? 00 ED ?? ?? 00 00 00 00 00 00 00 00 00 12 ?? ?? 00 FD ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 00 00 00 1D ?? ?? 00 00 00 00 00 30 ?? ?? 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule VxBackfont900 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? B4 30 CD 21 3C 03 ?? ?? B8 ?? ?? BA ?? ?? CD 21 81 FA ?? ?? ?? ?? BA ?? ?? 8C C0 48 8E C0 8E D8 80 ?? ?? ?? 5A ?? ?? 03 ?? ?? ?? 40 8E D8 80 ?? ?? ?? 5A ?? ?? 83 } + +condition: + $a0 at pe.entry_point +} + + +rule CrunchPEv20xx +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 E8 ?? ?? ?? ?? 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 55 BB ?? ?? ?? ?? 03 DD 53 64 67 FF 36 ?? ?? 64 67 89 26 } + +condition: + $a0 at pe.entry_point +} + + +rule Litev003a +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 06 FC 1E 07 BE ?? ?? ?? ?? 
6A 04 68 ?? 10 ?? ?? 68 } + +condition: + $a0 at pe.entry_point +} + + +rule SimplePack1XMethod2bagie +{ + meta: + author="malware-lu" +strings: + $a0 = { 4D 5A 90 EB 01 00 52 E9 ?? 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule PEncryptv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C BE 00 10 40 00 8B FE B9 28 03 00 00 BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 } + +condition: + $a0 at pe.entry_point +} + + +rule BJFntv12RC +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB } + +condition: + $a0 at pe.entry_point +} + + +rule FishPEShield112116HellFish +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 BD FE FF FF 89 45 DC E8 E1 FD FF FF 8B 00 03 45 DC 89 45 E4 E8 DC FE FF FF 8B D8 BA 8E 4E 0E EC 8B C3 E8 2E FF FF FF 89 45 F4 BA 04 49 32 D3 8B C3 E8 1F FF FF FF 89 45 F8 BA 54 CA AF 91 8B C3 E8 10 FF FF FF 89 45 F0 BA AC 33 06 03 8B C3 E8 01 FF FF FF 89 45 EC BA 1B C6 46 79 8B C3 E8 F2 FE FF FF 89 45 E8 BA AA FC 0D 7C 8B C3 E8 E3 FE FF FF 89 45 FC 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B } + $a1 = { 60 E8 EA FD FF FF FF D0 C3 8D 40 00 ?? 00 00 00 2C 00 00 00 ?? ?? ?? 00 ?? ?? 00 00 ?? ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 00 00 00 00 ?? ?? 00 ?? ?? 00 00 ?? 00 00 00 00 ?? ?? 00 00 10 00 00 ?? ?? ?? 00 40 ?? ?? ?? 00 00 ?? ?? 00 00 ?? ?? 00 ?? ?? ?? 00 40 ?? ?? ?? 00 00 ?? 00 00 00 ?? ?? 00 ?? ?? 
00 00 40 } + +condition: + $a0 or $a1 at pe.entry_point +} + + +rule CodeCryptv016bv0163b +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 2E 03 00 00 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F } + +condition: + $a0 at pe.entry_point +} + + +rule VOBProtectCD +{ + meta: + author="malware-lu" +strings: + $a0 = { 5F 81 EF ?? ?? ?? ?? BE ?? ?? 40 ?? 8B 87 ?? ?? ?? ?? 03 C6 57 56 8C A7 ?? ?? ?? ?? FF 10 89 87 ?? ?? ?? ?? 5E 5F } + +condition: + $a0 at pe.entry_point +} + + +rule diProtectorV1XdiProtectorSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 01 00 A0 E3 14 00 00 EB 00 00 20 E0 44 10 9F E5 03 2A A0 E3 40 30 A0 E3 AE 00 00 EB 30 00 8F E5 00 20 A0 E1 3A 0E 8F E2 00 00 80 E2 1C 10 9F E5 20 30 8F E2 0E 00 00 EB 14 00 9F E5 14 10 9F E5 7F 20 A0 E3 C5 00 00 EB 04 C0 8F E2 00 F0 9C E5 } + +condition: + $a0 at pe.entry_point +} + + +rule PrivateexeProtector20SetiSoftTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule AHTeamEPProtector03fakekkryptor9kryptoraFEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 ?? ?? ?? ?? 5E B9 00 00 00 00 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9 } + +condition: + $a0 at pe.entry_point +} + + +rule PEBundlev310 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 02 00 00 00 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 00 87 DD ?? ?? ?? ?? 40 00 01 } + +condition: + $a0 +} + + +rule NsPack34NorthStar +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF 80 38 01 0F 84 42 02 00 00 C6 00 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? 
FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 } + +condition: + $a0 at pe.entry_point +} + + +rule PellesC280290EXEX86CRTLIB +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC ?? 83 EC ?? 53 56 57 89 65 E8 68 00 00 00 ?? E8 ?? ?? ?? ?? 59 A3 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackV115V117Dllap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 7C 24 08 01 0F 85 ?? 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF E8 } + +condition: + $a0 at pe.entry_point +} + + +rule PellesC28x45xPelleOrinius +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 83 EC } + +condition: + $a0 at pe.entry_point +} + + +rule Thinstallv2460Jitit +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 F4 18 40 00 50 E8 87 FC FF FF 59 59 A1 94 1A 40 00 8B 40 10 03 05 90 1A 40 00 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 00 00 00 76 0C 00 00 D4 0C 00 00 1E } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110Engdulekxt +{ + meta: + author="malware-lu" +strings: + $a0 = { BB D0 01 40 ?? BF ?? 10 40 ?? BE } + $a1 = { E8 01 00 00 00 ?? ?? E8 ?? 00 00 00 } + $a2 = { EB 01 ?? EB 02 ?? ?? ?? 80 ?? ?? 00 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point +} + + +rule PECompactv2xx +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? 
00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 } + +condition: + $a0 +} + + +rule ASPackv10802AlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillo440SiliconRealmsToolworks +{ + meta: + author="malware-lu" +strings: + $a0 = { 31 2E 31 2E 34 00 00 00 C2 E0 94 BE 93 FC DE C6 B6 24 83 F7 D2 A4 92 77 40 27 CF EB D8 6F 50 B4 B5 29 24 FA 45 08 04 52 D5 1B D2 8C 8A 1E 6E FF 8C 5F 42 89 F1 83 B1 27 C5 69 57 FC 55 0A DD 44 BE 2A 02 97 6B 65 15 AA 31 E9 28 7D 49 1B DF B5 5D 08 A8 BA A8 } + +condition: + $a0 +} + + +rule Armadillov1xxv2xx +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 } + +condition: + $a0 at pe.entry_point +} + + +rule HACKSTOPv111c +{ + meta: + author="malware-lu" +strings: + $a0 = { B4 30 CD 21 86 E0 3D ?? ?? 73 ?? B4 ?? CD 21 B0 ?? B4 4C CD 21 53 BB ?? ?? 5B EB } + +condition: + $a0 at pe.entry_point +} + + +rule EXEStealth276UnregisteredWebtoolMaster +{ + meta: + author="malware-lu" +strings: + $a0 = { EB ?? 
45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 } + +condition: + $a0 +} + + +rule PseudoSigner02LCCWin32DLLAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 90 90 90 FF 75 10 FF 75 0C FF 75 08 A1 } + +condition: + $a0 at pe.entry_point +} + + +rule CDSSSv10Beta1CyberDoomTeamX +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 00 00 0B C0 0F 84 13 03 00 00 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 00 00 00 EB 12 64 A1 30 00 00 00 0F B6 40 02 0A C0 0F 85 E8 02 00 00 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 00 00 0B C0 0F 84 CE 02 00 00 E8 1E 03 00 00 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv041x +{ + meta: + author="malware-lu" +strings: + $a0 = { 66 8B C0 8D 24 24 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 50 8B FE 68 78 01 ?? ?? 59 EB 01 EB AC 54 E8 03 ?? ?? ?? 5C EB 08 } + +condition: + $a0 at pe.entry_point +} + + +rule ZCodeWin32PEProtectorv101 +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 12 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? E9 FB FF FF FF C3 68 ?? ?? ?? ?? 64 FF 35 } + +condition: + $a0 at pe.entry_point +} + + +rule ABCCryptor10byZloY +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 FF 64 24 F0 68 58 58 58 58 90 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68 ?? ?? ?? ?? BF 00 ?? ?? ?? B9 00 ?? ?? ?? 80 37 ?? 47 39 CF 75 F8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? BF 00 ?? ?? ?? B9 00 ?? ?? ?? 80 37 ?? 47 39 CF 75 F8 } + +condition: + $a0 +} + + +rule FSGv120EngdulekxtMicrosoftVisualC60 +{ + meta: + author="malware-lu" +strings: + $a0 = { C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 
42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 } + +condition: + $a0 at pe.entry_point +} + + +rule SLVc0deProtectorv061SLV +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 } + $a1 = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 00 00 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 00 00 8B FE AC } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule FSG131dulekxt +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? ?? 00 BF ?? ?? ?? 00 BB ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackV112V114aPlib043ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 ?? ?? ?? ?? 8D 9D ?? ?? ?? ?? 33 FF EB 0F FF ?? ?? ?? FF ?? ?? ?? D3 83 C4 ?? 83 C7 ?? 
83 3C 37 00 75 EB } + +condition: + $a0 +} + + +rule Crypter31SLESH +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 FF 64 24 F0 68 58 58 58 58 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68 } + +condition: + $a0 +} + + +rule PseudoSigner01VBOX43MTEAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakeBJFNT13emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 03 3A 4D 3A 1E EB 02 CD 20 9C EB 02 CD 20 EB 02 CD 20 60 EB 02 C7 05 EB 02 CD 20 E8 03 00 00 00 E9 EB 04 58 40 50 C3 61 9D 1F EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule FreeCryptor02build002GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { 33 D2 90 1E 68 1B ?? ?? ?? 0F A0 1F 8B 02 90 50 54 8F 02 90 90 8E 64 24 08 FF E2 58 50 33 D2 52 83 F8 01 9B 40 8A 10 89 14 24 90 D9 04 24 90 D9 FA D9 5C 24 FC 8B 5C 24 FC 81 F3 C2 FC 1D 1C 75 E3 74 01 62 FF D0 90 5A 33 C0 8B 54 24 08 90 64 8F 00 90 83 C2 08 52 5C 5A } + +condition: + $a0 +} + + +rule PackItBitchV10archphase +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule nPackv11250BetaNEOx +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 3D 04 ?? ?? ?? 00 75 05 E9 01 00 00 00 C3 E8 46 00 00 00 E8 73 00 00 00 B8 2E ?? ?? ?? 2B 05 08 ?? ?? ?? A3 00 ?? ?? ?? E8 9C 00 00 00 E8 04 02 00 00 E8 FB 06 00 00 E8 1B 06 00 00 A1 00 ?? ?? ?? C7 05 04 ?? ?? ?? 01 00 00 00 01 05 00 ?? ?? ?? FF 35 00 } + +condition: + $a0 at pe.entry_point +} + + +rule UnpackedBSSFXArchivev19 +{ + meta: + author="malware-lu" +strings: + $a0 = { 1E 33 C0 50 B8 ?? ?? 8E D8 FA 8E D0 BC ?? ?? FB B8 ?? ?? CD 21 3C 03 73 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01VideoLanClientAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 08 90 90 90 90 90 90 90 90 90 90 90 90 90 90 01 FF FF 01 01 01 00 01 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00 01 00 01 00 01 90 90 00 01 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01PECompact14Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 EB 06 68 90 90 90 90 C3 9C 60 E8 02 90 90 90 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01DxPack10Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 90 90 90 90 2B B9 00 00 00 00 81 EF 90 90 90 90 83 BD 90 90 90 90 90 0F 84 00 00 00 00 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule Splice11byTw1stedL0gic +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 00 1A 40 00 E8 EE FF FF FF 00 00 00 00 00 00 30 00 00 00 40 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 ?? ?? ?? ?? ?? ?? 50 72 6F 6A 65 63 74 31 00 ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 06 00 00 00 AC 29 40 00 07 00 00 00 BC 28 40 00 07 00 00 00 74 28 40 00 07 00 00 00 2C 28 40 00 07 00 00 00 08 23 40 00 01 00 00 00 38 21 40 00 00 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 8C 21 40 00 08 ?? 40 00 01 00 00 00 AC 19 40 00 00 00 00 00 00 00 00 00 00 00 00 00 AC 19 40 00 4F 00 43 00 50 00 00 00 E7 AF 58 2F 9A 4C 17 4D B7 A9 CA 3E 57 6F F7 76 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv140v145 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 90 90 01 85 9E A0 40 ?? BB C3 11 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillo300aSiliconRealmsToolworks +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F } + +condition: + $a0 at pe.entry_point +} + + +rule NullsoftInstallSystemv20b4 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 10 53 55 56 57 C7 44 24 14 F0 91 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 88 72 40 00 BE 00 D4 42 00 BF 00 04 00 00 56 57 A3 60 6F 42 00 FF 15 C4 70 40 00 E8 9F FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 60 71 40 00 } + $a1 = { 83 EC 14 83 64 24 04 00 53 55 56 57 C6 44 24 13 20 FF 15 30 70 40 00 BE 00 20 7A 00 BD 00 04 00 00 56 55 FF 15 C4 70 40 00 56 E8 7D 2B 00 00 8B 1D 8C 70 40 00 6A 00 56 FF D3 BF 80 92 79 00 56 57 E8 15 26 00 00 85 C0 75 38 68 F8 91 40 00 55 56 FF 15 60 71 } + +condition: + $a0 or $a1 +} + + +rule PESHiELDv01bMTE +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B9 1B 01 ?? ?? 
D1 } + +condition: + $a0 at pe.entry_point +} + + +rule BeRoEXEPackerV100BeRo +{ + meta: + author="malware-lu" +strings: + $a0 = { BA ?? ?? ?? ?? 8D B2 ?? ?? ?? ?? 8B 46 ?? 85 C0 74 51 03 C2 8B 7E ?? 8B 1E 85 DB 75 02 8B DF 03 DA 03 FA 52 57 50 FF 15 ?? ?? ?? ?? 5F 5A 85 C0 74 2F 8B C8 8B 03 85 C0 74 22 0F BA F0 1F 72 04 8D 44 ?? ?? 51 52 57 50 51 FF 15 ?? ?? ?? ?? 5F 5A 59 85 C0 74 0B AB 83 C3 04 EB D8 83 C6 14 EB AA 61 C3 } + +condition: + $a0 +} + + +rule MSLRHv32aemadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 } + +condition: + $a0 at pe.entry_point +} + + +rule SpecialEXEPaswordProtectorv101EngPavolCerven +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 89 AD 8C 01 00 00 8B C5 2B 85 FE 75 00 00 89 85 3E 77 00 00 8D 95 C6 77 00 00 8D 8D FF 77 00 00 55 68 00 20 00 00 51 52 6A 00 FF 95 04 7A 00 00 5D 6A 00 FF 95 FC 79 00 00 8D 8D 60 78 00 00 8D 95 85 01 00 00 55 68 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv166 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 ?? 87 DD 8B 85 E6 90 40 ?? 01 85 33 90 40 ?? 66 C7 85 ?? 90 40 ?? 
90 90 01 85 DA 90 40 ?? 01 85 DE 90 40 ?? 01 85 E2 90 40 ?? BB 5B 11 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv167 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 90 90 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 8B 11 } + +condition: + $a0 at pe.entry_point +} + + +rule VIRUSIWormHybris +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 16 A8 54 ?? ?? 47 41 42 4C 4B 43 47 43 ?? ?? ?? ?? ?? ?? 52 49 53 ?? FC 68 4C 70 40 ?? FF 15 } + +condition: + $a0 +} + + +rule GPInstallv50332 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 33 C9 51 51 51 51 51 51 51 53 56 57 B8 C4 1C 41 00 E8 6B 3E FF FF 33 C0 55 68 76 20 41 00 64 FF 30 64 89 20 BA A0 47 41 00 33 C0 E8 31 0A FF FF 33 D2 A1 A0 } + +condition: + $a0 +} + + +rule PseudoSigner02PEIntro10Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 04 24 9C 60 E8 14 00 00 00 5D 81 ED 0A 45 40 90 80 BD 67 44 40 90 90 0F 85 48 FF ED 0A } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov410SiliconRealmsToolworks +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 F8 8E 4C 00 68 D0 EA 49 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 7C A5 4C 00 8B C8 81 E1 FF 00 00 00 89 0D 78 A5 4C 00 C1 E1 08 03 CA 89 0D 74 A5 4C 00 C1 E8 10 A3 70 A5 } + +condition: + $a0 at pe.entry_point +} + + +rule AverCryptor102betaos1r1s +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 0C 17 40 00 8B BD 33 18 40 00 8B 8D 3B 18 40 00 B8 51 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 37 18 40 00 33 C0 51 33 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 37 18 40 00 8B 85 3F 18 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 8B F1 E8 27 
00 00 00 8B C8 5F B8 51 18 40 00 03 C5 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 2F 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv131 +{ + meta: + author="malware-lu" +strings: + $a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 BB ?? ?? ?? ?? B2 80 A4 B6 80 FF D3 73 F9 33 C9 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv133 +{ + meta: + author="malware-lu" +strings: + $a0 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 } + +condition: + $a0 at pe.entry_point +} + + +rule HidePE101BGCorp +{ + meta: + author="malware-lu" +strings: + $a0 = { BA ?? ?? ?? 00 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 04 B8 ?? ?? ?? ?? 89 02 83 C2 F8 FF E2 0D 0A 2D 3D 5B 20 48 69 64 65 50 45 20 62 79 20 42 47 43 6F 72 70 20 5D 3D 2D } + +condition: + $a0 at pe.entry_point +} + + +rule EXEStealthv11 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED FB 1D 40 00 B9 7B 09 00 00 8B F7 AC } + +condition: + $a0 at pe.entry_point +} + + +rule Thinstallvxx +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidium1200ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? 
E8 3F 1E 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PrivatePersonalPackerPPP103ConquestOfTroycom +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 19 00 00 00 90 90 E8 68 00 00 00 FF 35 2C 37 00 10 E8 ED 01 00 00 6A 00 E8 2E 04 00 00 E8 41 04 00 00 A3 74 37 00 10 6A 64 E8 5F 04 00 00 E8 30 04 00 00 A3 78 37 00 10 6A 64 E8 4E 04 00 00 E8 1F 04 00 00 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 00 00 00 73 07 6A 00 E8 D9 03 00 00 C3 6A 0A 6A 07 6A 00 E8 D3 03 00 00 A3 20 37 00 10 50 6A 00 E8 DE 03 00 00 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 00 00 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 00 00 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9 } + +condition: + $a0 at pe.entry_point +} + + +rule VIRUSIWormBagle +{ + meta: + author="malware-lu" +strings: + $a0 = { 6A 00 E8 95 01 00 00 E8 9F E6 FF FF 83 3D 03 50 40 00 00 75 14 68 C8 AF 00 00 E8 01 E1 FF FF 05 88 13 00 00 A3 03 50 40 00 68 5C 57 40 00 68 F6 30 40 00 FF 35 03 50 40 00 E8 B0 EA FF FF E8 3A FC FF FF 83 3D 54 57 40 00 00 74 05 E8 F3 FA FF FF 68 E8 03 00 } + +condition: + $a0 +} + + +rule RLPackv118BasicLZMAAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 21 0B 00 00 8D 9D FF 02 00 00 33 FF E8 9F 01 00 00 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 AA 0A 00 00 89 85 F9 0A 00 00 EB 14 60 FF B5 F9 0A } + +condition: + $a0 at pe.entry_point +} + + +rule StonesPEEncryptorv20 +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 51 52 56 57 55 E8 ?? ?? ?? ?? 5D 81 ED 42 30 40 ?? FF 95 32 35 40 ?? B8 37 30 40 ?? 03 C5 2B 85 1B 34 40 ?? 89 85 27 34 40 ?? 83 } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv029betaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? ?? ?? 42 79 44 77 69 6E 67 40 00 00 00 50 45 00 00 4C 01 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
29 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02BJFNT11bAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 90 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXScramblerRCv1x +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF } + +condition: + $a0 at pe.entry_point +} + + +rule PECrypt15BitShapeSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 55 20 40 00 B9 7B 09 00 00 8D BD 9D 20 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 CC } + +condition: + $a0 at pe.entry_point +} + + +rule Upackv021BetaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 88 01 ?? ?? AD 8B F8 ?? ?? ?? ?? 33 } + +condition: + $a0 at pe.entry_point +} + + +rule UPXFreakV01HMX0101 +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? ?? ?? 
83 C6 01 FF E6 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule UnnamedScrambler20p0ke +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B9 0A 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 1C 2F 40 00 E8 C8 F1 FF FF 33 C0 55 68 FB 33 40 00 64 FF 30 64 89 20 BA 0C 34 40 00 B8 E4 54 40 00 E8 EF FE FF FF 8B D8 85 DB 75 07 6A 00 E8 5A F2 FF FF BA E8 54 40 00 8B C3 8B 0D E4 54 40 00 E8 74 E2 FF FF C7 05 20 6B 40 00 09 00 00 00 BB 98 69 40 00 C7 45 EC E8 54 40 00 C7 45 E8 31 57 40 00 C7 45 E4 43 60 40 00 BE D3 6A 40 00 BF E0 6A 40 00 83 7B 04 00 75 0B 83 3B 00 0F 86 AA 03 00 00 EB 06 0F 8E A2 03 00 00 8B 03 8B D0 B8 0C 6B 40 00 E8 C1 EE FF FF B8 0C 6B 40 00 E8 6F EE FF FF 8B D0 8B 45 EC 8B 0B E8 0B E2 FF FF 6A 00 6A 1E 6A 00 6A 2C A1 0C 6B 40 00 E8 25 ED FF FF 8D 55 E0 E8 15 FE FF FF 8B 55 E0 B9 10 6B 40 00 A1 0C 6B 40 00 } + +condition: + $a0 +} + + +rule HACKSTOPv100 +{ + meta: + author="malware-lu" +strings: + $a0 = { FA BD ?? ?? FF E5 6A 49 48 0C ?? E4 ?? 3F 98 3F } + +condition: + $a0 at pe.entry_point +} + + +rule ExeShield36wwwexeshieldcom +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC E9 FB C8 4F 1B 22 7C B4 C8 0D BD 71 A9 C8 1F 5F B1 29 8F 11 73 8F 00 D1 88 87 A9 3F 4D 00 6C 3C BF C0 80 F7 AD 35 23 EB 84 82 6F } + +condition: + $a0 at pe.entry_point +} + + +rule Pe123v200644 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B C0 EB 01 34 60 EB 01 2A 9C EB 02 EA C8 E8 0F 00 00 00 EB 03 3D 23 23 EB 01 4A EB 01 5B C3 8D 40 00 53 EB 01 6C EB 01 7E EB 01 8F E8 15 01 00 00 50 E8 67 04 00 00 EB 01 9A 8B D8 FF D3 5B C3 8B C0 E8 00 00 00 00 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10 } + +condition: + $a0 at pe.entry_point +} + + +rule SDProtectorV11xRandyLi +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 
68 88 88 88 08 64 A1 } + +condition: + $a0 at pe.entry_point +} + + +rule BobPackv100BoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 } + +condition: + $a0 at pe.entry_point +} + + +rule DBPEv210 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?? ?? ?? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 01 E8 79 E0 7A 01 75 83 C4 04 9D EB 01 75 68 5F 20 40 ?? E8 B0 EF FF FF 72 03 73 01 75 BE } + +condition: + $a0 at pe.entry_point +} + + +rule NsPackv31NorthStar +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 } + $a1 = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 00 00 6A 00 } + +condition: + $a0 at pe.entry_point or $a1 +} + + +rule SVKProtectorV13XPavolCerven +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 EB 05 B8 ?? ?? 
42 00 64 A0 23 00 00 00 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 00 00 00 8D B5 C5 02 00 00 56 80 06 44 46 E2 FA 8B 8D C1 02 00 00 5E 55 51 6A 00 56 FF 95 0C 61 00 00 59 5D 40 85 C0 75 3C 80 3E 00 74 03 46 EB F8 46 E2 E3 8B C5 8B 4C 24 20 2B 85 BD 02 00 00 89 85 B9 02 00 00 80 BD B4 02 00 00 01 75 06 8B 8D 0C 61 00 00 89 8D B5 02 00 00 8D 85 0E 03 00 00 8B DD FF E0 55 68 10 10 00 00 8D 85 B4 00 00 00 50 8D 85 B4 01 00 00 50 6A 00 FF 95 18 61 00 00 5D 6A FF FF 95 10 61 00 00 44 65 62 75 67 67 65 72 20 6F 72 20 74 6F 6F 6C 20 66 6F 72 20 6D 6F 6E 69 74 6F 72 69 6E 67 20 64 65 74 65 63 74 65 64 21 21 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakePECrypt102FEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 E8 00 00 00 00 5B 83 EB 05 EB 04 52 4E 44 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02WATCOMCCEXEAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 00 00 00 00 90 90 90 90 57 41 } + +condition: + $a0 at pe.entry_point +} + + +rule PENinja: Packer PEiD +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule UpackV036Dwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 0B 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 18 10 00 00 10 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 02 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 14 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 FF 76 08 FF 76 0C BE 1C 01 } + $a1 = { BE ?? ?? ?? ?? FF 36 E9 C3 00 00 00 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule yodasProtectorv101AshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 53 56 57 E8 03 00 00 00 EB 01 ?? E8 86 00 00 00 E8 03 00 00 00 EB 01 ?? E8 79 00 00 00 E8 03 00 00 00 EB 01 ?? E8 A4 00 00 00 E8 03 00 00 00 EB 01 ?? E8 97 00 00 00 E8 03 00 00 00 EB 01 ?? E8 2D 00 00 00 E8 03 00 00 00 EB 01 ?? 60 E8 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule UPX050070 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 58 83 E8 3D } + +condition: + $a0 at pe.entry_point +} + + +rule VxVCLencrypted +{ + meta: + author="malware-lu" +strings: + $a0 = { 01 B9 ?? ?? 81 34 ?? ?? 46 46 E2 F8 C3 } + $a1 = { 01 B9 ?? ?? 81 35 ?? ?? 47 47 E2 F8 C3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule VxXRCV1015 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5E 83 ?? ?? 53 51 1E 06 B4 99 CD 21 80 FC 21 ?? ?? ?? ?? ?? 33 C0 50 8C D8 48 8E C0 1F A1 ?? ?? 8B } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackv118BasicDLLaPLibAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 00 00 00 00 8B 2C 24 83 C4 04 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 } + +condition: + $a0 at pe.entry_point +} + + +rule PellesC290300400DLLX86CRTLIB +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 BF 01 00 00 00 85 DB 75 10 83 3D ?? ?? ?? ?? 00 75 07 31 C0 E9 ?? ?? ?? ?? 83 FB 01 74 05 83 FB 02 75 ?? 
85 FF 74 } + +condition: + $a0 at pe.entry_point +} + + +rule UnnamedScrambler13Bp0ke +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B9 08 00 00 00 6A 00 6A 00 49 75 F9 53 56 57 B8 98 56 00 10 E8 48 EB FF FF 33 C0 55 68 AC 5D 00 10 64 FF 30 64 89 20 6A 00 68 BC 5D 00 10 68 C4 5D 00 10 6A 00 E8 23 EC FF FF E8 C6 CE FF FF 6A 00 68 BC 5D 00 10 68 ?? ?? ?? ?? 6A 00 E8 0B EC FF FF E8 F2 F4 FF FF B8 08 BC 00 10 33 C9 BA 04 01 00 00 E8 C1 D2 FF FF 6A 00 68 BC 5D 00 10 68 E4 5D 00 10 6A 00 E8 E2 EB FF FF 68 04 01 00 00 68 08 BC 00 10 6A 00 FF 15 68 77 00 10 6A 00 68 BC 5D 00 10 68 FC 5D 00 10 6A 00 E8 BD EB FF FF BA 10 5E 00 10 B8 70 77 00 10 E8 CA F3 FF FF 85 C0 0F 84 F7 05 00 00 BA 74 77 00 10 8B 0D 70 77 00 10 E8 FE CD FF FF 6A 00 } + +condition: + $a0 at pe.entry_point +} + + +rule HyingsPEArmor075exeHyingCCG +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 ?? ?? 00 00 00 00 00 00 ?? ?? 01 00 00 00 00 00 00 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 74 ?? ?? ?? 00 00 00 00 00 } + +condition: + $a0 +} + + +rule SimbiOZPolyCryptorvxxExtranger +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 68 ?? ?? ?? ?? 50 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule AVPACKv120 +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 1E 0E 1F 16 07 33 F6 8B FE B9 ?? ?? FC F3 A5 06 BB ?? ?? 
53 CB } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov220 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 10 12 41 00 68 F4 A0 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule XPack167 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 8C D3 15 33 75 81 3E E8 0F 00 9A E8 F9 FF 9A 9C EB 01 9A 59 80 CD 01 51 9D EB } + +condition: + $a0 at pe.entry_point +} + + +rule NullsoftInstallSystemv1xx +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 EC 2C 53 56 33 F6 57 56 89 75 DC 89 75 F4 BB A4 9E 40 00 FF 15 60 70 40 00 BF C0 B2 40 00 68 04 01 00 00 57 50 A3 AC B2 40 00 FF 15 4C 70 40 00 56 56 6A 03 56 6A 01 68 00 00 00 80 57 FF 15 9C 70 40 00 8B F8 83 FF FF 89 7D EC 0F 84 C3 00 00 00 } + $a1 = { 83 EC 0C 53 56 57 FF 15 20 71 40 00 05 E8 03 00 00 BE 60 FD 41 00 89 44 24 10 B3 20 FF 15 28 70 40 00 68 00 04 00 00 FF 15 28 71 40 00 50 56 FF 15 08 71 40 00 80 3D 60 FD 41 00 22 75 08 80 C3 02 BE 61 FD 41 00 8A 06 8B 3D F0 71 40 00 84 C0 74 0F 3A C3 74 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule BobSoftMiniDelphiBoBBobSoft +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 } + $a1 = { 55 8B EC 83 C4 F0 53 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 ?? ?? ?? ?? E8 } + $a2 = { 55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point +} + + +rule UltraProV10SafeNet +{ + meta: + author="malware-lu" +strings: + $a0 = { A1 ?? ?? ?? ?? 85 C0 0F 85 3B 06 00 00 55 56 C7 05 ?? ?? ?? ?? 01 00 00 00 FF 15 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv1242v1243 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 
87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 09 } + +condition: + $a0 at pe.entry_point +} + + +rule SimplePack121build0909Method2bagie +{ + meta: + author="malware-lu" +strings: + $a0 = { 4D 5A 90 EB 01 00 52 E9 8A 01 00 00 50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 0F 03 0B 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C 00 00 00 00 ?? ?? ?? 00 10 00 00 00 02 00 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 } + +condition: + $a0 +} + + +rule Obsidium13037ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VxPhoenix927 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 5E 81 C6 ?? ?? BF 00 01 B9 04 00 F3 A4 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule Petite14c199899IanLuck +{ + meta: + author="malware-lu" +strings: + $a0 = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 
51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 } + +condition: + $a0 at pe.entry_point +} + + +rule eXPressorV10CGSoftLabs +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 35 14 00 00 E9 31 13 00 00 E9 98 12 00 00 E9 EF 0C 00 00 E9 42 13 00 00 E9 E9 02 00 00 E9 EF 0B 00 00 E9 1B 0D 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RECryptv07xCruddRETh2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 55 81 04 24 0A 00 00 00 C3 8B F5 81 C5 ?? ?? 00 00 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 00 00 00 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B 17 33 55 58 89 17 83 C7 04 83 C1 FC EB EC 8B } + +condition: + $a0 at pe.entry_point +} + + +rule PassEXEv20 +{ + meta: + author="malware-lu" +strings: + $a0 = { 06 1E 0E 0E 07 1F BE ?? ?? B9 ?? ?? 87 14 81 ?? ?? ?? EB ?? C7 ?? ?? ?? 84 00 87 ?? ?? ?? FB 1F 58 4A } + +condition: + $a0 at pe.entry_point +} + + +rule RECryptv07xCruddRETh1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 61 60 E8 00 00 00 00 5D 55 81 04 24 0A 00 00 00 C3 8B F5 81 C5 ?? ?? 00 00 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 00 00 00 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B } + +condition: + $a0 at pe.entry_point +} + + +rule WIBUKeyV410Ahttpwibucomus +{ + meta: + author="malware-lu" +strings: + $a0 = { F7 05 ?? ?? ?? ?? FF 00 00 00 75 12 } + +condition: + $a0 at pe.entry_point +} + + +rule Mew501NorthFoxHCC +{ + meta: + author="malware-lu" +strings: + $a0 = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 
00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01ExeSmasherAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C FE 03 90 60 BE 90 90 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 FE 0B E9 } + +condition: + $a0 at pe.entry_point +} + + +rule UnnamedScrambler12C12Dp0ke +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC B9 05 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? 3A ?? ?? E8 ?? EC FF FF 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 E8 ?? D7 FF FF E8 ?? ?? FF FF B8 20 ?? ?? ?? 33 C9 BA 04 01 00 00 E8 ?? DB FF FF 68 04 01 00 00 68 20 ?? ?? ?? 6A 00 FF 15 10 ?? ?? ?? BA ?? ?? ?? ?? B8 14 ?? ?? ?? E8 ?? ?? FF FF 85 C0 0F 84 ?? 04 00 00 BA 18 ?? ?? ?? 8B 0D 14 ?? ?? ?? E8 ?? ?? FF FF 8B 05 88 ?? ?? ?? 8B D0 B8 54 ?? ?? ?? E8 ?? E3 FF FF B8 54 ?? ?? ?? E8 ?? E2 FF FF 8B D0 B8 18 ?? ?? ?? 8B 0D 88 ?? ?? ?? E8 ?? D6 FF FF FF 35 34 ?? ?? ?? FF 35 30 ?? ?? ?? FF 35 3C ?? ?? ?? FF 35 38 ?? ?? ?? 8D 55 E8 A1 88 ?? ?? ?? E8 ?? F0 FF FF 8B 55 E8 B9 54 } + +condition: + $a0 +} + + +rule AlexProtectorv04beta1byAlex +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 01 00 00 00 C7 83 C4 04 33 C9 E8 01 00 00 00 68 83 C4 04 E8 01 00 00 00 68 83 C4 04 B9 ?? 00 00 00 E8 01 00 00 00 68 83 C4 04 E8 00 00 00 00 E8 01 00 00 00 C7 83 C4 04 8B 2C 24 83 C4 04 E8 01 00 00 00 A9 83 C4 04 81 ED 3C 13 40 00 E8 01 00 00 00 68 } + +condition: + $a0 +} + + +rule UG2002Cruncherv03b3 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? E8 0D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
58 } + +condition: + $a0 at pe.entry_point +} + + +rule FishPEShield101HellFish +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 AD FF FF FF 89 45 DC E8 C1 FE FF FF 8B 10 03 55 DC 89 55 E4 83 C0 04 8B 10 89 55 FC 83 C0 04 8B 10 89 55 F4 83 C0 04 8B 10 89 55 F8 83 C0 04 8B 10 89 55 F0 83 C0 04 8B 10 89 55 EC 83 C0 04 8B 00 89 45 E8 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B 46 C7 45 E0 00 00 00 00 83 7B 04 00 74 14 } + $a1 = { 60 E8 12 FE FF FF C3 90 09 00 00 00 2C 00 00 00 ?? ?? ?? ?? C4 03 00 00 BC A0 00 00 00 40 01 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 99 00 00 00 00 8A 00 00 00 10 00 00 28 88 00 00 40 ?? 4B 00 00 00 02 00 00 00 A0 00 00 18 01 00 00 40 ?? 4C 00 00 00 0C 00 00 00 B0 00 00 38 0A 00 00 40 ?? 4E 00 00 00 00 00 00 00 C0 00 00 40 39 00 00 40 ?? 4E 00 00 00 08 00 00 00 00 01 00 C8 06 00 00 40 } + +condition: + $a0 or $a1 at pe.entry_point +} + + +rule PseudoSigner01Neolite20Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 A6 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule PEIntrov10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B 04 24 9C 60 E8 ?? ?? ?? ?? 5D 81 ED 0A 45 40 ?? 80 BD 67 44 40 ?? ?? 
0F 85 48 } + +condition: + $a0 at pe.entry_point +} + + +rule Obsidiumv1250ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule DevC4992BloodshedSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 89 E5 83 EC 08 C7 04 24 01 00 00 00 FF 15 ?? ?? ?? 00 E8 C8 FE FF FF 90 8D B4 26 00 00 00 00 55 89 E5 83 EC 08 C7 04 24 02 00 00 00 FF 15 ?? ?? ?? 00 E8 A8 FE FF FF 90 8D B4 26 00 00 00 00 55 8B 0D ?? ?? ?? 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackV119DllLZMA430ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 7C 24 08 01 0F 85 C7 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 00 00 EB 0C 8B 85 45 0B 00 00 89 85 49 0B 00 00 8D B5 6D 0B 00 00 8D 9D 2F 03 00 00 33 FF 6A 40 68 00 10 00 00 68 00 20 0C 00 6A 00 FF 95 DA 0A 00 00 89 85 41 0B 00 00 E8 76 01 00 00 EB 20 60 8B 85 49 0B 00 00 FF B5 41 0B 00 00 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 00 00 00 74 0E 83 BD 59 0B 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A 40 68 00 10 00 00 68 ?? ?? ?? ?? 
6A 00 FF 95 DA 0A 00 00 89 85 69 0B 00 00 5B 60 FF B5 41 0B 00 00 56 FF B5 69 0B 00 00 FF D3 61 8B B5 69 0B 00 00 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 E9 98 00 00 00 56 FF 95 D2 0A 00 00 89 85 61 0B 00 00 85 C0 0F 84 C8 00 00 00 8B C6 EB 5F 8B 85 65 0B 00 00 8B 00 A9 00 00 00 80 74 14 35 00 00 00 80 50 8B 85 65 0B 00 00 C7 00 20 20 20 00 EB 06 FF B5 65 0B 00 00 FF B5 61 0B 00 00 FF 95 D6 0A 00 00 85 C0 0F 84 87 00 00 00 89 07 83 C7 04 8B 85 65 0B 00 00 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 00 00 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 00 00 83 C0 04 89 85 65 0B 00 00 80 3E 01 0F 85 5F FF FF FF 68 00 40 00 00 68 ?? ?? ?? ?? FF B5 69 0B 00 00 FF 95 DE 0A 00 00 68 00 40 00 00 68 00 20 0C 00 FF B5 41 0B 00 00 FF 95 DE 0A 00 00 E8 3D 00 00 00 E8 24 01 00 00 61 E9 ?? ?? ?? ?? 61 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule XJXPALLiNSoN +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? 40 00 68 ?? ?? 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 44 53 56 57 66 9C } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov220b1 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 30 12 41 00 68 A4 A5 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptor20Vaska +{ + meta: + author="malware-lu" +strings: + $a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ?? ?? ?? ?? F7 D1 83 F1 FF } + +condition: + $a0 at pe.entry_point +} + + +rule SentinelSuperProAutomaticProtectionv641Safenet +{ + meta: + author="malware-lu" +strings: + $a0 = { A1 ?? ?? ?? ?? 55 8B ?? ?? ?? 85 C0 74 ?? 85 ED 75 ?? A1 ?? ?? ?? ?? 50 55 FF 15 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 55 51 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 15 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 6A 00 6A 00 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 
B8 01 00 00 00 5D C2 0C 00 } + +condition: + $a0 at pe.entry_point +} + + +rule TMTPascalv040 +{ + meta: + author="malware-lu" +strings: + $a0 = { 0E 1F 06 8C 06 ?? ?? 26 A1 ?? ?? A3 ?? ?? 8E C0 66 33 FF 66 33 C9 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02CrunchPEHeuristicAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 E8 0E 00 00 00 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? ?? ?? 2B 85 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakeMSVCDLLMethod4emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 56 57 BF 01 00 00 00 8B 75 0C 85 F6 5F 5E 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule VcAsmProtectorV10XVcAsm +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 
64 A1 00 00 00 00 50 64 89 25 00 00 00 00 E8 03 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VBOXv42MTE +{ + meta: + author="malware-lu" +strings: + $a0 = { 8C E0 0B C5 8C E0 0B C4 03 C5 74 00 74 00 8B C5 } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakeUPX0896102105124emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualC +{ + meta: + author="malware-lu" +strings: + $a0 = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 } + $a1 = { C1 C8 10 EB 01 0F BF 03 74 66 77 C1 E9 1D 68 83 ?? ?? 77 EB 02 CD 20 5E EB 02 CD 20 2B F7 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule VxHafen809 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 1C ?? 81 EE ?? ?? 50 1E 06 8C C8 8E D8 06 33 C0 8E C0 26 ?? ?? ?? 07 3D } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackFullEdition117LZMAAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 73 26 00 00 8D 9D 58 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 
6A } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01LTC13Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 54 E8 00 00 00 00 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule ACProtectv141 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 76 03 77 01 7B 74 03 75 01 78 47 87 EE E8 01 00 00 00 76 83 C4 04 85 EE EB 01 7F 85 F2 EB 01 79 0F 86 01 00 00 00 FC EB 01 78 79 02 87 F2 61 51 8F 05 19 38 01 01 60 EB 01 E9 E9 01 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule yodasProtectorV1031AshkbizDanehkar +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 2E E8 03 00 00 00 EB 01 ?? C3 60 E8 00 00 00 00 5D 81 ED 74 72 42 00 8B D5 81 C2 C3 72 42 00 52 E8 01 00 00 00 C3 C3 E8 03 00 00 00 EB 01 ?? E8 0E 00 00 00 E8 D1 FF FF FF C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 00 00 00 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 00 00 00 EB 01 ?? 33 DB B9 3F A9 42 00 81 E9 6E 73 42 00 8B D5 81 C2 6E 73 42 00 8D 3A 8B F7 33 C0 E8 03 00 00 00 EB 01 ?? E8 17 00 00 00 90 90 90 E9 98 2E 00 00 33 C0 64 FF 30 64 89 20 43 CC C3 } + +condition: + $a0 at pe.entry_point +} + + +rule tElock096tE +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 59 E4 FF FF 00 00 00 00 00 00 00 ?? ?? ?? ?? EE ?? ?? 00 00 00 00 00 00 00 00 00 0E ?? ?? 00 FE ?? ?? 00 F6 ?? ?? 00 00 00 00 00 00 00 00 00 1B ?? ?? 00 06 ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 ?? ?? 00 00 00 00 00 39 ?? ?? 00 00 00 00 00 26 ?? ?? 00 00 00 00 00 39 ?? ?? 
00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C } + +condition: + $a0 at pe.entry_point +} + + +rule WerusCrypter10byKas +{ + meta: + author="malware-lu" +strings: + $a0 = { BB E8 12 40 00 80 33 05 E9 7D FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule HEALTHv51byMuslimMPolyak +{ + meta: + author="malware-lu" +strings: + $a0 = { 1E E8 ?? ?? 2E 8C 06 ?? ?? 2E 89 3E ?? ?? 8B D7 B8 ?? ?? CD 21 8B D8 0E 1F E8 ?? ?? 06 57 A1 ?? ?? 26 } + +condition: + $a0 at pe.entry_point +} + + +rule PCGuardv303dv305d +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 50 E8 ?? ?? ?? ?? 5D EB 01 E3 60 E8 03 ?? ?? ?? D2 EB 0B 58 EB 01 48 40 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule VxNovember17768 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 5E 81 EE ?? ?? 50 33 C0 8E D8 80 3E ?? ?? ?? 0E 1F ?? ?? FC } + +condition: + $a0 at pe.entry_point +} + + +rule BeRoTinyPascalBeRo +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? ?? ?? 20 43 6F 6D 70 69 6C 65 64 20 62 79 3A 20 42 65 52 6F 54 69 6E 79 50 61 73 63 61 6C 20 2D 20 28 43 29 20 43 6F 70 79 72 69 67 68 74 20 32 30 30 36 2C 20 42 65 6E 6A 61 6D 69 6E 20 27 42 65 52 6F 27 20 52 6F 73 73 65 61 75 78 20 } + +condition: + $a0 at pe.entry_point +} + + +rule PrivateexeProtector21522XSetiSoftTeam +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 00 00 00 00 } + +condition: + $a0 +} + + +rule Protectorv1111DDeMPEEnginev09DDeMCIv092 +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 51 56 E8 00 00 00 00 5B 81 EB 08 10 00 00 8D B3 34 10 00 00 B9 F3 03 00 00 BA 63 17 2A EE 31 16 83 C6 04 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01XCR011Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 8B F0 33 DB 83 C3 01 83 C0 01 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule Trivial173bySMTSMF +{ + meta: + author="malware-lu" +strings: + $a0 = { EB ?? ?? 28 54 72 69 76 69 61 6C 31 37 33 20 62 79 20 53 4D 54 2F 53 4D 46 29 } + +condition: + $a0 at pe.entry_point +} + + +rule ASProtectv11MTE +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule WARNINGTROJANRobinPE +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 6A 00 6A 20 6A 02 6A 00 6A 03 68 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule PiCryptor10byScofield +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 CD FA FF FF 8B F8 81 EF AC 26 00 00 6A 00 6A 00 68 AC 26 00 00 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 00 00 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0 } + $a1 = { 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 
CD FA FF FF 8B F8 81 EF AC 26 00 00 6A 00 6A 00 68 AC 26 00 00 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 00 00 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0 5A 59 59 64 89 10 68 3D 1F 06 00 8D 45 EC E8 C3 F6 FF FF C3 } + $a2 = { 89 55 F8 BB 01 00 00 00 8A 04 1F 24 0F 8B 55 FC 8A 14 32 80 E2 0F 32 C2 8A 14 1F 80 E2 F0 02 D0 88 14 1F 46 8D 45 F4 8B 55 FC E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 3B F0 7E 05 BE 01 00 00 00 43 FF 4D F8 75 C2 ?? ?? ?? ?? 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? C3 E9 } + +condition: + $a0 or $a1 at pe.entry_point or $a2 +} + + +rule PseudoSigner02MacromediaFlashProjector60Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakeWWPack321xemadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 20 64 65 63 6F 6D 70 72 65 73 73 69 6F 6E 20 72 6F 75 74 69 6E 65 20 76 65 72 73 69 6F 6E 20 31 2E 31 32 0D 0A 28 63 29 20 31 39 39 38 20 50 69 6F 74 72 20 57 61 72 65 7A 61 6B 20 61 6E 64 20 52 61 66 61 6C 20 57 69 65 72 7A 62 69 63 6B 69 0D 0A 0D 0A 5D 5B 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule PEArmor07600765hying +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 00 00 08 00 00 00 00 00 00 00 60 E8 00 00 00 00 } + +condition: + $a0 +} + + +rule PECryptv102 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? ?? ?? 5B 83 EB 05 EB 04 52 4E 44 } + +condition: + $a0 at pe.entry_point +} + + +rule ILUCRYPTv4015exe +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B EC FA C7 46 F7 ?? ?? 42 81 FA ?? ?? 75 F9 FF 66 F7 } + +condition: + $a0 at pe.entry_point +} + + +rule NJoy13NEX +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 B8 48 36 40 00 E8 54 EE FF FF 6A 00 68 D8 2B 40 00 6A 0A 6A 00 E8 2C EF FF FF E8 23 E7 FF FF 8D 40 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VBOXv43v46 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 } + $a1 = { 90 03 C4 33 C4 33 C5 2B C5 33 C5 8B C5 ?? ?? 2B C5 48 ?? ?? 0B C0 86 E0 8C E0 ?? ?? 
8C E0 86 E0 03 C4 40 } + +condition: + $a0 or $a1 +} + + +rule CodeLockvxx +{ + meta: + author="malware-lu" +strings: + $a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 } + +condition: + $a0 at pe.entry_point +} + + +rule CipherWallSelfExtratorDecryptorGUIv15 +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 61 BE 00 10 42 00 8D BE 00 00 FE FF C7 87 C0 20 02 00 F9 89 C7 6A 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 } + +condition: + $a0 at pe.entry_point +} + + +rule ARMProtectorv01bySMoKE +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 04 00 00 00 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00 00 00 00 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 00 00 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 00 00 00 83 EB 01 00 8B FE E8 00 00 00 00 58 83 C0 } + +condition: + $a0 +} + + +rule Upackv037betaDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 37 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 } + $a1 = { BE B0 11 ?? ?? AD 50 FF 76 34 EB 7C 48 01 ?? ?? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 18 10 00 00 10 00 00 00 00 ?? ?? ?? 00 00 ?? ?? 00 10 00 00 00 02 00 00 04 00 00 00 00 00 37 00 04 00 00 00 00 00 00 00 00 ?? ?? ?? 00 02 00 00 00 00 00 00 ?? 00 00 ?? 00 00 ?? 00 00 ?? ?? 00 00 00 10 00 00 10 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 EE ?? ?? ?? 14 00 00 00 00 ?? ?? ?? ?? ?? ?? 00 FF 76 38 AD 50 8B 3E BE F0 ?? ?? ?? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 ?? ?? ?? ?? ?? 00 00 00 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ?? ?? ?? ?? 
E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 8E FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule PrivateExeProtector1xsetisoft +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? B9 ?? 90 01 ?? BE ?? 10 40 ?? 68 50 91 41 ?? 68 01 ?? ?? ?? C3 } + +condition: + $a0 at pe.entry_point +} + + +rule Petitev14 +{ + meta: + author="malware-lu" +strings: + $a0 = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 ?? ?? ?? ?? 6A 00 } + +condition: + $a0 at pe.entry_point +} + + +rule NullsoftInstallSystemv20a0 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 0C 53 56 57 FF 15 B4 10 40 00 05 E8 03 00 00 BE E0 E3 41 00 89 44 24 10 B3 20 FF 15 28 10 40 00 68 00 04 00 00 FF 15 14 11 40 00 50 56 FF 15 10 11 40 00 80 3D E0 E3 41 00 22 75 08 80 C3 02 BE E1 E3 41 00 8A 06 8B 3D 14 12 40 00 84 C0 74 19 3A C3 74 } + +condition: + $a0 +} + + +rule Obsidium1332ObsidiumSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 ?? E8 2B 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 3B 27 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule modifiedHACKSTOPv111f +{ + meta: + author="malware-lu" +strings: + $a0 = { 52 B4 30 CD 21 52 FA ?? FB 3D ?? ?? EB ?? 
CD 20 0E 1F B4 09 E8 } + +condition: + $a0 at pe.entry_point +} + + +rule VxKuku886 +{ + meta: + author="malware-lu" +strings: + $a0 = { 06 1E 50 8C C8 8E D8 BA 70 03 B8 24 25 CD 21 ?? ?? ?? ?? ?? 90 B4 2F CD 21 53 } + +condition: + $a0 at pe.entry_point +} + + +rule VxCIHVersion12TTITWIN95CIH +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8D ?? ?? ?? 33 DB 64 87 03 E8 ?? ?? ?? ?? 5B 8D } + +condition: + $a0 at pe.entry_point +} + + +rule ShegerdDongleV478MSCo +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 32 00 00 00 B8 ?? ?? ?? ?? 8B 18 C1 CB 05 89 DA 36 8B 4C 24 0C } + +condition: + $a0 at pe.entry_point +} + + +rule SDProtectRandyLi +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 88 88 88 08 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 58 64 A3 00 00 00 00 58 58 58 58 8B E8 E8 3B 00 00 00 E8 01 00 00 00 FF 58 05 } + +condition: + $a0 at pe.entry_point +} + + +rule SmokesCryptv12 +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 } + +condition: + $a0 at pe.entry_point +} + + +rule PEncryptv31 +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 ?? ?? ?? 00 F0 0F C6 } + +condition: + $a0 at pe.entry_point +} + + +rule PEncryptv30 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 00 00 00 00 5D 81 ED 05 10 40 00 8D B5 24 10 40 00 8B FE B9 0F 00 00 00 BB ?? ?? ?? ?? AD 33 C3 E2 FA } + +condition: + $a0 at pe.entry_point +} + + +rule RJoiner12byVaska250320071658 +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC 0C 02 00 00 8D 85 F4 FD FF FF 56 50 68 04 01 00 00 FF 15 14 10 40 00 90 8D 85 F4 FD FF FF 50 FF 15 10 10 40 00 90 BE 00 20 40 00 90 83 3E FF 0F 84 84 00 00 00 53 57 33 FF 8D 46 } + +condition: + $a0 at pe.entry_point +} + + +rule Minke101byCodius +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 F0 53 ?? ?? ?? ?? ?? 
10 E8 7A F6 FF FF BE 68 66 00 10 33 C0 55 68 DB 40 00 10 64 FF 30 64 89 20 E8 FA F8 FF FF BA EC 40 00 10 8B C6 E8 F2 FA FF FF 8B D8 B8 6C 66 00 10 8B 16 E8 88 F2 FF FF B8 6C 66 00 10 E8 76 F2 FF FF 8B D0 8B C3 8B 0E E8 E3 E4 FF FF E8 2A F9 FF FF E8 C1 F8 FF FF B8 6C 66 00 10 8B 16 E8 6D FA FF FF E8 14 F9 FF FF E8 AB F8 FF FF 8B 06 E8 B8 E3 FF FF 8B D8 B8 6C 66 00 10 E8 38 F2 FF FF 8B D3 8B 0E E8 A7 E4 FF ?? ?? ?? ?? C4 FB FF FF E8 E7 F8 FF FF 8B C3 E8 B0 E3 FF FF E8 DB F8 FF FF 33 C0 5A 59 59 64 89 10 68 E2 40 00 10 C3 E9 50 EB FF FF EB F8 5E 5B E8 BB EF FF FF 00 00 00 43 41 31 38 } + +condition: + $a0 at pe.entry_point +} + + +rule CrypWrapvxx +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 B8 ?? ?? ?? E8 90 02 ?? ?? 83 F8 ?? 75 07 6A ?? E8 ?? ?? ?? ?? FF 15 49 8F 40 ?? A9 ?? ?? ?? 80 74 0E } + +condition: + $a0 at pe.entry_point +} + + +rule WarningmaybeSimbyOZpolycryptorby3xpl01tver2xx250320072200 +{ + meta: + author="malware-lu" +strings: + $a0 = { 57 57 8D 7C 24 04 50 B8 00 D0 17 13 AB 58 5F C3 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule WARNINGTROJANHuiGeZi +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 C4 ?? FE FF FF 53 56 57 33 C0 89 85 ?? 
FE FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakeyodascryptor12emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC 90 2C 8A C0 C0 78 90 04 62 EB 01 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF } + +condition: + $a0 at pe.entry_point +} + + +rule EPv10 +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC 86 C4 AC AA 86 C4 AA E2 F6 00 B8 40 00 03 00 3C 40 D2 33 8B 66 14 50 70 8B 8D 34 02 44 8B 18 10 48 70 03 BA 0C ?? ?? ?? ?? C0 33 FE 8B 30 AC 30 D0 C1 F0 10 C2 D0 30 F0 30 C2 C1 AA 10 42 42 CA C1 E2 04 5F E9 5E B1 } + +condition: + $a0 at pe.entry_point +} + + +rule D1S1Gv11betaD1N +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 0A 00 00 00 18 00 00 80 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 02 00 00 00 88 00 00 80 38 00 00 80 96 00 00 80 50 00 00 80 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 00 00 68 00 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 01 00 00 00 00 00 78 00 00 00 B0 ?? ?? 00 10 00 00 00 00 00 00 00 00 00 00 00 C0 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 00 00 00 } + +condition: + $a0 +} + + +rule PROPACKv208 +{ + meta: + author="malware-lu" +strings: + $a0 = { 8C D3 8E C3 8C CA 8E DA 8B 0E ?? ?? 8B F1 83 ?? ?? 8B FE D1 ?? FD F3 A5 53 } + +condition: + $a0 at pe.entry_point +} + + +rule BlackEnergyDDoSBotCrypter +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 ?? ?? 81 EC 1C 01 00 00 53 56 57 6A 04 BE 00 30 00 00 56 FF 35 00 20 11 13 6A 00 E8 ?? 03 00 00 ?? ?? 
83 C4 10 ?? FF 89 7D F4 0F } + +condition: + $a0 at pe.entry_point +} + + +rule HACKSTOPv113 +{ + meta: + author="malware-lu" +strings: + $a0 = { 52 B8 ?? ?? 1E CD 21 86 E0 3D ?? ?? 73 ?? CD 20 0E 1F B4 09 E8 ?? ?? 24 ?? EA } + +condition: + $a0 at pe.entry_point +} + + +rule FreeJoiner151GlOFF +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 87 FF 90 90 B9 2B 00 00 00 BA 07 10 40 00 83 C2 03 90 87 FF 90 90 B9 04 00 00 00 90 87 FF 90 33 C9 C7 05 09 30 40 00 00 00 00 00 68 00 01 00 00 68 21 30 40 00 6A 00 E8 B7 02 00 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 68 21 30 40 00 E8 8F 02 00 00 A3 19 30 40 00 90 87 FF 90 8B 15 09 30 40 00 81 C2 04 01 00 00 F7 DA 6A 02 6A 00 52 } + +condition: + $a0 at pe.entry_point +} + + +rule PeXv099EngbartCrackPl +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 F5 00 00 00 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 } + +condition: + $a0 at pe.entry_point +} + + +rule HACKSTOPv119 +{ + meta: + author="malware-lu" +strings: + $a0 = { 52 BA ?? ?? 5A EB ?? 9A ?? ?? ?? ?? 30 CD 21 ?? ?? ?? D6 02 ?? ?? CD 20 0E 1F 52 BA ?? ?? 5A EB } + +condition: + $a0 at pe.entry_point +} + + +rule HACKSTOPv118 +{ + meta: + author="malware-lu" +strings: + $a0 = { 52 BA ?? ?? 5A EB ?? 9A ?? ?? ?? ?? 30 CD 21 ?? ?? ?? FD 02 ?? ?? CD 20 0E 1F 52 BA ?? ?? 5A EB } + +condition: + $a0 at pe.entry_point +} + + +rule PKLITEv200b +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 B8 ?? ?? BA ?? ?? 05 ?? ?? 3B 06 02 00 72 ?? B4 09 BA ?? ?? CD 21 B8 01 4C CD 21 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 2D ?? ?? 8E D0 51 2D ?? ?? 8E C0 50 B9 } + +condition: + $a0 at pe.entry_point +} + + +rule PKLITEv200c +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 B8 ?? ?? BA ?? ?? 3B C4 73 ?? 
8B C4 2D ?? ?? 25 ?? ?? 8B F8 B9 ?? ?? BE ?? ?? FC } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv032afakeNeolite20emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 A6 00 00 00 B0 7B 40 00 78 60 40 00 7C 60 40 00 00 00 00 00 B0 3F 00 00 12 62 40 00 4E 65 6F 4C 69 74 65 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 43 6F 6D 70 72 65 73 73 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 38 2C 31 39 39 39 20 4E 65 6F 57 6F 72 78 20 49 6E 63 0D 0A 50 6F 72 74 69 6F 6E 73 20 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 37 2D 31 39 39 39 20 4C 65 65 20 48 61 73 69 75 6B 0D 0A 41 6C 6C 20 52 69 67 68 74 73 20 52 65 73 65 72 76 65 64 2E 00 00 00 00 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule WWPACKv300v301Relocationspack +{ + meta: + author="malware-lu" +strings: + $a0 = { BE ?? ?? BA ?? ?? BF ?? ?? B9 ?? ?? 8C CD 8E DD 81 ED ?? ?? 06 06 8B DD 2B DA 8B D3 FC } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02CodeSafe20Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner02ZCode101Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E9 FB FF FF FF C3 68 00 00 00 00 64 FF 35 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VxCaz1204 +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 
5E 83 EE 03 1E 06 B8 FF FF CD 2F 3C 10 } + +condition: + $a0 at pe.entry_point +} + + +rule ZealPack10Zeal +{ + meta: + author="malware-lu" +strings: + $a0 = { C7 45 F4 00 00 40 00 C7 45 F0 ?? ?? ?? ?? 8B 45 F4 05 ?? ?? ?? ?? 89 45 F4 C7 45 FC 00 00 00 00 EB 09 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 55 F0 7D 22 8B 45 F4 03 45 FC 8A 08 88 4D F8 0F BE 55 F8 83 F2 0F 88 55 F8 8B 45 F4 03 45 FC 8A 4D F8 88 08 EB CD FF 65 F4 } + +condition: + $a0 at pe.entry_point +} + + +rule CPAV: Packer PEiD +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 ?? ?? 4D 5A B1 01 93 01 00 00 02 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackFullEdition117iBoxLZMAAp0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 8B 2C 24 83 C4 04 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D B5 67 30 00 00 8D 9D 66 03 00 00 33 FF ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 40 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A } + +condition: + $a0 at pe.entry_point +} + + +rule INCrypter03INinYbyz3e_NiFe +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 64 A1 30 00 00 00 8B 40 0C 8B 40 0C 8D 58 20 C7 03 00 00 00 00 E8 00 00 00 00 5D 81 ED 4D 16 40 00 8B 9D 0E 17 40 00 64 A1 18 00 00 00 8B 40 30 0F B6 40 02 83 F8 01 75 05 03 DB C1 CB 10 8B 8D 12 17 40 00 8B B5 06 17 40 00 51 81 3E 2E 72 73 72 74 65 8B 85 16 17 40 00 E8 23 00 00 00 8B 85 1A 17 40 00 E8 18 00 00 00 8B 85 1E 17 40 00 E8 0D 00 00 00 8B 85 22 17 40 00 E8 02 00 00 00 EB 18 8B D6 3B 46 0C 72 0A 83 F9 01 74 0B 3B 46 34 72 06 BA 00 00 00 00 C3 58 83 FA 00 75 1A 8B 4E 10 8B 7E 0C 03 BD 02 17 40 00 83 F9 00 74 09 F6 17 31 0F 31 1F 47 E2 F7 59 83 C6 28 49 83 F9 00 75 88 8B 85 0A 17 40 00 89 44 24 1C 61 50 C3 } + +condition: + $a0 +} + + +rule MorphineV27Holy_FatherRatter29A +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 00 00 47 65 74 50 72 6F 63 41 64 64 72 } + +condition: + $a0 +} + + +rule nBinderv361 +{ + meta: + author="malware-lu" +strings: + $a0 = { 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C 00 5C 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C } + +condition: + $a0 +} + + +rule MatrixDongleTDiGmbH +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 E8 B6 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? E8 00 00 00 00 5B 2B D9 8B F8 8B 4C 24 2C 33 C0 2B CF F2 AA 8B 3C 24 8B 0A 2B CF 89 5C 24 20 80 37 A2 47 49 75 F9 8D 64 24 04 FF 64 24 FC 60 C7 42 08 ?? ?? ?? ?? E8 C5 FF FF FF C3 C2 F7 29 4E 29 5A 29 E6 86 8A 89 63 5C A2 65 E2 A3 A2 } + $a1 = { E8 00 00 00 00 E8 00 00 00 00 59 5A 2B CA 2B D1 E8 1A FF FF FF } + +condition: + $a0 or $a1 at pe.entry_point +} + + +rule NullsoftInstallSystemv20RC2 +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 EC 10 53 55 56 57 C7 44 24 14 70 92 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 00 00 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 00 00 56 FF 15 5C 71 40 00 } + +condition: + $a0 +} + + +rule UnoPiX075BaGiE +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 07 00 00 00 61 68 ?? ?? 40 00 C3 83 04 24 18 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 61 } + +condition: + $a0 at pe.entry_point +} + + +rule WWPACKv305c4UnextractablePasswordchecking +{ + meta: + author="malware-lu" +strings: + $a0 = { 03 05 80 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 
51 8C D3 } + +condition: + $a0 at pe.entry_point +} + + +rule FSGv110EngdulekxtBorlandDelphi20 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 56 E8 02 00 00 00 B2 D9 59 68 80 ?? 41 00 E8 02 00 00 00 65 32 59 5E EB 02 CD 20 BB } + +condition: + $a0 at pe.entry_point +} + + +rule Reg2Exe225byJanVorel +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 68 00 00 00 68 00 00 00 00 68 70 7D 40 00 E8 AE 20 00 00 83 C4 0C 68 00 00 00 00 E8 AF 52 00 00 A3 74 7D 40 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 9C 52 00 00 A3 70 7D 40 00 E8 24 50 00 00 E8 E2 48 00 00 E8 44 34 00 00 E8 54 28 00 00 E8 98 27 00 00 E8 93 20 00 00 68 01 00 00 00 68 D0 7D 40 00 68 00 00 00 00 8B 15 D0 7D 40 00 E8 89 8F 00 00 B8 00 00 10 00 68 01 00 00 00 E8 9A 8F 00 00 FF 35 A4 7F 40 00 68 00 01 00 00 E8 3A 23 00 00 8D 0D A8 7D 40 00 5A E8 5E 1F 00 00 FF 35 A8 7D 40 00 68 00 01 00 00 E8 2A 52 00 00 A3 B4 7D 40 00 FF 35 A4 7F 40 00 FF 35 B4 7D 40 00 FF 35 A8 7D 40 00 E8 5C 0C 00 00 8D 0D A0 7D 40 00 5A E8 26 1F 00 00 FF 35 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov420SiliconRealmsToolworks +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 F8 8E 4C 00 68 F0 EA 49 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 84 A5 4C 00 8B C8 81 E1 FF 00 00 00 89 0D 80 A5 4C 00 C1 E1 08 03 CA 89 0D 7C A5 4C 00 C1 E8 10 A3 78 A5 } + +condition: + $a0 at pe.entry_point +} + + +rule DalKrypt10byDalKiT +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 00 10 40 00 58 68 ?? ?? ?? 00 5F 33 DB EB 0D 8A 14 03 80 EA 07 80 F2 04 88 14 03 43 81 FB ?? ?? ?? 00 72 EB FF E7 } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorv15Vaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 83 2C 24 4F 68 ?? ?? ?? ?? FF 54 24 04 83 44 24 04 4F } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor239compressedresources +{ + meta: + author="malware-lu" +strings: + $a0 = { 51 68 ?? ?? ?? ?? 
59 81 F1 12 3C CB 98 E9 53 2C 00 00 F7 D7 E9 EB 60 00 00 83 45 F8 02 E9 E3 36 00 00 F6 45 F8 20 0F 84 1E 21 00 00 55 E9 80 62 00 00 87 0C 24 8B E9 ?? ?? ?? ?? 00 00 23 C1 81 E9 ?? ?? ?? ?? 57 E9 ED 00 00 00 0F 88 ?? ?? ?? ?? E9 2C 0D 00 00 81 ED BB 43 CB 79 C1 E0 1C E9 9E 14 00 00 0B 15 ?? ?? ?? ?? 81 E2 2A 70 7F 49 81 C2 9D 83 12 3B E8 0C 50 00 00 E9 A0 16 00 00 59 5B C3 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 E8 41 42 00 00 E9 93 33 00 00 31 DB 89 D8 59 5B C3 A1 ?? ?? ?? ?? 8A 00 2C 99 E9 82 30 00 00 0F 8A ?? ?? ?? ?? B8 01 00 00 00 31 D2 0F A2 25 FF 0F 00 00 E9 72 21 00 00 0F 86 57 0B 00 00 E9 ?? ?? ?? ?? C1 C0 03 E8 F0 36 00 00 E9 41 0A 00 00 81 F7 B3 6E 85 EA 81 C7 ?? ?? ?? ?? 87 3C 24 E9 74 52 00 00 0F 8E ?? ?? ?? ?? E8 5E 37 00 00 68 B1 74 96 13 5A E9 A1 04 00 00 81 D1 49 C0 12 27 E9 50 4E 00 00 C1 C8 1B 1B C3 81 E1 96 36 E5 } + +condition: + $a0 at pe.entry_point +} + + +rule GameGuardv20065xxexesignbyhot_UNP +{ + meta: + author="malware-lu" +strings: + $a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 00 00 00 80 7C 24 08 01 E9 00 00 00 00 60 BE 00 } + +condition: + $a0 at pe.entry_point +} + + +rule EnigmaProtectorv112LITE +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 83 ED 06 81 ED ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
E8 01 00 00 00 9A 83 C4 04 EB 02 FF 35 60 E8 24 00 00 00 00 00 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 00 00 00 03 31 } + +condition: + $a0 at pe.entry_point +} + + +rule MSLRHv01emadicius +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 } + $a1 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 00 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 } + +condition: + $a0 or $a1 at pe.entry_point +} + + +rule Apex_cbeta500mhz +{ + meta: + author="malware-lu" +strings: + $a0 = { 68 ?? ?? ?? ?? 
B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 00 00 00 8B 34 24 80 36 FD 46 E2 FA C3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule VProtector11A12vcasm +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 00 00 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F 32 30 30 35 5F 33 5F 31 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 F6 E8 10 00 00 00 8B 64 24 08 64 8F 05 00 00 00 00 58 EB 13 C7 83 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 00 00 00 E8 1F 00 00 00 EB FA E8 16 00 00 00 E9 EB F8 00 00 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 00 00 00 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 } + +condition: + $a0 +} + + +rule codeCrypter031 +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 58 53 5B 90 BB ?? ?? 40 00 FF E3 90 CC CC CC 55 8B EC 5D C3 CC CC CC CC CC CC CC CC CC CC CC } + +condition: + $a0 +} + + +rule PKTINYv10withTINYPROGv38 +{ + meta: + author="malware-lu" +strings: + $a0 = { 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? E9 ?? ?? E8 ?? ?? 83 } + +condition: + $a0 at pe.entry_point +} + + +rule AHTeamEPProtector03fakePESHiELD2xFEUERRADER +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 00 00 00 00 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPackFullEditionV11Xap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 10 } + +condition: + $a0 +} + + +rule Excalibur103forgot +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 00 00 00 00 60 E8 14 00 00 00 5D 81 ED 00 00 00 00 } + +condition: + $a0 at pe.entry_point +} + + +rule RLPack118DllaPlib043ap0x +{ + meta: + author="malware-lu" +strings: + $a0 = { 80 7C 24 08 01 0F 85 5C 01 00 00 60 E8 00 00 00 00 8B 2C 24 83 C4 ?? 8D B5 1A 04 00 00 8D 9D C1 02 00 00 33 FF E8 61 01 00 00 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 00 00 00 74 0E 83 BD 0A 04 00 00 00 74 05 E8 D7 01 00 00 8D 74 37 04 53 6A ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A ?? FF 95 A7 03 00 00 89 85 16 04 00 00 5B FF B5 16 04 00 00 56 FF D3 83 C4 ?? 8B B5 16 04 00 00 8B C6 EB 01 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01MicrosoftVisualC50MFCAnorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 
64 A1 00 00 00 00 50 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule Pohernah101byKas +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 00 00 00 00 5D 81 ED F1 26 40 00 8B BD 18 28 40 00 8B 8D 20 28 40 00 B8 38 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 00 00 00 75 62 8B 57 0C 03 95 1C 28 40 00 31 C0 51 31 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 1C 28 40 00 8B 85 24 28 40 00 83 F8 02 75 06 81 C2 00 02 00 00 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 00 00 57 BF C8 00 00 00 89 CE E8 27 00 00 00 89 C1 5F B8 38 28 40 00 01 E8 E8 24 00 00 00 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 14 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 00 00 00 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 00 00 00 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 } + +condition: + $a0 at pe.entry_point +} + + +rule Armadillov25xv26x +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?? ?? ?? 33 D2 8A D4 89 15 EC } + +condition: + $a0 at pe.entry_point +} + + +rule PESpinv11Cyberbob +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF } + +condition: + $a0 at pe.entry_point +} + + +rule Escargot01byueMeat +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 08 28 65 73 63 30 2E 31 29 60 68 2B ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 B8 5C ?? ?? ?? 8B 00 FF D0 50 BE 00 10 ?? ?? B9 00 ?? ?? 
00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ?? ?? ?? ?? E9 AC 00 00 00 8B 46 0C BB 00 00 ?? ?? 03 C3 50 50 B8 54 ?? ?? ?? 8B 00 FF D0 5F 80 3F 00 74 06 C6 07 00 47 EB F5 33 FF 8B 16 0B D2 75 03 8B 56 10 03 D3 03 D7 8B 0A C7 02 00 00 00 00 0B C9 74 4B F7 C1 00 00 00 80 74 14 81 E1 FF FF 00 00 50 51 50 B8 50 } + +condition: + $a0 +} + + +rule EncryptPE2200461622006630WFS +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C 64 FF 35 00 00 00 00 E8 7A 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 } + +condition: + $a0 at pe.entry_point +} + + +rule tElockv060 +{ + meta: + author="malware-lu" +strings: + $a0 = { E9 00 00 00 00 60 E8 00 00 00 00 58 83 C0 08 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01BorlandDelphi30Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 83 C4 90 90 90 90 68 ?? ?? ?? ?? 
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 } + +condition: + $a0 at pe.entry_point +} + + +rule ActiveMARKTMR5311140Trymedia +{ + meta: + author="malware-lu" +strings: + $a0 = { 79 11 7F AB 9A 4A 83 B5 C9 6B 1A 48 F9 27 B4 25 } + +condition: + $a0 at pe.entry_point +} + + +rule PEBundlev244 +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ?? ?? 40 ?? 87 DD 83 BD } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv120v1201 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 9A 70 40 } + +condition: + $a0 at pe.entry_point +} + + +rule ASPackv104bAlexeySolodovnikov +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D } + +condition: + $a0 at pe.entry_point +} + + +rule MESSv120 +{ + meta: + author="malware-lu" +strings: + $a0 = { FA B9 ?? ?? F3 ?? ?? E3 ?? EB ?? EB ?? B6 } + +condition: + $a0 at pe.entry_point +} + + +rule RCryptorv13v14Vaska +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 8B 44 24 04 83 E8 4F 68 ?? ?? ?? ?? FF D0 58 59 50 } + $a1 = { 55 8B EC 8B 44 24 04 83 E8 4F 68 ?? ?? ?? ?? FF D0 58 59 50 B8 ?? ?? ?? ?? 3D ?? ?? ?? ?? 74 06 80 30 ?? 40 EB F3 } + +condition: + $a0 at pe.entry_point or $a1 at pe.entry_point +} + + +rule ThinstallV27XJitit +{ + meta: + author="malware-lu" +strings: + $a0 = { 9C 60 E8 00 00 00 00 58 BB ?? ?? ?? ?? 2B C3 50 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? E9 } + +condition: + $a0 at pe.entry_point +} + + +rule eXPressor120BetaPEPacker +{ + meta: + author="malware-lu" +strings: + $a0 = { 55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 EB ?? 
45 78 50 72 2D 76 2E 31 2E 32 2E 2E } + +condition: + $a0 at pe.entry_point +} + + +rule Packanoid10ackanoid +{ + meta: + author="malware-lu" +strings: + $a0 = { BF 00 ?? 40 00 BE ?? ?? ?? 00 E8 9D 00 00 00 B8 ?? ?? ?? 00 8B 30 8B 78 04 BB ?? ?? ?? 00 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 5E EB DB B9 ?? ?? 00 00 BE 00 ?? ?? 00 EB 01 00 BF ?? ?? ?? 00 } + +condition: + $a0 at pe.entry_point +} + + +rule EncryptPE1200331812003518WFS +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 9C 64 FF 35 00 00 00 00 E8 79 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 00 00 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 00 00 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv09781 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 49 87 40 ?? 87 DD 8B 85 CE 87 } + +condition: + $a0 at pe.entry_point +} + + +rule PECompactv09782 +{ + meta: + author="malware-lu" +strings: + $a0 = { EB 06 68 ?? ?? ?? ?? C3 9C 60 E8 02 ?? ?? ?? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D1 84 40 ?? 
87 DD 8B 85 56 85 } + +condition: + $a0 at pe.entry_point +} + + +rule PseudoSigner01Gleam100Anorganix +{ + meta: + author="malware-lu" +strings: + $a0 = { 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF E9 } + +condition: + $a0 at pe.entry_point +} + + +rule UPackAltStubDwing +{ + meta: + author="malware-lu" +strings: + $a0 = { 60 E8 09 00 00 00 C3 F6 00 00 E9 06 02 00 00 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD } + +condition: + $a0 at pe.entry_point +} + + +rule VxModificationofHi924 +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 53 51 52 1E 06 9C B8 21 35 CD 21 53 BB ?? ?? 26 ?? ?? 49 48 5B } + +condition: + $a0 at pe.entry_point +} + + +rule EXECryptor226DLLminimumprotection +{ + meta: + author="malware-lu" +strings: + $a0 = { 50 8B C6 87 04 24 68 ?? ?? ?? ?? 5E E9 ?? ?? ?? ?? 85 C8 E9 ?? ?? ?? ?? 81 C3 ?? ?? ?? ?? 0F 81 ?? ?? ?? 00 81 FA ?? ?? ?? ?? 33 D0 E9 ?? ?? ?? 00 0F 8D ?? ?? ?? 00 81 D5 ?? ?? ?? ?? F7 D1 0B 15 ?? ?? ?? ?? C1 C2 ?? 81 C2 ?? ?? ?? ?? 9D E9 ?? ?? ?? ?? C1 E2 ?? C1 E8 ?? 81 EA ?? ?? ?? ?? 13 DA 81 E9 ?? ?? ?? ?? 87 04 24 8B C8 E9 ?? ?? ?? ?? 55 8B EC 83 C4 F8 89 45 FC 8B 45 FC 89 45 F8 8B 45 08 E9 ?? ?? ?? ?? 8B 45 E0 C6 00 00 FF 45 E4 E9 ?? ?? ?? ?? FF 45 E4 E9 ?? ?? ?? 00 F7 D3 0F 81 ?? ?? ?? ?? E9 ?? ?? ?? ?? 87 34 24 5E 8B 45 F4 E8 ?? ?? ?? 00 8B 45 F4 8B E5 5D C3 E9 } + +condition: + $a0 at pe.entry_point +} + + +rule yodasProtector102AshkibizDanehlar +{ + meta: + author="malware-lu" +strings: + $a0 = { E8 03 00 00 00 EB 01 ?? BB 55 00 00 00 E8 03 00 00 00 EB 01 ?? E8 8F 00 00 00 E8 03 00 00 00 EB 01 ?? E8 82 00 00 00 E8 03 00 00 00 EB 01 ?? E8 B8 00 00 00 E8 03 00 00 00 EB 01 ?? E8 AB 00 00 00 E8 03 00 00 00 EB 01 ?? 83 FB 55 E8 03 00 00 00 EB 01 ?? 75 } + +condition: + $a0 at pe.entry_point +} + + +rule ACProtectv135riscosoftwareIncAnticrackSoftware +{ + meta: + author="malware-lu" +strings: + $a0 = { 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 55 53 45 52 33 32 2E 44 4C 4C 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 47 65 74 50 72 6F 63 } + +condition: + $a0 +} + + +rule upx_0_80_to_1_24 : Packer +{ + meta: + author="Kevin Falcoz" + date_create="25/02/2013" + description="UPX 0.80 to 1.24" + + strings: + $str1={6A 60 68 60 02 4B 00 E8 8B 04 00 00 83 65 FC 00 8D 45 90 50 FF 15 8C F1 48 00 C7 45 FC FE FF FF FF BF 94 00 00 00 57} + + condition: + $str1 at pe.entry_point +} + +rule upx_1_00_to_1_07 : Packer +{ + meta: + author="Kevin Falcoz" + date_create="19/03/2013" + description="UPX 1.00 to 1.07" + + strings: + $str1={60 BE 00 ?0 4? 00 8D BE 00 B0 F? FF ?7 8? [3] ?0 9? [0-9] 90 90 90 90 [0-2] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0} + + condition: + $str1 at pe.entry_point +} + +rule upx_3 : Packer +{ + meta: + author="Kevin Falcoz" + date_create="25/02/2013" + description="UPX 3.X" + + strings: + $str1={60 BE 00 [2] 00 8D BE 00 [2] FF [1-12] EB 1? 90 90 90 90 90 [1-3] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01} + + condition: + $str1 at pe.entry_point +} + +rule obsidium : Packer +{ + meta: + author="Kevin Falcoz" + date_create="21/01/2013" + last_edit="17/03/2013" + description="Obsidium" + + strings: + $str1={EB 02 [2] E8 25 00 00 00 EB 04 [4] EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 
33 C0 EB 02 [2] C3 EB 02 [2] EB 04} /*EntryPoint*/
+
+ condition:
+ $str1 at pe.entry_point
+}
+
+rule pecompact2 : Packer
+{
+ meta:
+ author="Kevin Falcoz"
+ date_create="25/02/2013"
+ description="PECompact"
+
+ strings:
+ $str1={B8 [3] 00 50 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 33 C0 89 08 50 45 43} /*EntryPoint*/
+
+ condition:
+ $str1 at pe.entry_point
+}
+
+rule aspack : Packer
+{
+ meta:
+ author="Kevin Falcoz"
+ date_create="25/02/2013"
+ description="ASPack"
+
+ strings:
+ $str1={60 E8 00 00 00 00 5D 81 ED 5D 3B 40 00 64 A1 30 00 00 00 0F B6 40 02 0A C0 74 04 33 C0 87 00 B9 ?? ?? 00 00 8D BD B7 3B 40 00 8B F7 AC} /*EntryPoint*/
+
+ condition:
+ $str1 at pe.entry_point
+}
+
+rule execryptor : Protector
+{
+ meta:
+ author="Kevin Falcoz"
+ date_create="25/02/2013"
+ description="EXECryptor"
+
+ strings:
+ $str1={E8 24 00 00 00 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00 00 00 00 00 00 00 31 C0 89 41 14 89 41 18 80 A1 C1 00 00 00 FE C3 31 C0 64 FF 30 64 89 20 64 8F 05 00 00 00 00} /*EntryPoint*/
+
+ condition:
+ $str1 at pe.entry_point
+}
+
+rule winrar_sfx : Packer
+{
+ meta:
+ author="Kevin Falcoz"
+ date_create="18/03/2013"
+ description="Winrar SFX Archive"
+
+ strings:
+ $signature1={00 00 53 6F 66 74 77 61 72 65 5C 57 69 6E 52 41 52 20 53 46 58 00}
+
+ condition:
+ $signature1
+}
+
+rule mpress_2_xx_x86 : Packer
+{
+ meta:
+ author="Kevin Falcoz"
+ date_create="19/03/2013"
+ last_edit="24/03/2013"
+ description="MPRESS v2.XX x86 - no .NET"
+
+ strings:
+ $signature1={60 E8 00 00 00 00 58 05 [2] 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 88 04 31 75 F6}
+
+ condition:
+ $signature1 at pe.entry_point
+}
+
+rule mpress_2_xx_x64 : Packer
+{
+ meta:
+ author="Kevin Falcoz"
+ date_create="19/03/2013"
+ last_edit="24/03/2013"
+ description="MPRESS v2.XX x64 - no .NET"
+
+ strings:
+ $signature1={57 56 53 51 52 41 50 48 8D 05 DE 0A 00 00 48 8B 30 48 03 F0 48 2B C0 48 8B FE 66 AD C1 E0 0C 48 8B C8 50 AD 2B
C8 48 03 F1 8B C8 57 44 8B C1 FF C9 8A 44 39 06 88 04 31}
+
+ condition:
+ $signature1 at pe.entry_point
+}
+
+rule mpress_2_xx_net : Packer
+{
+ meta:
+ author="Kevin Falcoz"
+ date_create="24/03/2013"
+ description="MPRESS v2.XX .NET"
+
+ strings:
+ $signature1={21 46 00 69 00 6C 00 65 00 20 00 69 00 73 00 20 00 69 00 6E 00 76 00 61 00 6C 00 69 00 64 00 2E 00 00 0D 4D 00 50 00 52 00 45 00 53 00 53 00 00 00 00 00 2D 2D 93 6B 35 04 2E 43 85 EF}
+
+ condition:
+ $signature1
+}
+
+rule rpx_1_xx : Packer
+{
+ meta:
+ author="Kevin Falcoz"
+ date_create="24/03/2013"
+ description="RPX v1.XX"
+
+ strings:
+ $signature1= "RPX 1."
+ $signature2= "Copyright 20"
+
+ condition:
+ $signature1 and $signature2
+}
+
+rule mew_11_xx : Packer
+{
+ meta:
+ author="Kevin Falcoz"
+ date_create="25/03/2013"
+ description="MEW 11"
+
+ strings:
+ $signature1={50 72 6F 63 41 64 64 72 65 73 73 00 E9 [6-7] 00 00 00 00 00 00 00 00 00 [7] 00}
+ $signature2="MEW"
+
+ condition:
+ $signature1 and $signature2
+}
+
+rule yoda_crypter_1_2 : Crypter
+{
+ meta:
+ author="Kevin Falcoz"
+ date_create="15/04/2013"
+ description="Yoda Crypter 1.2"
+
+ strings:
+ $signature1={60 E8 00 00 00 00 5D 81 ED F3 1D 40 00 B9 7B 09 00 00 8D BD 3B 1E 40 00 8B F7 AC [19] EB 01 [27] AA E2 CC}
+
+ condition:
+ $signature1 at pe.entry_point
+}
+
+rule yoda_crypter_1_3 : Crypter
+{
+ meta:
+ author="Kevin Falcoz"
+ date_create="15/04/2013"
+ description="Yoda Crypter 1.3"
+
+ strings:
+ $signature1={55 8B EC 53 56 57 60 E8 00 00 00 00 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC}
+
+ condition:
+ $signature1 at pe.entry_point
+}
+
+rule dotfuscator : packer
+{
+ meta:
+ author = "Jean-Philippe Teissier / @Jipe_"
+ description = "Dotfuscator"
+ date = "2013-02-01"
+ filetype = "memory"
+ version = "1.0"
+
+ strings:
+ $a = "Obfuscated with Dotfuscator"
+
+ condition:
+ $a
+}
+
+rule AutoIt_2 : packer
+{
+ meta:
+ author = "Jean-Philippe Teissier /
@Jipe_"
+ description = "AutoIT packer"
+ date = "2013-02-01"
+ filetype = "memory"
+ version = "1.0"
+
+ strings:
+ $a = "This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support."
+
+ condition:
+ $a
+}
+
+rule mumblehard_packer
+{
+ meta:
+ description = "Mumblehard i386 assembly code responsible for decrypting Perl code"
+ author = "Marc-Etienne M.Leveille"
+ date = "2015-04-07"
+ reference = "http://www.welivesecurity.com"
+ version = "1"
+
+ strings:
+
+ $decrypt = { 31 db [1-10] ba ?? 00 00 00 [0-6] (56 5f | 89 F7) 39 d3 75 13 81 fa ?? 00 00 00 75 02 31 d2 81 c2 ?? 00 00 00 31 db 43 ac 30 d8 aa 43 e2 e2 }
+
+ condition:
+ $decrypt
+}
diff --git a/yara_sigs/file/suspicious.yar b/yara_sigs/file/suspicious.yar
new file mode 100644
index 0000000..a1ad607
--- /dev/null
+++ b/yara_sigs/file/suspicious.yar
@@ -0,0 +1,558 @@ +/* + This file is part of Manalyze. + + Manalyze is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + Manalyze is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with Manalyze. If not, see . +*/ + + +rule Obfuscated_Strings : SuspiciousStrings +{ + meta: + description = "Contains obfuscated function names" + author = "Ivan Kwiatkowski (@JusticeRage)" + strings: + $a0 = { (46 | 66) 64 75 (51 | 71) 73 6E 62 (40 | 60) 65 65 73 64 72 72 } // [Gg]et[Pp]roc[Aa]ddress XOR 0x01 + $a1 = { (45 | 65) 67 76 (52 | 72) 70 6D 61 (43 | 63) 66 66 70 67 71 71 } // GetProcAddress XOR 0x02 + $a2 = { (44 | 64) 66 77 (53 | 73) 71 6C 60 (42 | 62) 67 67 71 66 70 70 } // etc... 
+ $a3 = { (43 | 63) 61 70 (54 | 74) 76 6B 67 (45 | 65) 60 60 76 61 77 77 } + $a4 = { (42 | 62) 60 71 (55 | 75) 77 6A 66 (44 | 64) 61 61 77 60 76 76 } + $a5 = { (41 | 61) 63 72 (56 | 76) 74 69 65 (47 | 67) 62 62 74 63 75 75 } + $a6 = { (40 | 60) 62 73 (57 | 77) 75 68 64 (46 | 66) 63 63 75 62 74 74 } + $a7 = { (4F | 6F) 6D 7C (58 | 78) 7A 67 6B (49 | 69) 6C 6C 7A 6D 7B 7B } + $a8 = { (4E | 6E) 6C 7D (59 | 79) 7B 66 6A (48 | 68) 6D 6D 7B 6C 7A 7A } + $a9 = { (4D | 6D) 6F 7E (5A | 7A) 78 65 69 (4B | 6B) 6E 6E 78 6F 79 79 } + $a10 = { (4C | 6C) 6E 7F (5B | 7B) 79 64 68 (4A | 6A) 6F 6F 79 6E 78 78 } + $a11 = { (4B | 6B) 69 78 (5C | 7C) 7E 63 6F (4D | 6D) 68 68 7E 69 7F 7F } + $a12 = { (4A | 6A) 68 79 (5D | 7D) 7F 62 6E (4C | 6C) 69 69 7F 68 7E 7E } + $a13 = { (49 | 69) 6B 7A (5E | 7E) 7C 61 6D (4F | 6F) 6A 6A 7C 6B 7D 7D } + $a14 = { (48 | 68) 6A 7B (5F | 7F) 7D 60 6C (4E | 6E) 6B 6B 7D 6A 7C 7C } + $a15 = { (57 | 77) 75 64 (40 | 60) 62 7F 73 (51 | 71) 74 74 62 75 63 63 } + $a16 = { (56 | 76) 74 65 (41 | 61) 63 7E 72 (50 | 70) 75 75 63 74 62 62 } + $a17 = { (55 | 75) 77 66 (42 | 62) 60 7D 71 (53 | 73) 76 76 60 77 61 61 } + $a18 = { (54 | 74) 76 67 (43 | 63) 61 7C 70 (52 | 72) 77 77 61 76 60 60 } + $a19 = { (53 | 73) 71 60 (44 | 64) 66 7B 77 (55 | 75) 70 70 66 71 67 67 } + $a20 = { (52 | 72) 70 61 (45 | 65) 67 7A 76 (54 | 74) 71 71 67 70 66 66 } + $a21 = { (51 | 71) 73 62 (46 | 66) 64 79 75 (57 | 77) 72 72 64 73 65 65 } + $a22 = { (50 | 70) 72 63 (47 | 67) 65 78 74 (56 | 76) 73 73 65 72 64 64 } + $a23 = { (5F | 7F) 7D 6C (48 | 68) 6A 77 7B (59 | 79) 7C 7C 6A 7D 6B 6B } + $a24 = { (5E | 7E) 7C 6D (49 | 69) 6B 76 7A (58 | 78) 7D 7D 6B 7C 6A 6A } + $a25 = { (5D | 7D) 7F 6E (4A | 6A) 68 75 79 (5B | 7B) 7E 7E 68 7F 69 69 } + $a26 = { (5C | 7C) 7E 6F (4B | 6B) 69 74 78 (5A | 7A) 7F 7F 69 7E 68 68 } + $a27 = { (5B | 7B) 79 68 (4C | 6C) 6E 73 7F (5D | 7D) 78 78 6E 79 6F 6F } + $a28 = { (5A | 7A) 78 69 (4D | 6D) 6F 72 7E (5C | 7C) 79 79 6F 78 6E 6E } + $a29 = { (59 | 79) 7B 6A (4E 
| 6E) 6C 71 7D (5F | 7F) 7A 7A 6C 7B 6D 6D } + $a30 = { (58 | 78) 7A 6B (4F | 6F) 6D 70 7C (5E | 7E) 7B 7B 6D 7A 6C 6C } + // XOR 0x20 removed because it toggles capitalization and causes [Gg]ET[Pp]ROC[Aa]DDRESS to match. + $a32 = { (66 | 46) 44 55 (71 | 51) 53 4E 42 (60 | 40) 45 45 53 44 52 52 } + $a33 = { (65 | 45) 47 56 (72 | 52) 50 4D 41 (63 | 43) 46 46 50 47 51 51 } + $a34 = { (64 | 44) 46 57 (73 | 53) 51 4C 40 (62 | 42) 47 47 51 46 50 50 } + $a35 = { (63 | 43) 41 50 (74 | 54) 56 4B 47 (65 | 45) 40 40 56 41 57 57 } + $a36 = { (62 | 42) 40 51 (75 | 55) 57 4A 46 (64 | 44) 41 41 57 40 56 56 } + $a37 = { (61 | 41) 43 52 (76 | 56) 54 49 45 (67 | 47) 42 42 54 43 55 55 } + $a38 = { (60 | 40) 42 53 (77 | 57) 55 48 44 (66 | 46) 43 43 55 42 54 54 } + $a39 = { (6F | 4F) 4D 5C (78 | 58) 5A 47 4B (69 | 49) 4C 4C 5A 4D 5B 5B } + $a40 = { (6E | 4E) 4C 5D (79 | 59) 5B 46 4A (68 | 48) 4D 4D 5B 4C 5A 5A } + $a41 = { (6D | 4D) 4F 5E (7A | 5A) 58 45 49 (6B | 4B) 4E 4E 58 4F 59 59 } + $a42 = { (6C | 4C) 4E 5F (7B | 5B) 59 44 48 (6A | 4A) 4F 4F 59 4E 58 58 } + $a43 = { (6B | 4B) 49 58 (7C | 5C) 5E 43 4F (6D | 4D) 48 48 5E 49 5F 5F } + $a44 = { (6A | 4A) 48 59 (7D | 5D) 5F 42 4E (6C | 4C) 49 49 5F 48 5E 5E } + $a45 = { (69 | 49) 4B 5A (7E | 5E) 5C 41 4D (6F | 4F) 4A 4A 5C 4B 5D 5D } + $a46 = { (68 | 48) 4A 5B (7F | 5F) 5D 40 4C (6E | 4E) 4B 4B 5D 4A 5C 5C } + $a47 = { (77 | 57) 55 44 (60 | 40) 42 5F 53 (71 | 51) 54 54 42 55 43 43 } + $a48 = { (76 | 56) 54 45 (61 | 41) 43 5E 52 (70 | 50) 55 55 43 54 42 42 } + $a49 = { (75 | 55) 57 46 (62 | 42) 40 5D 51 (73 | 53) 56 56 40 57 41 41 } + $a50 = { (74 | 54) 56 47 (63 | 43) 41 5C 50 (72 | 52) 57 57 41 56 40 40 } + $a51 = { (73 | 53) 51 40 (64 | 44) 46 5B 57 (75 | 55) 50 50 46 51 47 47 } + $a52 = { (72 | 52) 50 41 (65 | 45) 47 5A 56 (74 | 54) 51 51 47 50 46 46 } + $a53 = { (71 | 51) 53 42 (66 | 46) 44 59 55 (77 | 57) 52 52 44 53 45 45 } + $a54 = { (70 | 50) 52 43 (67 | 47) 45 58 54 (76 | 56) 53 53 45 52 44 44 } + $a55 = { (7F | 5F) 5D 4C 
(68 | 48) 4A 57 5B (79 | 59) 5C 5C 4A 5D 4B 4B } + $a56 = { (7E | 5E) 5C 4D (69 | 49) 4B 56 5A (78 | 58) 5D 5D 4B 5C 4A 4A } + $a57 = { (7D | 5D) 5F 4E (6A | 4A) 48 55 59 (7B | 5B) 5E 5E 48 5F 49 49 } + $a58 = { (7C | 5C) 5E 4F (6B | 4B) 49 54 58 (7A | 5A) 5F 5F 49 5E 48 48 } + $a59 = { (7B | 5B) 59 48 (6C | 4C) 4E 53 5F (7D | 5D) 58 58 4E 59 4F 4F } + $a60 = { (7A | 5A) 58 49 (6D | 4D) 4F 52 5E (7C | 5C) 59 59 4F 58 4E 4E } + $a61 = { (79 | 59) 5B 4A (6E | 4E) 4C 51 5D (7F | 5F) 5A 5A 4C 5B 4D 4D } + $a62 = { (78 | 58) 5A 4B (6F | 4F) 4D 50 5C (7E | 5E) 5B 5B 4D 5A 4C 4C } + $a63 = { (07 | 27) 25 34 (10 | 30) 32 2F 23 (01 | 21) 24 24 32 25 33 33 } + $a64 = { (06 | 26) 24 35 (11 | 31) 33 2E 22 (00 | 20) 25 25 33 24 32 32 } + $a65 = { (05 | 25) 27 36 (12 | 32) 30 2D 21 (03 | 23) 26 26 30 27 31 31 } + $a66 = { (04 | 24) 26 37 (13 | 33) 31 2C 20 (02 | 22) 27 27 31 26 30 30 } + $a67 = { (03 | 23) 21 30 (14 | 34) 36 2B 27 (05 | 25) 20 20 36 21 37 37 } + $a68 = { (02 | 22) 20 31 (15 | 35) 37 2A 26 (04 | 24) 21 21 37 20 36 36 } + $a69 = { (01 | 21) 23 32 (16 | 36) 34 29 25 (07 | 27) 22 22 34 23 35 35 } + $a70 = { (00 | 20) 22 33 (17 | 37) 35 28 24 (06 | 26) 23 23 35 22 34 34 } + $a71 = { (0F | 2F) 2D 3C (18 | 38) 3A 27 2B (09 | 29) 2C 2C 3A 2D 3B 3B } + $a72 = { (0E | 2E) 2C 3D (19 | 39) 3B 26 2A (08 | 28) 2D 2D 3B 2C 3A 3A } + $a73 = { (0D | 2D) 2F 3E (1A | 3A) 38 25 29 (0B | 2B) 2E 2E 38 2F 39 39 } + $a74 = { (0C | 2C) 2E 3F (1B | 3B) 39 24 28 (0A | 2A) 2F 2F 39 2E 38 38 } + $a75 = { (0B | 2B) 29 38 (1C | 3C) 3E 23 2F (0D | 2D) 28 28 3E 29 3F 3F } + $a76 = { (0A | 2A) 28 39 (1D | 3D) 3F 22 2E (0C | 2C) 29 29 3F 28 3E 3E } + $a77 = { (09 | 29) 2B 3A (1E | 3E) 3C 21 2D (0F | 2F) 2A 2A 3C 2B 3D 3D } + $a78 = { (08 | 28) 2A 3B (1F | 3F) 3D 20 2C (0E | 2E) 2B 2B 3D 2A 3C 3C } + $a79 = { (17 | 37) 35 24 (00 | 20) 22 3F 33 (11 | 31) 34 34 22 35 23 23 } + $a80 = { (16 | 36) 34 25 (01 | 21) 23 3E 32 (10 | 30) 35 35 23 34 22 22 } + $a81 = { (15 | 35) 37 26 (02 | 22) 20 3D 31 (13 
| 33) 36 36 20 37 21 21 } + $a82 = { (14 | 34) 36 27 (03 | 23) 21 3C 30 (12 | 32) 37 37 21 36 20 20 } + $a83 = { (13 | 33) 31 20 (04 | 24) 26 3B 37 (15 | 35) 30 30 26 31 27 27 } + $a84 = { (12 | 32) 30 21 (05 | 25) 27 3A 36 (14 | 34) 31 31 27 30 26 26 } + $a85 = { (11 | 31) 33 22 (06 | 26) 24 39 35 (17 | 37) 32 32 24 33 25 25 } + $a86 = { (10 | 30) 32 23 (07 | 27) 25 38 34 (16 | 36) 33 33 25 32 24 24 } + $a87 = { (1F | 3F) 3D 2C (08 | 28) 2A 37 3B (19 | 39) 3C 3C 2A 3D 2B 2B } + $a88 = { (1E | 3E) 3C 2D (09 | 29) 2B 36 3A (18 | 38) 3D 3D 2B 3C 2A 2A } + $a89 = { (1D | 3D) 3F 2E (0A | 2A) 28 35 39 (1B | 3B) 3E 3E 28 3F 29 29 } + $a90 = { (1C | 3C) 3E 2F (0B | 2B) 29 34 38 (1A | 3A) 3F 3F 29 3E 28 28 } + $a91 = { (1B | 3B) 39 28 (0C | 2C) 2E 33 3F (1D | 3D) 38 38 2E 39 2F 2F } + $a92 = { (1A | 3A) 38 29 (0D | 2D) 2F 32 3E (1C | 3C) 39 39 2F 38 2E 2E } + $a93 = { (19 | 39) 3B 2A (0E | 2E) 2C 31 3D (1F | 3F) 3A 3A 2C 3B 2D 2D } + $a94 = { (18 | 38) 3A 2B (0F | 2F) 2D 30 3C (1E | 3E) 3B 3B 2D 3A 2C 2C } + $a95 = { (27 | 07) 05 14 (30 | 10) 12 0F 03 (21 | 01) 04 04 12 05 13 13 } + $a96 = { (26 | 06) 04 15 (31 | 11) 13 0E 02 (20 | 00) 05 05 13 04 12 12 } + $a97 = { (25 | 05) 07 16 (32 | 12) 10 0D 01 (23 | 03) 06 06 10 07 11 11 } + $a98 = { (24 | 04) 06 17 (33 | 13) 11 0C 00 (22 | 02) 07 07 11 06 10 10 } + $a99 = { (23 | 03) 01 10 (34 | 14) 16 0B 07 (25 | 05) 00 00 16 01 17 17 } + $a100 = { (22 | 02) 00 11 (35 | 15) 17 0A 06 (24 | 04) 01 01 17 00 16 16 } + $a101 = { (21 | 01) 03 12 (36 | 16) 14 09 05 (27 | 07) 02 02 14 03 15 15 } + $a102 = { (20 | 00) 02 13 (37 | 17) 15 08 04 (26 | 06) 03 03 15 02 14 14 } + $a103 = { (2F | 0F) 0D 1C (38 | 18) 1A 07 0B (29 | 09) 0C 0C 1A 0D 1B 1B } + $a104 = { (2E | 0E) 0C 1D (39 | 19) 1B 06 0A (28 | 08) 0D 0D 1B 0C 1A 1A } + $a105 = { (2D | 0D) 0F 1E (3A | 1A) 18 05 09 (2B | 0B) 0E 0E 18 0F 19 19 } + $a106 = { (2C | 0C) 0E 1F (3B | 1B) 19 04 08 (2A | 0A) 0F 0F 19 0E 18 18 } + $a107 = { (2B | 0B) 09 18 (3C | 1C) 1E 03 0F (2D | 0D) 08 08 1E 
09 1F 1F } + $a108 = { (2A | 0A) 08 19 (3D | 1D) 1F 02 0E (2C | 0C) 09 09 1F 08 1E 1E } + $a109 = { (29 | 09) 0B 1A (3E | 1E) 1C 01 0D (2F | 0F) 0A 0A 1C 0B 1D 1D } + $a110 = { (28 | 08) 0A 1B (3F | 1F) 1D 00 0C (2E | 0E) 0B 0B 1D 0A 1C 1C } + $a111 = { (37 | 17) 15 04 (20 | 00) 02 1F 13 (31 | 11) 14 14 02 15 03 03 } + $a112 = { (36 | 16) 14 05 (21 | 01) 03 1E 12 (30 | 10) 15 15 03 14 02 02 } + $a113 = { (35 | 15) 17 06 (22 | 02) 00 1D 11 (33 | 13) 16 16 00 17 01 01 } + $a114 = { (34 | 14) 16 07 (23 | 03) 01 1C 10 (32 | 12) 17 17 01 16 00 00 } + $a115 = { (33 | 13) 11 00 (24 | 04) 06 1B 17 (35 | 15) 10 10 06 11 07 07 } + $a116 = { (32 | 12) 10 01 (25 | 05) 07 1A 16 (34 | 14) 11 11 07 10 06 06 } + $a117 = { (31 | 11) 13 02 (26 | 06) 04 19 15 (37 | 17) 12 12 04 13 05 05 } + $a118 = { (30 | 10) 12 03 (27 | 07) 05 18 14 (36 | 16) 13 13 05 12 04 04 } + $a119 = { (3F | 1F) 1D 0C (28 | 08) 0A 17 1B (39 | 19) 1C 1C 0A 1D 0B 0B } + $a120 = { (3E | 1E) 1C 0D (29 | 09) 0B 16 1A (38 | 18) 1D 1D 0B 1C 0A 0A } + $a121 = { (3D | 1D) 1F 0E (2A | 0A) 08 15 19 (3B | 1B) 1E 1E 08 1F 09 09 } + $a122 = { (3C | 1C) 1E 0F (2B | 0B) 09 14 18 (3A | 1A) 1F 1F 09 1E 08 08 } + $a123 = { (3B | 1B) 19 08 (2C | 0C) 0E 13 1F (3D | 1D) 18 18 0E 19 0F 0F } + $a124 = { (3A | 1A) 18 09 (2D | 0D) 0F 12 1E (3C | 1C) 19 19 0F 18 0E 0E } + $a125 = { (39 | 19) 1B 0A (2E | 0E) 0C 11 1D (3F | 1F) 1A 1A 0C 1B 0D 0D } + $a126 = { (38 | 18) 1A 0B (2F | 0F) 0D 10 1C (3E | 1E) 1B 1B 0D 1A 0C 0C } + $a127 = { (C7 | E7) E5 F4 (D0 | F0) F2 EF E3 (C1 | E1) E4 E4 F2 E5 F3 F3 } + $a128 = { (C6 | E6) E4 F5 (D1 | F1) F3 EE E2 (C0 | E0) E5 E5 F3 E4 F2 F2 } + $a129 = { (C5 | E5) E7 F6 (D2 | F2) F0 ED E1 (C3 | E3) E6 E6 F0 E7 F1 F1 } + $a130 = { (C4 | E4) E6 F7 (D3 | F3) F1 EC E0 (C2 | E2) E7 E7 F1 E6 F0 F0 } + $a131 = { (C3 | E3) E1 F0 (D4 | F4) F6 EB E7 (C5 | E5) E0 E0 F6 E1 F7 F7 } + $a132 = { (C2 | E2) E0 F1 (D5 | F5) F7 EA E6 (C4 | E4) E1 E1 F7 E0 F6 F6 } + $a133 = { (C1 | E1) E3 F2 (D6 | F6) F4 E9 E5 (C7 | E7) E2 E2 
F4 E3 F5 F5 } + $a134 = { (C0 | E0) E2 F3 (D7 | F7) F5 E8 E4 (C6 | E6) E3 E3 F5 E2 F4 F4 } + $a135 = { (CF | EF) ED FC (D8 | F8) FA E7 EB (C9 | E9) EC EC FA ED FB FB } + $a136 = { (CE | EE) EC FD (D9 | F9) FB E6 EA (C8 | E8) ED ED FB EC FA FA } + $a137 = { (CD | ED) EF FE (DA | FA) F8 E5 E9 (CB | EB) EE EE F8 EF F9 F9 } + $a138 = { (CC | EC) EE FF (DB | FB) F9 E4 E8 (CA | EA) EF EF F9 EE F8 F8 } + $a139 = { (CB | EB) E9 F8 (DC | FC) FE E3 EF (CD | ED) E8 E8 FE E9 FF FF } + $a140 = { (CA | EA) E8 F9 (DD | FD) FF E2 EE (CC | EC) E9 E9 FF E8 FE FE } + $a141 = { (C9 | E9) EB FA (DE | FE) FC E1 ED (CF | EF) EA EA FC EB FD FD } + $a142 = { (C8 | E8) EA FB (DF | FF) FD E0 EC (CE | EE) EB EB FD EA FC FC } + $a143 = { (D7 | F7) F5 E4 (C0 | E0) E2 FF F3 (D1 | F1) F4 F4 E2 F5 E3 E3 } + $a144 = { (D6 | F6) F4 E5 (C1 | E1) E3 FE F2 (D0 | F0) F5 F5 E3 F4 E2 E2 } + $a145 = { (D5 | F5) F7 E6 (C2 | E2) E0 FD F1 (D3 | F3) F6 F6 E0 F7 E1 E1 } + $a146 = { (D4 | F4) F6 E7 (C3 | E3) E1 FC F0 (D2 | F2) F7 F7 E1 F6 E0 E0 } + $a147 = { (D3 | F3) F1 E0 (C4 | E4) E6 FB F7 (D5 | F5) F0 F0 E6 F1 E7 E7 } + $a148 = { (D2 | F2) F0 E1 (C5 | E5) E7 FA F6 (D4 | F4) F1 F1 E7 F0 E6 E6 } + $a149 = { (D1 | F1) F3 E2 (C6 | E6) E4 F9 F5 (D7 | F7) F2 F2 E4 F3 E5 E5 } + $a150 = { (D0 | F0) F2 E3 (C7 | E7) E5 F8 F4 (D6 | F6) F3 F3 E5 F2 E4 E4 } + $a151 = { (DF | FF) FD EC (C8 | E8) EA F7 FB (D9 | F9) FC FC EA FD EB EB } + $a152 = { (DE | FE) FC ED (C9 | E9) EB F6 FA (D8 | F8) FD FD EB FC EA EA } + $a153 = { (DD | FD) FF EE (CA | EA) E8 F5 F9 (DB | FB) FE FE E8 FF E9 E9 } + $a154 = { (DC | FC) FE EF (CB | EB) E9 F4 F8 (DA | FA) FF FF E9 FE E8 E8 } + $a155 = { (DB | FB) F9 E8 (CC | EC) EE F3 FF (DD | FD) F8 F8 EE F9 EF EF } + $a156 = { (DA | FA) F8 E9 (CD | ED) EF F2 FE (DC | FC) F9 F9 EF F8 EE EE } + $a157 = { (D9 | F9) FB EA (CE | EE) EC F1 FD (DF | FF) FA FA EC FB ED ED } + $a158 = { (D8 | F8) FA EB (CF | EF) ED F0 FC (DE | FE) FB FB ED FA EC EC } + $a159 = { (E7 | C7) C5 D4 (F0 | D0) D2 CF C3 (E1 | C1) C4 
C4 D2 C5 D3 D3 } + $a160 = { (E6 | C6) C4 D5 (F1 | D1) D3 CE C2 (E0 | C0) C5 C5 D3 C4 D2 D2 } + $a161 = { (E5 | C5) C7 D6 (F2 | D2) D0 CD C1 (E3 | C3) C6 C6 D0 C7 D1 D1 } + $a162 = { (E4 | C4) C6 D7 (F3 | D3) D1 CC C0 (E2 | C2) C7 C7 D1 C6 D0 D0 } + $a163 = { (E3 | C3) C1 D0 (F4 | D4) D6 CB C7 (E5 | C5) C0 C0 D6 C1 D7 D7 } + $a164 = { (E2 | C2) C0 D1 (F5 | D5) D7 CA C6 (E4 | C4) C1 C1 D7 C0 D6 D6 } + $a165 = { (E1 | C1) C3 D2 (F6 | D6) D4 C9 C5 (E7 | C7) C2 C2 D4 C3 D5 D5 } + $a166 = { (E0 | C0) C2 D3 (F7 | D7) D5 C8 C4 (E6 | C6) C3 C3 D5 C2 D4 D4 } + $a167 = { (EF | CF) CD DC (F8 | D8) DA C7 CB (E9 | C9) CC CC DA CD DB DB } + $a168 = { (EE | CE) CC DD (F9 | D9) DB C6 CA (E8 | C8) CD CD DB CC DA DA } + $a169 = { (ED | CD) CF DE (FA | DA) D8 C5 C9 (EB | CB) CE CE D8 CF D9 D9 } + $a170 = { (EC | CC) CE DF (FB | DB) D9 C4 C8 (EA | CA) CF CF D9 CE D8 D8 } + $a171 = { (EB | CB) C9 D8 (FC | DC) DE C3 CF (ED | CD) C8 C8 DE C9 DF DF } + $a172 = { (EA | CA) C8 D9 (FD | DD) DF C2 CE (EC | CC) C9 C9 DF C8 DE DE } + $a173 = { (E9 | C9) CB DA (FE | DE) DC C1 CD (EF | CF) CA CA DC CB DD DD } + $a174 = { (E8 | C8) CA DB (FF | DF) DD C0 CC (EE | CE) CB CB DD CA DC DC } + $a175 = { (F7 | D7) D5 C4 (E0 | C0) C2 DF D3 (F1 | D1) D4 D4 C2 D5 C3 C3 } + $a176 = { (F6 | D6) D4 C5 (E1 | C1) C3 DE D2 (F0 | D0) D5 D5 C3 D4 C2 C2 } + $a177 = { (F5 | D5) D7 C6 (E2 | C2) C0 DD D1 (F3 | D3) D6 D6 C0 D7 C1 C1 } + $a178 = { (F4 | D4) D6 C7 (E3 | C3) C1 DC D0 (F2 | D2) D7 D7 C1 D6 C0 C0 } + $a179 = { (F3 | D3) D1 C0 (E4 | C4) C6 DB D7 (F5 | D5) D0 D0 C6 D1 C7 C7 } + $a180 = { (F2 | D2) D0 C1 (E5 | C5) C7 DA D6 (F4 | D4) D1 D1 C7 D0 C6 C6 } + $a181 = { (F1 | D1) D3 C2 (E6 | C6) C4 D9 D5 (F7 | D7) D2 D2 C4 D3 C5 C5 } + $a182 = { (F0 | D0) D2 C3 (E7 | C7) C5 D8 D4 (F6 | D6) D3 D3 C5 D2 C4 C4 } + $a183 = { (FF | DF) DD CC (E8 | C8) CA D7 DB (F9 | D9) DC DC CA DD CB CB } + $a184 = { (FE | DE) DC CD (E9 | C9) CB D6 DA (F8 | D8) DD DD CB DC CA CA } + $a185 = { (FD | DD) DF CE (EA | CA) C8 D5 D9 (FB | DB) 
DE DE C8 DF C9 C9 } + $a186 = { (FC | DC) DE CF (EB | CB) C9 D4 D8 (FA | DA) DF DF C9 DE C8 C8 } + $a187 = { (FB | DB) D9 C8 (EC | CC) CE D3 DF (FD | DD) D8 D8 CE D9 CF CF } + $a188 = { (FA | DA) D8 C9 (ED | CD) CF D2 DE (FC | DC) D9 D9 CF D8 CE CE } + $a189 = { (F9 | D9) DB CA (EE | CE) CC D1 DD (FF | DF) DA DA CC DB CD CD } + $a190 = { (F8 | D8) DA CB (EF | CF) CD D0 DC (FE | DE) DB DB CD DA CC CC } + $a191 = { (87 | A7) A5 B4 (90 | B0) B2 AF A3 (81 | A1) A4 A4 B2 A5 B3 B3 } + $a192 = { (86 | A6) A4 B5 (91 | B1) B3 AE A2 (80 | A0) A5 A5 B3 A4 B2 B2 } + $a193 = { (85 | A5) A7 B6 (92 | B2) B0 AD A1 (83 | A3) A6 A6 B0 A7 B1 B1 } + $a194 = { (84 | A4) A6 B7 (93 | B3) B1 AC A0 (82 | A2) A7 A7 B1 A6 B0 B0 } + $a195 = { (83 | A3) A1 B0 (94 | B4) B6 AB A7 (85 | A5) A0 A0 B6 A1 B7 B7 } + $a196 = { (82 | A2) A0 B1 (95 | B5) B7 AA A6 (84 | A4) A1 A1 B7 A0 B6 B6 } + $a197 = { (81 | A1) A3 B2 (96 | B6) B4 A9 A5 (87 | A7) A2 A2 B4 A3 B5 B5 } + $a198 = { (80 | A0) A2 B3 (97 | B7) B5 A8 A4 (86 | A6) A3 A3 B5 A2 B4 B4 } + $a199 = { (8F | AF) AD BC (98 | B8) BA A7 AB (89 | A9) AC AC BA AD BB BB } + $a200 = { (8E | AE) AC BD (99 | B9) BB A6 AA (88 | A8) AD AD BB AC BA BA } + $a201 = { (8D | AD) AF BE (9A | BA) B8 A5 A9 (8B | AB) AE AE B8 AF B9 B9 } + $a202 = { (8C | AC) AE BF (9B | BB) B9 A4 A8 (8A | AA) AF AF B9 AE B8 B8 } + $a203 = { (8B | AB) A9 B8 (9C | BC) BE A3 AF (8D | AD) A8 A8 BE A9 BF BF } + $a204 = { (8A | AA) A8 B9 (9D | BD) BF A2 AE (8C | AC) A9 A9 BF A8 BE BE } + $a205 = { (89 | A9) AB BA (9E | BE) BC A1 AD (8F | AF) AA AA BC AB BD BD } + $a206 = { (88 | A8) AA BB (9F | BF) BD A0 AC (8E | AE) AB AB BD AA BC BC } + $a207 = { (97 | B7) B5 A4 (80 | A0) A2 BF B3 (91 | B1) B4 B4 A2 B5 A3 A3 } + $a208 = { (96 | B6) B4 A5 (81 | A1) A3 BE B2 (90 | B0) B5 B5 A3 B4 A2 A2 } + $a209 = { (95 | B5) B7 A6 (82 | A2) A0 BD B1 (93 | B3) B6 B6 A0 B7 A1 A1 } + $a210 = { (94 | B4) B6 A7 (83 | A3) A1 BC B0 (92 | B2) B7 B7 A1 B6 A0 A0 } + $a211 = { (93 | B3) B1 A0 (84 | A4) A6 BB B7 (95 | 
B5) B0 B0 A6 B1 A7 A7 } + $a212 = { (92 | B2) B0 A1 (85 | A5) A7 BA B6 (94 | B4) B1 B1 A7 B0 A6 A6 } + $a213 = { (91 | B1) B3 A2 (86 | A6) A4 B9 B5 (97 | B7) B2 B2 A4 B3 A5 A5 } + $a214 = { (90 | B0) B2 A3 (87 | A7) A5 B8 B4 (96 | B6) B3 B3 A5 B2 A4 A4 } + $a215 = { (9F | BF) BD AC (88 | A8) AA B7 BB (99 | B9) BC BC AA BD AB AB } + $a216 = { (9E | BE) BC AD (89 | A9) AB B6 BA (98 | B8) BD BD AB BC AA AA } + $a217 = { (9D | BD) BF AE (8A | AA) A8 B5 B9 (9B | BB) BE BE A8 BF A9 A9 } + $a218 = { (9C | BC) BE AF (8B | AB) A9 B4 B8 (9A | BA) BF BF A9 BE A8 A8 } + $a219 = { (9B | BB) B9 A8 (8C | AC) AE B3 BF (9D | BD) B8 B8 AE B9 AF AF } + $a220 = { (9A | BA) B8 A9 (8D | AD) AF B2 BE (9C | BC) B9 B9 AF B8 AE AE } + $a221 = { (99 | B9) BB AA (8E | AE) AC B1 BD (9F | BF) BA BA AC BB AD AD } + $a222 = { (98 | B8) BA AB (8F | AF) AD B0 BC (9E | BE) BB BB AD BA AC AC } + $a223 = { (A7 | 87) 85 94 (B0 | 90) 92 8F 83 (A1 | 81) 84 84 92 85 93 93 } + $a224 = { (A6 | 86) 84 95 (B1 | 91) 93 8E 82 (A0 | 80) 85 85 93 84 92 92 } + $a225 = { (A5 | 85) 87 96 (B2 | 92) 90 8D 81 (A3 | 83) 86 86 90 87 91 91 } + $a226 = { (A4 | 84) 86 97 (B3 | 93) 91 8C 80 (A2 | 82) 87 87 91 86 90 90 } + $a227 = { (A3 | 83) 81 90 (B4 | 94) 96 8B 87 (A5 | 85) 80 80 96 81 97 97 } + $a228 = { (A2 | 82) 80 91 (B5 | 95) 97 8A 86 (A4 | 84) 81 81 97 80 96 96 } + $a229 = { (A1 | 81) 83 92 (B6 | 96) 94 89 85 (A7 | 87) 82 82 94 83 95 95 } + $a230 = { (A0 | 80) 82 93 (B7 | 97) 95 88 84 (A6 | 86) 83 83 95 82 94 94 } + $a231 = { (AF | 8F) 8D 9C (B8 | 98) 9A 87 8B (A9 | 89) 8C 8C 9A 8D 9B 9B } + $a232 = { (AE | 8E) 8C 9D (B9 | 99) 9B 86 8A (A8 | 88) 8D 8D 9B 8C 9A 9A } + $a233 = { (AD | 8D) 8F 9E (BA | 9A) 98 85 89 (AB | 8B) 8E 8E 98 8F 99 99 } + $a234 = { (AC | 8C) 8E 9F (BB | 9B) 99 84 88 (AA | 8A) 8F 8F 99 8E 98 98 } + $a235 = { (AB | 8B) 89 98 (BC | 9C) 9E 83 8F (AD | 8D) 88 88 9E 89 9F 9F } + $a236 = { (AA | 8A) 88 99 (BD | 9D) 9F 82 8E (AC | 8C) 89 89 9F 88 9E 9E } + $a237 = { (A9 | 89) 8B 9A (BE | 9E) 9C 81 8D (AF 
| 8F) 8A 8A 9C 8B 9D 9D } + $a238 = { (A8 | 88) 8A 9B (BF | 9F) 9D 80 8C (AE | 8E) 8B 8B 9D 8A 9C 9C } + $a239 = { (B7 | 97) 95 84 (A0 | 80) 82 9F 93 (B1 | 91) 94 94 82 95 83 83 } + $a240 = { (B6 | 96) 94 85 (A1 | 81) 83 9E 92 (B0 | 90) 95 95 83 94 82 82 } + $a241 = { (B5 | 95) 97 86 (A2 | 82) 80 9D 91 (B3 | 93) 96 96 80 97 81 81 } + $a242 = { (B4 | 94) 96 87 (A3 | 83) 81 9C 90 (B2 | 92) 97 97 81 96 80 80 } + $a243 = { (B3 | 93) 91 80 (A4 | 84) 86 9B 97 (B5 | 95) 90 90 86 91 87 87 } + $a244 = { (B2 | 92) 90 81 (A5 | 85) 87 9A 96 (B4 | 94) 91 91 87 90 86 86 } + $a245 = { (B1 | 91) 93 82 (A6 | 86) 84 99 95 (B7 | 97) 92 92 84 93 85 85 } + $a246 = { (B0 | 90) 92 83 (A7 | 87) 85 98 94 (B6 | 96) 93 93 85 92 84 84 } + $a247 = { (BF | 9F) 9D 8C (A8 | 88) 8A 97 9B (B9 | 99) 9C 9C 8A 9D 8B 8B } + $a248 = { (BE | 9E) 9C 8D (A9 | 89) 8B 96 9A (B8 | 98) 9D 9D 8B 9C 8A 8A } + $a249 = { (BD | 9D) 9F 8E (AA | 8A) 88 95 99 (BB | 9B) 9E 9E 88 9F 89 89 } + $a250 = { (BC | 9C) 9E 8F (AB | 8B) 89 94 98 (BA | 9A) 9F 9F 89 9E 88 88 } + $a251 = { (BB | 9B) 99 88 (AC | 8C) 8E 93 9F (BD | 9D) 98 98 8E 99 8F 8F } + $a252 = { (BA | 9A) 98 89 (AD | 8D) 8F 92 9E (BC | 9C) 99 99 8F 98 8E 8E } + $a253 = { (B9 | 99) 9B 8A (AE | 8E) 8C 91 9D (BF | 9F) 9A 9A 8C 9B 8D 8D } + $a254 = { (4D | 6D) 6E 60 65 (4D | 6D) 68 63 73 60 73 78 } // "LoadLibrary" XOR 0x01 + $a255 = { (4E | 6E) 6D 63 66 (4E | 6E) 6B 60 70 63 70 7B } // "LoadLibrary" XOR 0x02 + $a256 = { (4F | 6F) 6C 62 67 (4F | 6F) 6A 61 71 62 71 7A } // etc... 
+ $a257 = { (48 | 68) 6B 65 60 (48 | 68) 6D 66 76 65 76 7D } + $a258 = { (49 | 69) 6A 64 61 (49 | 69) 6C 67 77 64 77 7C } + $a259 = { (4A | 6A) 69 67 62 (4A | 6A) 6F 64 74 67 74 7F } + $a260 = { (4B | 6B) 68 66 63 (4B | 6B) 6E 65 75 66 75 7E } + $a261 = { (44 | 64) 67 69 6C (44 | 64) 61 6A 7A 69 7A 71 } + $a262 = { (45 | 65) 66 68 6D (45 | 65) 60 6B 7B 68 7B 70 } + $a263 = { (46 | 66) 65 6B 6E (46 | 66) 63 68 78 6B 78 73 } + $a264 = { (47 | 67) 64 6A 6F (47 | 67) 62 69 79 6A 79 72 } + $a265 = { (40 | 60) 63 6D 68 (40 | 60) 65 6E 7E 6D 7E 75 } + $a266 = { (41 | 61) 62 6C 69 (41 | 61) 64 6F 7F 6C 7F 74 } + $a267 = { (42 | 62) 61 6F 6A (42 | 62) 67 6C 7C 6F 7C 77 } + $a268 = { (43 | 63) 60 6E 6B (43 | 63) 66 6D 7D 6E 7D 76 } + $a269 = { (5C | 7C) 7F 71 74 (5C | 7C) 79 72 62 71 62 69 } + $a270 = { (5D | 7D) 7E 70 75 (5D | 7D) 78 73 63 70 63 68 } + $a271 = { (5E | 7E) 7D 73 76 (5E | 7E) 7B 70 60 73 60 6B } + $a272 = { (5F | 7F) 7C 72 77 (5F | 7F) 7A 71 61 72 61 6A } + $a273 = { (58 | 78) 7B 75 70 (58 | 78) 7D 76 66 75 66 6D } + $a274 = { (59 | 79) 7A 74 71 (59 | 79) 7C 77 67 74 67 6C } + $a275 = { (5A | 7A) 79 77 72 (5A | 7A) 7F 74 64 77 64 6F } + $a276 = { (5B | 7B) 78 76 73 (5B | 7B) 7E 75 65 76 65 6E } + $a277 = { (54 | 74) 77 79 7C (54 | 74) 71 7A 6A 79 6A 61 } + $a278 = { (55 | 75) 76 78 7D (55 | 75) 70 7B 6B 78 6B 60 } + $a279 = { (56 | 76) 75 7B 7E (56 | 76) 73 78 68 7B 68 63 } + $a280 = { (57 | 77) 74 7A 7F (57 | 77) 72 79 69 7A 69 62 } + $a281 = { (50 | 70) 73 7D 78 (50 | 70) 75 7E 6E 7D 6E 65 } + $a282 = { (51 | 71) 72 7C 79 (51 | 71) 74 7F 6F 7C 6F 64 } + $a283 = { (52 | 72) 71 7F 7A (52 | 72) 77 7C 6C 7F 6C 67 } + $a284 = { (53 | 73) 70 7E 7B (53 | 73) 76 7D 6D 7E 6D 66 } + // XOR 0x20 removed because it toggles capitalization and causes [lL]OAD[Ll]IBRARY to match. 
+ $a286 = { (6D | 4D) 4E 40 45 (6D | 4D) 48 43 53 40 53 58 } + $a287 = { (6E | 4E) 4D 43 46 (6E | 4E) 4B 40 50 43 50 5B } + $a288 = { (6F | 4F) 4C 42 47 (6F | 4F) 4A 41 51 42 51 5A } + $a289 = { (68 | 48) 4B 45 40 (68 | 48) 4D 46 56 45 56 5D } + $a290 = { (69 | 49) 4A 44 41 (69 | 49) 4C 47 57 44 57 5C } + $a291 = { (6A | 4A) 49 47 42 (6A | 4A) 4F 44 54 47 54 5F } + $a292 = { (6B | 4B) 48 46 43 (6B | 4B) 4E 45 55 46 55 5E } + $a293 = { (64 | 44) 47 49 4C (64 | 44) 41 4A 5A 49 5A 51 } + $a294 = { (65 | 45) 46 48 4D (65 | 45) 40 4B 5B 48 5B 50 } + $a295 = { (66 | 46) 45 4B 4E (66 | 46) 43 48 58 4B 58 53 } + $a296 = { (67 | 47) 44 4A 4F (67 | 47) 42 49 59 4A 59 52 } + $a297 = { (60 | 40) 43 4D 48 (60 | 40) 45 4E 5E 4D 5E 55 } + $a298 = { (61 | 41) 42 4C 49 (61 | 41) 44 4F 5F 4C 5F 54 } + $a299 = { (62 | 42) 41 4F 4A (62 | 42) 47 4C 5C 4F 5C 57 } + $a300 = { (63 | 43) 40 4E 4B (63 | 43) 46 4D 5D 4E 5D 56 } + $a301 = { (7C | 5C) 5F 51 54 (7C | 5C) 59 52 42 51 42 49 } + $a302 = { (7D | 5D) 5E 50 55 (7D | 5D) 58 53 43 50 43 48 } + $a303 = { (7E | 5E) 5D 53 56 (7E | 5E) 5B 50 40 53 40 4B } + $a304 = { (7F | 5F) 5C 52 57 (7F | 5F) 5A 51 41 52 41 4A } + $a305 = { (78 | 58) 5B 55 50 (78 | 58) 5D 56 46 55 46 4D } + $a306 = { (79 | 59) 5A 54 51 (79 | 59) 5C 57 47 54 47 4C } + $a307 = { (7A | 5A) 59 57 52 (7A | 5A) 5F 54 44 57 44 4F } + $a308 = { (7B | 5B) 58 56 53 (7B | 5B) 5E 55 45 56 45 4E } + $a309 = { (74 | 54) 57 59 5C (74 | 54) 51 5A 4A 59 4A 41 } + $a310 = { (75 | 55) 56 58 5D (75 | 55) 50 5B 4B 58 4B 40 } + $a311 = { (76 | 56) 55 5B 5E (76 | 56) 53 58 48 5B 48 43 } + $a312 = { (77 | 57) 54 5A 5F (77 | 57) 52 59 49 5A 49 42 } + $a313 = { (70 | 50) 53 5D 58 (70 | 50) 55 5E 4E 5D 4E 45 } + $a314 = { (71 | 51) 52 5C 59 (71 | 51) 54 5F 4F 5C 4F 44 } + $a315 = { (72 | 52) 51 5F 5A (72 | 52) 57 5C 4C 5F 4C 47 } + $a316 = { (73 | 53) 50 5E 5B (73 | 53) 56 5D 4D 5E 4D 46 } + $a317 = { (0C | 2C) 2F 21 24 (0C | 2C) 29 22 32 21 32 39 } + $a318 = { (0D | 2D) 2E 20 25 (0D | 2D) 28 23 
33 20 33 38 } + $a319 = { (0E | 2E) 2D 23 26 (0E | 2E) 2B 20 30 23 30 3B } + $a320 = { (0F | 2F) 2C 22 27 (0F | 2F) 2A 21 31 22 31 3A } + $a321 = { (08 | 28) 2B 25 20 (08 | 28) 2D 26 36 25 36 3D } + $a322 = { (09 | 29) 2A 24 21 (09 | 29) 2C 27 37 24 37 3C } + $a323 = { (0A | 2A) 29 27 22 (0A | 2A) 2F 24 34 27 34 3F } + $a324 = { (0B | 2B) 28 26 23 (0B | 2B) 2E 25 35 26 35 3E } + $a325 = { (04 | 24) 27 29 2C (04 | 24) 21 2A 3A 29 3A 31 } + $a326 = { (05 | 25) 26 28 2D (05 | 25) 20 2B 3B 28 3B 30 } + $a327 = { (06 | 26) 25 2B 2E (06 | 26) 23 28 38 2B 38 33 } + $a328 = { (07 | 27) 24 2A 2F (07 | 27) 22 29 39 2A 39 32 } + $a329 = { (00 | 20) 23 2D 28 (00 | 20) 25 2E 3E 2D 3E 35 } + $a330 = { (01 | 21) 22 2C 29 (01 | 21) 24 2F 3F 2C 3F 34 } + $a331 = { (02 | 22) 21 2F 2A (02 | 22) 27 2C 3C 2F 3C 37 } + $a332 = { (03 | 23) 20 2E 2B (03 | 23) 26 2D 3D 2E 3D 36 } + $a333 = { (1C | 3C) 3F 31 34 (1C | 3C) 39 32 22 31 22 29 } + $a334 = { (1D | 3D) 3E 30 35 (1D | 3D) 38 33 23 30 23 28 } + $a335 = { (1E | 3E) 3D 33 36 (1E | 3E) 3B 30 20 33 20 2B } + $a336 = { (1F | 3F) 3C 32 37 (1F | 3F) 3A 31 21 32 21 2A } + $a337 = { (18 | 38) 3B 35 30 (18 | 38) 3D 36 26 35 26 2D } + $a338 = { (19 | 39) 3A 34 31 (19 | 39) 3C 37 27 34 27 2C } + $a339 = { (1A | 3A) 39 37 32 (1A | 3A) 3F 34 24 37 24 2F } + $a340 = { (1B | 3B) 38 36 33 (1B | 3B) 3E 35 25 36 25 2E } + $a341 = { (14 | 34) 37 39 3C (14 | 34) 31 3A 2A 39 2A 21 } + $a342 = { (15 | 35) 36 38 3D (15 | 35) 30 3B 2B 38 2B 20 } + $a343 = { (16 | 36) 35 3B 3E (16 | 36) 33 38 28 3B 28 23 } + $a344 = { (17 | 37) 34 3A 3F (17 | 37) 32 39 29 3A 29 22 } + $a345 = { (10 | 30) 33 3D 38 (10 | 30) 35 3E 2E 3D 2E 25 } + $a346 = { (11 | 31) 32 3C 39 (11 | 31) 34 3F 2F 3C 2F 24 } + $a347 = { (12 | 32) 31 3F 3A (12 | 32) 37 3C 2C 3F 2C 27 } + $a348 = { (13 | 33) 30 3E 3B (13 | 33) 36 3D 2D 3E 2D 26 } + $a349 = { (2C | 0C) 0F 01 04 (2C | 0C) 09 02 12 01 12 19 } + $a350 = { (2D | 0D) 0E 00 05 (2D | 0D) 08 03 13 00 13 18 } + $a351 = { (2E | 0E) 0D 03 06 
(2E | 0E) 0B 00 10 03 10 1B } + $a352 = { (2F | 0F) 0C 02 07 (2F | 0F) 0A 01 11 02 11 1A } + $a353 = { (28 | 08) 0B 05 00 (28 | 08) 0D 06 16 05 16 1D } + $a354 = { (29 | 09) 0A 04 01 (29 | 09) 0C 07 17 04 17 1C } + $a355 = { (2A | 0A) 09 07 02 (2A | 0A) 0F 04 14 07 14 1F } + $a356 = { (2B | 0B) 08 06 03 (2B | 0B) 0E 05 15 06 15 1E } + $a357 = { (24 | 04) 07 09 0C (24 | 04) 01 0A 1A 09 1A 11 } + $a358 = { (25 | 05) 06 08 0D (25 | 05) 00 0B 1B 08 1B 10 } + $a359 = { (26 | 06) 05 0B 0E (26 | 06) 03 08 18 0B 18 13 } + $a360 = { (27 | 07) 04 0A 0F (27 | 07) 02 09 19 0A 19 12 } + $a361 = { (20 | 00) 03 0D 08 (20 | 00) 05 0E 1E 0D 1E 15 } + $a362 = { (21 | 01) 02 0C 09 (21 | 01) 04 0F 1F 0C 1F 14 } + $a363 = { (22 | 02) 01 0F 0A (22 | 02) 07 0C 1C 0F 1C 17 } + $a364 = { (23 | 03) 00 0E 0B (23 | 03) 06 0D 1D 0E 1D 16 } + $a365 = { (3C | 1C) 1F 11 14 (3C | 1C) 19 12 02 11 02 09 } + $a366 = { (3D | 1D) 1E 10 15 (3D | 1D) 18 13 03 10 03 08 } + $a367 = { (3E | 1E) 1D 13 16 (3E | 1E) 1B 10 00 13 00 0B } + $a368 = { (3F | 1F) 1C 12 17 (3F | 1F) 1A 11 01 12 01 0A } + $a369 = { (38 | 18) 1B 15 10 (38 | 18) 1D 16 06 15 06 0D } + $a370 = { (39 | 19) 1A 14 11 (39 | 19) 1C 17 07 14 07 0C } + $a371 = { (3A | 1A) 19 17 12 (3A | 1A) 1F 14 04 17 04 0F } + $a372 = { (3B | 1B) 18 16 13 (3B | 1B) 1E 15 05 16 05 0E } + $a373 = { (34 | 14) 17 19 1C (34 | 14) 11 1A 0A 19 0A 01 } + $a374 = { (35 | 15) 16 18 1D (35 | 15) 10 1B 0B 18 0B 00 } + $a375 = { (36 | 16) 15 1B 1E (36 | 16) 13 18 08 1B 08 03 } + $a376 = { (37 | 17) 14 1A 1F (37 | 17) 12 19 09 1A 09 02 } + $a377 = { (30 | 10) 13 1D 18 (30 | 10) 15 1E 0E 1D 0E 05 } + $a378 = { (31 | 11) 12 1C 19 (31 | 11) 14 1F 0F 1C 0F 04 } + $a379 = { (32 | 12) 11 1F 1A (32 | 12) 17 1C 0C 1F 0C 07 } + $a380 = { (33 | 13) 10 1E 1B (33 | 13) 16 1D 0D 1E 0D 06 } + $a381 = { (CC | EC) EF E1 E4 (CC | EC) E9 E2 F2 E1 F2 F9 } + $a382 = { (CD | ED) EE E0 E5 (CD | ED) E8 E3 F3 E0 F3 F8 } + $a383 = { (CE | EE) ED E3 E6 (CE | EE) EB E0 F0 E3 F0 FB } + $a384 = { (CF | 
EF) EC E2 E7 (CF | EF) EA E1 F1 E2 F1 FA } + $a385 = { (C8 | E8) EB E5 E0 (C8 | E8) ED E6 F6 E5 F6 FD } + $a386 = { (C9 | E9) EA E4 E1 (C9 | E9) EC E7 F7 E4 F7 FC } + $a387 = { (CA | EA) E9 E7 E2 (CA | EA) EF E4 F4 E7 F4 FF } + $a388 = { (CB | EB) E8 E6 E3 (CB | EB) EE E5 F5 E6 F5 FE } + $a389 = { (C4 | E4) E7 E9 EC (C4 | E4) E1 EA FA E9 FA F1 } + $a390 = { (C5 | E5) E6 E8 ED (C5 | E5) E0 EB FB E8 FB F0 } + $a391 = { (C6 | E6) E5 EB EE (C6 | E6) E3 E8 F8 EB F8 F3 } + $a392 = { (C7 | E7) E4 EA EF (C7 | E7) E2 E9 F9 EA F9 F2 } + $a393 = { (C0 | E0) E3 ED E8 (C0 | E0) E5 EE FE ED FE F5 } + $a394 = { (C1 | E1) E2 EC E9 (C1 | E1) E4 EF FF EC FF F4 } + $a395 = { (C2 | E2) E1 EF EA (C2 | E2) E7 EC FC EF FC F7 } + $a396 = { (C3 | E3) E0 EE EB (C3 | E3) E6 ED FD EE FD F6 } + $a397 = { (DC | FC) FF F1 F4 (DC | FC) F9 F2 E2 F1 E2 E9 } + $a398 = { (DD | FD) FE F0 F5 (DD | FD) F8 F3 E3 F0 E3 E8 } + $a399 = { (DE | FE) FD F3 F6 (DE | FE) FB F0 E0 F3 E0 EB } + $a400 = { (DF | FF) FC F2 F7 (DF | FF) FA F1 E1 F2 E1 EA } + $a401 = { (D8 | F8) FB F5 F0 (D8 | F8) FD F6 E6 F5 E6 ED } + $a402 = { (D9 | F9) FA F4 F1 (D9 | F9) FC F7 E7 F4 E7 EC } + $a403 = { (DA | FA) F9 F7 F2 (DA | FA) FF F4 E4 F7 E4 EF } + $a404 = { (DB | FB) F8 F6 F3 (DB | FB) FE F5 E5 F6 E5 EE } + $a405 = { (D4 | F4) F7 F9 FC (D4 | F4) F1 FA EA F9 EA E1 } + $a406 = { (D5 | F5) F6 F8 FD (D5 | F5) F0 FB EB F8 EB E0 } + $a407 = { (D6 | F6) F5 FB FE (D6 | F6) F3 F8 E8 FB E8 E3 } + $a408 = { (D7 | F7) F4 FA FF (D7 | F7) F2 F9 E9 FA E9 E2 } + $a409 = { (D0 | F0) F3 FD F8 (D0 | F0) F5 FE EE FD EE E5 } + $a410 = { (D1 | F1) F2 FC F9 (D1 | F1) F4 FF EF FC EF E4 } + $a411 = { (D2 | F2) F1 FF FA (D2 | F2) F7 FC EC FF EC E7 } + $a412 = { (D3 | F3) F0 FE FB (D3 | F3) F6 FD ED FE ED E6 } + $a413 = { (EC | CC) CF C1 C4 (EC | CC) C9 C2 D2 C1 D2 D9 } + $a414 = { (ED | CD) CE C0 C5 (ED | CD) C8 C3 D3 C0 D3 D8 } + $a415 = { (EE | CE) CD C3 C6 (EE | CE) CB C0 D0 C3 D0 DB } + $a416 = { (EF | CF) CC C2 C7 (EF | CF) CA C1 D1 C2 D1 DA } + 
$a417 = { (E8 | C8) CB C5 C0 (E8 | C8) CD C6 D6 C5 D6 DD } + $a418 = { (E9 | C9) CA C4 C1 (E9 | C9) CC C7 D7 C4 D7 DC } + $a419 = { (EA | CA) C9 C7 C2 (EA | CA) CF C4 D4 C7 D4 DF } + $a420 = { (EB | CB) C8 C6 C3 (EB | CB) CE C5 D5 C6 D5 DE } + $a421 = { (E4 | C4) C7 C9 CC (E4 | C4) C1 CA DA C9 DA D1 } + $a422 = { (E5 | C5) C6 C8 CD (E5 | C5) C0 CB DB C8 DB D0 } + $a423 = { (E6 | C6) C5 CB CE (E6 | C6) C3 C8 D8 CB D8 D3 } + $a424 = { (E7 | C7) C4 CA CF (E7 | C7) C2 C9 D9 CA D9 D2 } + $a425 = { (E0 | C0) C3 CD C8 (E0 | C0) C5 CE DE CD DE D5 } + $a426 = { (E1 | C1) C2 CC C9 (E1 | C1) C4 CF DF CC DF D4 } + $a427 = { (E2 | C2) C1 CF CA (E2 | C2) C7 CC DC CF DC D7 } + $a428 = { (E3 | C3) C0 CE CB (E3 | C3) C6 CD DD CE DD D6 } + $a429 = { (FC | DC) DF D1 D4 (FC | DC) D9 D2 C2 D1 C2 C9 } + $a430 = { (FD | DD) DE D0 D5 (FD | DD) D8 D3 C3 D0 C3 C8 } + $a431 = { (FE | DE) DD D3 D6 (FE | DE) DB D0 C0 D3 C0 CB } + $a432 = { (FF | DF) DC D2 D7 (FF | DF) DA D1 C1 D2 C1 CA } + $a433 = { (F8 | D8) DB D5 D0 (F8 | D8) DD D6 C6 D5 C6 CD } + $a434 = { (F9 | D9) DA D4 D1 (F9 | D9) DC D7 C7 D4 C7 CC } + $a435 = { (FA | DA) D9 D7 D2 (FA | DA) DF D4 C4 D7 C4 CF } + $a436 = { (FB | DB) D8 D6 D3 (FB | DB) DE D5 C5 D6 C5 CE } + $a437 = { (F4 | D4) D7 D9 DC (F4 | D4) D1 DA CA D9 CA C1 } + $a438 = { (F5 | D5) D6 D8 DD (F5 | D5) D0 DB CB D8 CB C0 } + $a439 = { (F6 | D6) D5 DB DE (F6 | D6) D3 D8 C8 DB C8 C3 } + $a440 = { (F7 | D7) D4 DA DF (F7 | D7) D2 D9 C9 DA C9 C2 } + $a441 = { (F0 | D0) D3 DD D8 (F0 | D0) D5 DE CE DD CE C5 } + $a442 = { (F1 | D1) D2 DC D9 (F1 | D1) D4 DF CF DC CF C4 } + $a443 = { (F2 | D2) D1 DF DA (F2 | D2) D7 DC CC DF CC C7 } + $a444 = { (F3 | D3) D0 DE DB (F3 | D3) D6 DD CD DE CD C6 } + $a445 = { (8C | AC) AF A1 A4 (8C | AC) A9 A2 B2 A1 B2 B9 } + $a446 = { (8D | AD) AE A0 A5 (8D | AD) A8 A3 B3 A0 B3 B8 } + $a447 = { (8E | AE) AD A3 A6 (8E | AE) AB A0 B0 A3 B0 BB } + $a448 = { (8F | AF) AC A2 A7 (8F | AF) AA A1 B1 A2 B1 BA } + $a449 = { (88 | A8) AB A5 A0 (88 | A8) AD A6 B6 
A5 B6 BD } + $a450 = { (89 | A9) AA A4 A1 (89 | A9) AC A7 B7 A4 B7 BC } + $a451 = { (8A | AA) A9 A7 A2 (8A | AA) AF A4 B4 A7 B4 BF } + $a452 = { (8B | AB) A8 A6 A3 (8B | AB) AE A5 B5 A6 B5 BE } + $a453 = { (84 | A4) A7 A9 AC (84 | A4) A1 AA BA A9 BA B1 } + $a454 = { (85 | A5) A6 A8 AD (85 | A5) A0 AB BB A8 BB B0 } + $a455 = { (86 | A6) A5 AB AE (86 | A6) A3 A8 B8 AB B8 B3 } + $a456 = { (87 | A7) A4 AA AF (87 | A7) A2 A9 B9 AA B9 B2 } + $a457 = { (80 | A0) A3 AD A8 (80 | A0) A5 AE BE AD BE B5 } + $a458 = { (81 | A1) A2 AC A9 (81 | A1) A4 AF BF AC BF B4 } + $a459 = { (82 | A2) A1 AF AA (82 | A2) A7 AC BC AF BC B7 } + $a460 = { (83 | A3) A0 AE AB (83 | A3) A6 AD BD AE BD B6 } + $a461 = { (9C | BC) BF B1 B4 (9C | BC) B9 B2 A2 B1 A2 A9 } + $a462 = { (9D | BD) BE B0 B5 (9D | BD) B8 B3 A3 B0 A3 A8 } + $a463 = { (9E | BE) BD B3 B6 (9E | BE) BB B0 A0 B3 A0 AB } + $a464 = { (9F | BF) BC B2 B7 (9F | BF) BA B1 A1 B2 A1 AA } + $a465 = { (98 | B8) BB B5 B0 (98 | B8) BD B6 A6 B5 A6 AD } + $a466 = { (99 | B9) BA B4 B1 (99 | B9) BC B7 A7 B4 A7 AC } + $a467 = { (9A | BA) B9 B7 B2 (9A | BA) BF B4 A4 B7 A4 AF } + $a468 = { (9B | BB) B8 B6 B3 (9B | BB) BE B5 A5 B6 A5 AE } + $a469 = { (94 | B4) B7 B9 BC (94 | B4) B1 BA AA B9 AA A1 } + $a470 = { (95 | B5) B6 B8 BD (95 | B5) B0 BB AB B8 AB A0 } + $a471 = { (96 | B6) B5 BB BE (96 | B6) B3 B8 A8 BB A8 A3 } + $a472 = { (97 | B7) B4 BA BF (97 | B7) B2 B9 A9 BA A9 A2 } + $a473 = { (90 | B0) B3 BD B8 (90 | B0) B5 BE AE BD AE A5 } + $a474 = { (91 | B1) B2 BC B9 (91 | B1) B4 BF AF BC AF A4 } + $a475 = { (92 | B2) B1 BF BA (92 | B2) B7 BC AC BF AC A7 } + $a476 = { (93 | B3) B0 BE BB (93 | B3) B6 BD AD BE AD A6 } + $a477 = { (AC | 8C) 8F 81 84 (AC | 8C) 89 82 92 81 92 99 } + $a478 = { (AD | 8D) 8E 80 85 (AD | 8D) 88 83 93 80 93 98 } + $a479 = { (AE | 8E) 8D 83 86 (AE | 8E) 8B 80 90 83 90 9B } + $a480 = { (AF | 8F) 8C 82 87 (AF | 8F) 8A 81 91 82 91 9A } + $a481 = { (A8 | 88) 8B 85 80 (A8 | 88) 8D 86 96 85 96 9D } + $a482 = { (A9 | 89) 8A 84 81 (A9 | 
89) 8C 87 97 84 97 9C } + $a483 = { (AA | 8A) 89 87 82 (AA | 8A) 8F 84 94 87 94 9F } + $a484 = { (AB | 8B) 88 86 83 (AB | 8B) 8E 85 95 86 95 9E } + $a485 = { (A4 | 84) 87 89 8C (A4 | 84) 81 8A 9A 89 9A 91 } + $a486 = { (A5 | 85) 86 88 8D (A5 | 85) 80 8B 9B 88 9B 90 } + $a487 = { (A6 | 86) 85 8B 8E (A6 | 86) 83 88 98 8B 98 93 } + $a488 = { (A7 | 87) 84 8A 8F (A7 | 87) 82 89 99 8A 99 92 } + $a489 = { (A0 | 80) 83 8D 88 (A0 | 80) 85 8E 9E 8D 9E 95 } + $a490 = { (A1 | 81) 82 8C 89 (A1 | 81) 84 8F 9F 8C 9F 94 } + $a491 = { (A2 | 82) 81 8F 8A (A2 | 82) 87 8C 9C 8F 9C 97 } + $a492 = { (A3 | 83) 80 8E 8B (A3 | 83) 86 8D 9D 8E 9D 96 } + $a493 = { (BC | 9C) 9F 91 94 (BC | 9C) 99 92 82 91 82 89 } + $a494 = { (BD | 9D) 9E 90 95 (BD | 9D) 98 93 83 90 83 88 } + $a495 = { (BE | 9E) 9D 93 96 (BE | 9E) 9B 90 80 93 80 8B } + $a496 = { (BF | 9F) 9C 92 97 (BF | 9F) 9A 91 81 92 81 8A } + $a497 = { (B8 | 98) 9B 95 90 (B8 | 98) 9D 96 86 95 86 8D } + $a498 = { (B9 | 99) 9A 94 91 (B9 | 99) 9C 97 87 94 87 8C } + $a499 = { (BA | 9A) 99 97 92 (BA | 9A) 9F 94 84 97 84 8F } + $a500 = { (BB | 9B) 98 96 93 (BB | 9B) 9E 95 85 96 85 8E } + $a501 = { (B4 | 94) 97 99 9C (B4 | 94) 91 9A 8A 99 8A 81 } + $a502 = { (B5 | 95) 96 98 9D (B5 | 95) 90 9B 8B 98 8B 80 } + $a503 = { (B6 | 96) 95 9B 9E (B6 | 96) 93 98 88 9B 88 83 } + $a504 = { (B7 | 97) 94 9A 9F (B7 | 97) 92 99 89 9A 89 82 } + $a505 = { (B0 | 90) 93 9D 98 (B0 | 90) 95 9E 8E 9D 8E 85 } + $a506 = { (B1 | 91) 92 9C 99 (B1 | 91) 94 9F 8F 9C 8F 84 } + $a507 = { (B2 | 92) 91 9F 9A (B2 | 92) 97 9C 8C 9F 8C 87 } + condition: + any of them +} + + +rule BITS_CLSID : SuspiciousStrings +{ + meta: + description = "References the BITS service." + author = "Ivan Kwiatkowski (@JusticeRage)" + // The BITS service seems to be used heavily by EquationGroup. 
+ strings:
+ $uuid_background_copy_manager_1_5 = { 1F 77 87 F0 4F D7 1A 4C BB 8A E1 6A CA 91 24 EA }
+ $uuid_background_copy_manager_2_0 = { 12 AD 18 6D E3 BD 93 43 B3 11 09 9C 34 6E 6D F9 }
+ $uuid_background_copy_manager_2_5 = { D6 98 CA 03 5D FF B8 49 AB C6 03 DD 84 12 70 20 }
+ $uuid_background_copy_manager_3_0 = { A7 DE 9C 65 9E 48 D9 11 A9 CD 00 0D 56 96 52 51 }
+ $uuid_background_copy_manager_4_0 = { 6B F5 6D BB CE CA DC 11 99 92 00 19 B9 3A 3A 84 }
+ $uuid_background_copy_manager_5_0 = { 4C A3 CC 1E 8A E8 E3 44 8D 6A 89 21 BD E9 E4 52 }
+ $uuid_background_copy_manager = { 4B D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 }
+ $uuid_ibackground_copy_manager = { 0D 4C E3 5C C9 0D 1F 4C 89 7C DA A1 B7 8C EE 7C }
+ $uuid_background_copy_qmanager = { 69 AD 4A EE 51 BE 43 9B A9 2C 86 AE 49 0E 8B 30 }
+ $uuid_ibits_peer_cache_administration = { AD DE 9C 65 9E 48 D9 11 A9 CD 00 0D 56 96 52 51 }
+ $uuid_background_copy_callback = { C7 99 EA 97 86 01 D4 4A 8D F9 C5 B4 E0 ED 6B 22 }
+ condition:
+ any of them
+}
diff --git a/yara_sigs/index.yar b/yara_sigs/index.yar
new file mode 100644
index 0000000..2c20b2c
--- /dev/null
+++ b/yara_sigs/index.yar
@@ -0,0 +1,4 @@
+include "./strings/anti_xx.yar"
+include "./strings/ip.yar"
+include "./strings/suspicious.yar"
+include "./strings/url.yar"
diff --git a/yara_sigs/index_id.yar b/yara_sigs/index_id.yar
new file mode 100644
index 0000000..b8a2c3d
--- /dev/null
+++ b/yara_sigs/index_id.yar
@@ -0,0 +1,4 @@
+include "./file/compiler.yar"
+include "./file/crypto.yar"
+include "./file/packer.yar"
+include "./file/suspicious.yar"
\ No newline at end of file
diff --git a/yara_sigs/index_mitre.yar b/yara_sigs/index_mitre.yar
new file mode 100644
index 0000000..f389ac6
--- /dev/null
+++ b/yara_sigs/index_mitre.yar
@@ -0,0 +1 @@
+include "./mitre/techniques.yar"
\ No newline at end of file
diff --git a/yara_sigs/mitre/api_based.yar b/yara_sigs/mitre/api_based.yar
new file mode 100644
index 0000000..80243d9
--- /dev/null
+++ b/yara_sigs/mitre/api_based.yar
@@ -0,0 +1,10 @@
+rule screeshot_write : T1113
+{
+ meta:
+ description = "Takes Screenshot"
+ strings:
+ $ie = "SCREENSHOT"
+ $ff = "WRITE_FILE"
+ condition:
+ all of them
+}
\ No newline at end of file
diff --git a/yara_sigs/mitre/techniques.yar b/yara_sigs/mitre/techniques.yar
new file mode 100644
index 0000000..dff664c
--- /dev/null
+++ b/yara_sigs/mitre/techniques.yar
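Review bot: The rule name `screeshot_write` in api_based.yar is misspelled, and nothing in this commit loads the file: index_mitre.yar includes only `./mitre/techniques.yar`, and the other two index files cover `./strings/` and `./file/`, so this rule is never compiled unless a loader picks the file up directly. I would rename it `rule screenshot_write : T1113` and add `include "./mitre/api_based.yar"` to index_mitre.yar. The two strings are bare ASCII literals without `wide` or `nocase`, unlike the `nocase wide ascii` modifiers the rules in techniques.yar use, so UTF-16 or differently-cased occurrences are missed. `"SCREENSHOT"` and `"WRITE_FILE"` are also generic tokens, so the `all of them` condition is the only false-positive control; a `meta: author` entry, as the sibling rules carry, would help attribute the rule.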
@@ -0,0 +1,618 @@
+rule screenshot : T1113 {
+ meta:
+ author = "x0r"
+ description = "Take screenshot"
+ version = "0.1"
+ strings:
+ $d1 = "Gdi32.dll" nocase
+ $d2 = "User32.dll" nocase
+ $c1 = "BitBlt"
+ $c2 = "GetDC"
+ condition:
+ 1 of ($d*) and 1 of ($c*)
+}
+
+rule Run_Entry : T1060
+{
+ meta:
+ description = "Registry Run Keys / Startup Folder"
+ strings:
+ $a0 = "(HKEY_CURRENT_USER|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" nocase wide ascii
+ $a1 = "(HKEY_CURRENT_USER|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase wide ascii
+ $a2 = "(HKEY_LOCAL_MACHINE|HKLM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" nocase wide ascii
+ $a3 = "(HKEY_LOCAL_MACHINE|HKLM)\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase wide ascii
+ $a4 = "(HKEY_LOCAL_MACHINE|HKLM)\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" nocase wide ascii
+ $a5 = "RegSetValueExA" nocase wide ascii
+
+ condition:
+ ($a0 or $a1 or $a2 or $a3 or $a4) and $a5
+}
+
+
+rule cmd : T1059
+{
+ meta:
+ description = "Command-Line Interface"
+ strings:
+ $a0 = "cmd.exe" nocase wide ascii
+
+ condition:
+ any of them
+}
+
+
+rule Startup : T1060
+{
+ meta:
+ description = "May have dropper capabilities"
+ author = "Ivan Kwiatkowski (@JusticeRage)"
+ strings:
+ $a2 = "Programs\\Startup" nocase wide ascii
+ $a4 = "%allusersprofile%" nocase wide ascii
+ condition:
+ all of them
+}
+
+
+rule AutoIT : T1064
+{
+ meta:
+ description = "Scripting"
+ strings:
+ $a0 = "AutoIt Error" ascii wide
+ $a1 = "reserved for AutoIt internal use" ascii wide
+ condition:
+ any of them
+}
+
+
+rule WMI_strings : T1064
+{
+ meta:
+ description = "Scripting"
+ strings:
+ // WMI namespaces which may be referenced in the ConnectServer call. All in the form of "ROOT\something"
+ $a0 = /ROOT\\(CIMV2|AccessLogging|ADFS|aspnet|Cli|Hardware|interop|InventoryLogging|Microsoft.{10}|Policy|RSOP|SECURITY|ServiceModel|snmpStandardCimv2|subscription|virtualization|WebAdministration|WMI)/ nocase ascii wide
+ condition:
+ any of them
+}
+
+
+rule Base64d_PE : T1027
+{
+ meta:
+ description = "Contains a base64-encoded executable"
+ author = "Florian Roth"
+ date = "2017-04-21"
+
+ strings:
+ $s0 = "TVqQAAIAAAAEAA8A//8AALgAAAA" wide ascii
+ $s1 = "TVqQAAMAAAAEAAAA//8AALgAAAA" wide ascii
+
+ condition:
+ any of them
+}
+
+rule Token_Impersonation : T1134
+{
+ meta:
+ description = "Access Token Manipulation"
+
+ strings:
+ $s0 = "ImpersonateLoggedOnUser" wide ascii
+ $s1 = "SetThreadToken" wide ascii
+
+ condition:
+ all of them
+}
+
+
+rule Create_Process_with_a_Token : T1134
+{
+ meta:
+ description = "Access Token Manipulation"
+
+ strings:
+ $s0 = "DuplicateToken" wide ascii
+ $s1 = "CreateProcessWithTokenW" wide ascii
+
+ condition:
+ all of them
+}
+
+
+rule Make_and_Impersonate_Token : T1135
+{
+ meta:
+ description = "Access Token Manipulation"
+
+ strings:
+ $s0 = "LogonUser" wide ascii
+ $s1 = "SetThreadToken" wide ascii
+
+ condition:
+ all of them
+}
+
+
+rule Browsers : SuspiciousStrings
+{
+ meta:
+ description = "Contains references to internet browsers"
+ author = "Ivan Kwiatkowski (@JusticeRage)"
+ strings:
+ $ie = "iexplore.exe" nocase wide ascii
+ $ff = "firefox.exe" nocase wide ascii
+ $ff_key = "key3.db"
+ $ff_log = "signons.sqlite"
+ $chrome = "chrome.exe" nocase wide ascii
+ // TODO: Add user-agent strings
+ condition:
+ any of them
+}
+
+
+rule Disable_AV : T1089
+{
+ meta:
+ description = "Disabling Security Tools"
+ author = "Jerome Athias"
+ source = "Metasploit's killav.rb script"
+
+ strings:
+ $a0 = "AAWTray.exe" nocase wide ascii
+ $a1 = "Ad-Aware.exe" nocase wide ascii
+ $a2 = "MSASCui.exe" nocase wide ascii
+ $a3 = "_avp32.exe" nocase wide ascii
+ $a4 = "_avpcc.exe" nocase wide ascii
+ $a5 = "_avpm.exe" nocase wide ascii + $a6 = "aAvgApi.exe" nocase wide ascii + $a7 = "ackwin32.exe" nocase wide ascii + $a8 = "adaware.exe" nocase wide ascii + $a9 = "advxdwin.exe" nocase wide ascii + $a10 = "agentsvr.exe" nocase wide ascii + $a11 = "agentw.exe" nocase wide ascii + $a12 = "alertsvc.exe" nocase wide ascii + $a13 = "alevir.exe" nocase wide ascii + $a14 = "alogserv.exe" nocase wide ascii + $a15 = "amon9x.exe" nocase wide ascii + $a16 = "anti-trojan.exe" nocase wide ascii + $a17 = "antivirus.exe" nocase wide ascii + $a18 = "ants.exe" nocase wide ascii + $a19 = "apimonitor.exe" nocase wide ascii + $a20 = "aplica32.exe" nocase wide ascii + $a21 = "apvxdwin.exe" nocase wide ascii + $a22 = "arr.exe" nocase wide ascii + $a23 = "atcon.exe" nocase wide ascii + $a24 = "atguard.exe" nocase wide ascii + $a25 = "atro55en.exe" nocase wide ascii + $a26 = "atupdater.exe" nocase wide ascii + $a27 = "atwatch.exe" nocase wide ascii + $a28 = "au.exe" nocase wide ascii + $a29 = "aupdate.exe" nocase wide ascii + $a31 = "autodown.exe" nocase wide ascii + $a32 = "autotrace.exe" nocase wide ascii + $a33 = "autoupdate.exe" nocase wide ascii + $a34 = "avconsol.exe" nocase wide ascii + $a35 = "ave32.exe" nocase wide ascii + $a36 = "avgcc32.exe" nocase wide ascii + $a37 = "avgctrl.exe" nocase wide ascii + $a38 = "avgemc.exe" nocase wide ascii + $a39 = "avgnt.exe" nocase wide ascii + $a40 = "avgrsx.exe" nocase wide ascii + $a41 = "avgserv.exe" nocase wide ascii + $a42 = "avgserv9.exe" nocase wide ascii + $a43 = /av(gui|guard|center|gtray|gidsagent|gwdsvc|grsa|gcsrva|gcsrvx).exe/ nocase wide ascii + $a44 = "avgw.exe" nocase wide ascii + $a45 = "avkpop.exe" nocase wide ascii + $a46 = "avkserv.exe" nocase wide ascii + $a47 = "avkservice.exe" nocase wide ascii + $a48 = "avkwctl9.exe" nocase wide ascii + $a49 = "avltmain.exe" nocase wide ascii + $a50 = "avnt.exe" nocase wide ascii + $a51 = "avp.exe" nocase wide ascii + $a52 = "avp.exe" nocase wide ascii + $a53 = "avp32.exe" nocase 
wide ascii + $a54 = "avpcc.exe" nocase wide ascii + $a55 = "avpdos32.exe" nocase wide ascii + $a56 = "avpm.exe" nocase wide ascii + $a57 = "avptc32.exe" nocase wide ascii + $a58 = "avpupd.exe" nocase wide ascii + $a59 = "avsched32.exe" nocase wide ascii + $a60 = "avsynmgr.exe" nocase wide ascii + $a61 = "avwin.exe" nocase wide ascii + $a62 = "avwin95.exe" nocase wide ascii + $a63 = "avwinnt.exe" nocase wide ascii + $a64 = "avwupd.exe" nocase wide ascii + $a65 = "avwupd32.exe" nocase wide ascii + $a66 = "avwupsrv.exe" nocase wide ascii + $a67 = "avxmonitor9x.exe" nocase wide ascii + $a68 = "avxmonitornt.exe" nocase wide ascii + $a69 = "avxquar.exe" nocase wide ascii + $a73 = "beagle.exe" nocase wide ascii + $a74 = "belt.exe" nocase wide ascii + $a75 = "bidef.exe" nocase wide ascii + $a76 = "bidserver.exe" nocase wide ascii + $a77 = "bipcp.exe" nocase wide ascii + $a79 = "bisp.exe" nocase wide ascii + $a80 = "blackd.exe" nocase wide ascii + $a81 = "blackice.exe" nocase wide ascii + $a82 = "blink.exe" nocase wide ascii + $a83 = "blss.exe" nocase wide ascii + $a84 = "bootconf.exe" nocase wide ascii + $a85 = "bootwarn.exe" nocase wide ascii + $a86 = "borg2.exe" nocase wide ascii + $a87 = "bpc.exe" nocase wide ascii + $a89 = "bs120.exe" nocase wide ascii + $a90 = "bundle.exe" nocase wide ascii + $a91 = "bvt.exe" nocase wide ascii + $a92 = "ccapp.exe" nocase wide ascii + $a93 = "ccevtmgr.exe" nocase wide ascii + $a94 = "ccpxysvc.exe" nocase wide ascii + $a95 = "cdp.exe" nocase wide ascii + $a96 = "cfd.exe" nocase wide ascii + $a97 = "cfgwiz.exe" nocase wide ascii + $a98 = "cfiadmin.exe" nocase wide ascii + $a99 = "cfiaudit.exe" nocase wide ascii + $a100 = "cfinet.exe" nocase wide ascii + $a101 = "cfinet32.exe" nocase wide ascii + $a102 = "claw95.exe" nocase wide ascii + $a103 = "claw95cf.exe" nocase wide ascii + $a104 = "clean.exe" nocase wide ascii + $a105 = "cleaner.exe" nocase wide ascii + $a106 = "cleaner3.exe" nocase wide ascii + $a107 = "cleanpc.exe" nocase wide 
ascii + $a108 = "click.exe" nocase wide ascii + $a111 = "cmesys.exe" nocase wide ascii + $a112 = "cmgrdian.exe" nocase wide ascii + $a113 = "cmon016.exe" nocase wide ascii + $a114 = "connectionmonitor.exe" nocase wide ascii + $a115 = "cpd.exe" nocase wide ascii + $a116 = "cpf9x206.exe" nocase wide ascii + $a117 = "cpfnt206.exe" nocase wide ascii + $a118 = "ctrl.exe" nocase wide ascii fullword + $a119 = "cv.exe" nocase wide ascii + $a120 = "cwnb181.exe" nocase wide ascii + $a121 = "cwntdwmo.exe" nocase wide ascii + $a123 = "dcomx.exe" nocase wide ascii + $a124 = "defalert.exe" nocase wide ascii + $a125 = "defscangui.exe" nocase wide ascii + $a126 = "defwatch.exe" nocase wide ascii + $a127 = "deputy.exe" nocase wide ascii + $a129 = "dllcache.exe" nocase wide ascii + $a130 = "dllreg.exe" nocase wide ascii + $a132 = "dpf.exe" nocase wide ascii + $a134 = "dpps2.exe" nocase wide ascii + $a135 = "drwatson.exe" nocase wide ascii + $a136 = "drweb32.exe" nocase wide ascii + $a137 = "drwebupw.exe" nocase wide ascii + $a138 = "dssagent.exe" nocase wide ascii + $a139 = "dvp95.exe" nocase wide ascii + $a140 = "dvp95_0.exe" nocase wide ascii + $a141 = "ecengine.exe" nocase wide ascii + $a142 = "efpeadm.exe" nocase wide ascii + $a143 = "emsw.exe" nocase wide ascii + $a145 = "esafe.exe" nocase wide ascii + $a146 = "escanhnt.exe" nocase wide ascii + $a147 = "escanv95.exe" nocase wide ascii + $a148 = "espwatch.exe" nocase wide ascii + $a150 = "etrustcipe.exe" nocase wide ascii + $a151 = "evpn.exe" nocase wide ascii + $a152 = "exantivirus-cnet.exe" nocase wide ascii + $a153 = "exe.avxw.exe" nocase wide ascii + $a154 = "expert.exe" nocase wide ascii + $a156 = "f-agnt95.exe" nocase wide ascii + $a157 = "f-prot.exe" nocase wide ascii + $a158 = "f-prot95.exe" nocase wide ascii + $a159 = "f-stopw.exe" nocase wide ascii + $a160 = "fameh32.exe" nocase wide ascii + $a161 = "fast.exe" nocase wide ascii + $a162 = "fch32.exe" nocase wide ascii + $a163 = "fih32.exe" nocase wide ascii + $a164 = 
"findviru.exe" nocase wide ascii + $a165 = "firewall.exe" nocase wide ascii + $a166 = "fnrb32.exe" nocase wide ascii + $a167 = "fp-win.exe" nocase wide ascii + $a169 = "fprot.exe" nocase wide ascii + $a170 = "frw.exe" nocase wide ascii + $a171 = "fsaa.exe" nocase wide ascii + $a172 = "fsav.exe" nocase wide ascii + $a173 = "fsav32.exe" nocase wide ascii + $a176 = "fsav95.exe" nocase wide ascii + $a177 = "fsgk32.exe" nocase wide ascii + $a178 = "fsm32.exe" nocase wide ascii + $a179 = "fsma32.exe" nocase wide ascii + $a180 = "fsmb32.exe" nocase wide ascii + $a181 = "gator.exe" nocase wide ascii + $a182 = "gbmenu.exe" nocase wide ascii + $a183 = "gbpoll.exe" nocase wide ascii + $a184 = "generics.exe" nocase wide ascii + $a185 = "gmt.exe" nocase wide ascii + $a186 = "guard.exe" nocase wide ascii + $a187 = "guarddog.exe" nocase wide ascii + $a189 = "hbinst.exe" nocase wide ascii + $a190 = "hbsrv.exe" nocase wide ascii + $a191 = "hotactio.exe" nocase wide ascii + $a192 = "hotpatch.exe" nocase wide ascii + $a193 = "htlog.exe" nocase wide ascii + $a194 = "htpatch.exe" nocase wide ascii + $a195 = "hwpe.exe" nocase wide ascii + $a196 = "hxdl.exe" nocase wide ascii + $a197 = "hxiul.exe" nocase wide ascii + $a198 = "iamapp.exe" nocase wide ascii + $a199 = "iamserv.exe" nocase wide ascii + $a200 = "iamstats.exe" nocase wide ascii + $a201 = "ibmasn.exe" nocase wide ascii + $a202 = "ibmavsp.exe" nocase wide ascii + $a203 = "icload95.exe" nocase wide ascii + $a204 = "icloadnt.exe" nocase wide ascii + $a205 = "icmon.exe" nocase wide ascii + $a206 = "icsupp95.exe" nocase wide ascii + $a207 = "icsuppnt.exe" nocase wide ascii + $a209 = "iedll.exe" nocase wide ascii + $a210 = "iedriver.exe" nocase wide ascii + $a212 = "iface.exe" nocase wide ascii + $a213 = "ifw2000.exe" nocase wide ascii + $a214 = "inetlnfo.exe" nocase wide ascii + $a215 = "infus.exe" nocase wide ascii + $a216 = "infwin.exe" nocase wide ascii + $a218 = "intdel.exe" nocase wide ascii + $a219 = "intren.exe" nocase wide 
ascii + $a220 = "iomon98.exe" nocase wide ascii + $a221 = "istsvc.exe" nocase wide ascii + $a222 = "jammer.exe" nocase wide ascii + $a224 = "jedi.exe" nocase wide ascii + $a227 = "kavpf.exe" nocase wide ascii + $a228 = "kazza.exe" nocase wide ascii + $a229 = "keenvalue.exe" nocase wide ascii + $a236 = "ldnetmon.exe" nocase wide ascii + $a237 = "ldpro.exe" nocase wide ascii + $a238 = "ldpromenu.exe" nocase wide ascii + $a239 = "ldscan.exe" nocase wide ascii + $a240 = "lnetinfo.exe" nocase wide ascii + $a242 = "localnet.exe" nocase wide ascii + $a243 = "lockdown.exe" nocase wide ascii + $a244 = "lockdown2000.exe" nocase wide ascii + $a245 = "lookout.exe" nocase wide ascii + $a248 = "luall.exe" nocase wide ascii + $a249 = "luau.exe" nocase wide ascii + $a250 = "lucomserver.exe" nocase wide ascii + $a251 = "luinit.exe" nocase wide ascii + $a252 = "luspt.exe" nocase wide ascii + $a253 = "mapisvc32.exe" nocase wide ascii + $a254 = "mcagent.exe" nocase wide ascii + $a255 = "mcmnhdlr.exe" nocase wide ascii + $a256 = "mcshield.exe" nocase wide ascii + $a257 = "mctool.exe" nocase wide ascii + $a258 = "mcupdate.exe" nocase wide ascii + $a259 = "mcvsrte.exe" nocase wide ascii + $a260 = "mcvsshld.exe" nocase wide ascii + $a262 = "mfin32.exe" nocase wide ascii + $a263 = "mfw2en.exe" nocase wide ascii + $a265 = "mgavrtcl.exe" nocase wide ascii + $a266 = "mgavrte.exe" nocase wide ascii + $a267 = "mghtml.exe" nocase wide ascii + $a268 = "mgui.exe" nocase wide ascii + $a269 = "minilog.exe" nocase wide ascii + $a270 = "mmod.exe" nocase wide ascii + $a271 = "monitor.exe" nocase wide ascii + $a272 = "moolive.exe" nocase wide ascii + $a273 = "mostat.exe" nocase wide ascii + $a274 = "mpfagent.exe" nocase wide ascii + $a275 = "mpfservice.exe" nocase wide ascii + $a276 = "mpftray.exe" nocase wide ascii + $a277 = "mrflux.exe" nocase wide ascii + $a278 = "msapp.exe" nocase wide ascii + $a279 = "msbb.exe" nocase wide ascii + $a280 = "msblast.exe" nocase wide ascii + $a281 = "mscache.exe" 
nocase wide ascii
+ $a282 = "msccn32.exe" nocase wide ascii
+ $a283 = "mscman.exe" nocase wide ascii
+ $a285 = "msdm.exe" nocase wide ascii
+ $a286 = "msdos.exe" nocase wide ascii
+ $a287 = "msiexec16.exe" nocase wide ascii
+ $a288 = "msinfo32.exe" nocase wide ascii
+ $a289 = "mslaugh.exe" nocase wide ascii
+ $a290 = "msmgt.exe" nocase wide ascii
+ $a291 = "msmsgri32.exe" nocase wide ascii
+ $a292 = "mssmmc32.exe" nocase wide ascii
+ $a293 = "mssys.exe" nocase wide ascii
+ $a294 = "msvxd.exe" nocase wide ascii
+ $a295 = "mu0311ad.exe" nocase wide ascii
+ $a296 = "mwatch.exe" nocase wide ascii
+ $a297 = "n32scanw.exe" nocase wide ascii
+ $a298 = "nav.exe" nocase wide ascii
+ $a300 = "navapsvc.exe" nocase wide ascii
+ $a301 = "navapw32.exe" nocase wide ascii
+ $a302 = "navdx.exe" nocase wide ascii
+ $a303 = "navlu32.exe" nocase wide ascii
+ $a304 = "navnt.exe" nocase wide ascii
+ $a305 = "navstub.exe" nocase wide ascii
+ $a306 = "navw32.exe" nocase wide ascii
+ $a307 = "navwnt.exe" nocase wide ascii
+ $a308 = "nc2000.exe" nocase wide ascii
+ $a309 = "ncinst4.exe" nocase wide ascii
+ $a310 = "ndd32.exe" nocase wide ascii
+ $a311 = "neomonitor.exe" nocase wide ascii
+ $a312 = "neowatchlog.exe" nocase wide ascii
+ $a313 = "netarmor.exe" nocase wide ascii
+ $a314 = "netd32.exe" nocase wide ascii
+ $a315 = "netinfo.exe" nocase wide ascii
+ $a317 = "netscanpro.exe" nocase wide ascii
+ $a320 = "netutils.exe" nocase wide ascii
+ $a321 = "nisserv.exe" nocase wide ascii
+ $a322 = "nisum.exe" nocase wide ascii
+ $a323 = "nmain.exe" nocase wide ascii
+ $a324 = "nod32.exe" nocase wide ascii
+ $a325 = "normist.exe" nocase wide ascii
+ $a327 = "notstart.exe" nocase wide ascii
+ $a329 = "npfmessenger.exe" nocase wide ascii
+ $a330 = "nprotect.exe" nocase wide ascii
+ $a331 = "npscheck.exe" nocase wide ascii
+ $a332 = "npssvc.exe" nocase wide ascii
+ $a333 = "nsched32.exe" nocase wide ascii
+ $a334 = "nssys32.exe" nocase wide ascii
+ $a335 = "nstask32.exe" nocase wide ascii
+ $a336 = "nsupdate.exe" nocase wide ascii
+ $a338 = "ntrtscan.exe" nocase wide ascii
+ $a340 = "ntxconfig.exe" nocase wide ascii
+ $a341 = "nui.exe" nocase wide ascii
+ $a342 = "nupgrade.exe" nocase wide ascii
+ $a343 = "nvarch16.exe" nocase wide ascii
+ $a344 = "nvc95.exe" nocase wide ascii
+ $a345 = "nvsvc32.exe" nocase wide ascii
+ $a346 = "nwinst4.exe" nocase wide ascii
+ $a347 = "nwservice.exe" nocase wide ascii
+ $a348 = "nwtool16.exe" nocase wide ascii
+ $a350 = "onsrvr.exe" nocase wide ascii
+ $a351 = "optimize.exe" nocase wide ascii
+ $a352 = "ostronet.exe" nocase wide ascii
+ $a353 = "otfix.exe" nocase wide ascii
+ $a354 = "outpost.exe" nocase wide ascii
+ $a360 = "pavcl.exe" nocase wide ascii
+ $a361 = "pavproxy.exe" nocase wide ascii
+ $a362 = "pavsched.exe" nocase wide ascii
+ $a363 = "pavw.exe" nocase wide ascii
+ $a364 = "pccwin98.exe" nocase wide ascii
+ $a365 = "pcfwallicon.exe" nocase wide ascii
+ $a367 = "pcscan.exe" nocase wide ascii
+ $a369 = "periscope.exe" nocase wide ascii
+ $a370 = "persfw.exe" nocase wide ascii
+ $a371 = "perswf.exe" nocase wide ascii
+ $a372 = "pf2.exe" nocase wide ascii
+ $a373 = "pfwadmin.exe" nocase wide ascii
+ $a374 = "pgmonitr.exe" nocase wide ascii
+ $a375 = "pingscan.exe" nocase wide ascii
+ $a376 = "platin.exe" nocase wide ascii
+ $a377 = "pop3trap.exe" nocase wide ascii
+ $a378 = "poproxy.exe" nocase wide ascii
+ $a379 = "popscan.exe" nocase wide ascii
+ $a380 = "portdetective.exe" nocase wide ascii
+ $a381 = "portmonitor.exe" nocase wide ascii
+ $a382 = "powerscan.exe" nocase wide ascii
+ $a383 = "ppinupdt.exe" nocase wide ascii
+ $a384 = "pptbc.exe" nocase wide ascii
+ $a385 = "ppvstop.exe" nocase wide ascii
+ $a387 = "prmt.exe" nocase wide ascii
+ $a388 = "prmvr.exe" nocase wide ascii
+ $a389 = "procdump.exe" nocase wide ascii
+ $a390 = "processmonitor.exe" nocase wide ascii
+ $a392 = "programauditor.exe" nocase wide ascii
+ $a393 = "proport.exe" nocase wide ascii
+ $a394 = "protectx.exe" nocase wide ascii
+ $a395 = "pspf.exe" nocase wide ascii
+ $a396 = "purge.exe" nocase wide ascii
+ $a397 = "qconsole.exe" nocase wide ascii
+ $a398 = "qserver.exe" nocase wide ascii
+ $a399 = "rapapp.exe" nocase wide ascii
+ $a400 = "rav7.exe" nocase wide ascii
+ $a401 = "rav7win.exe" nocase wide ascii
+ $a404 = "rb32.exe" nocase wide ascii
+ $a405 = "rcsync.exe" nocase wide ascii
+ $a406 = "realmon.exe" nocase wide ascii
+ $a407 = "reged.exe" nocase wide ascii
+ $a410 = "rescue.exe" nocase wide ascii
+ $a412 = "rrguard.exe" nocase wide ascii
+ $a413 = "rshell.exe" nocase wide ascii
+ $a414 = "rtvscan.exe" nocase wide ascii
+ $a415 = "rtvscn95.exe" nocase wide ascii
+ $a416 = "rulaunch.exe" nocase wide ascii
+ $a421 = "safeweb.exe" nocase wide ascii
+ $a422 = "sahagent.exe" nocase wide ascii
+ $a424 = "savenow.exe" nocase wide ascii
+ $a425 = "sbserv.exe" nocase wide ascii
+ $a428 = "scan32.exe" nocase wide ascii
+ $a430 = "scanpm.exe" nocase wide ascii
+ $a431 = "scrscan.exe" nocase wide ascii
+ $a435 = "sfc.exe" nocase wide ascii
+ $a436 = "sgssfw32.exe" nocase wide ascii
+ $a439 = "shn.exe" nocase wide ascii
+ $a440 = "showbehind.exe" nocase wide ascii
+ $a441 = "smc.exe" nocase wide ascii
+ $a442 = "sms.exe" nocase wide ascii
+ $a443 = "smss32.exe" nocase wide ascii
+ $a445 = "sofi.exe" nocase wide ascii
+ $a447 = "spf.exe" nocase wide ascii
+ $a449 = "spoler.exe" nocase wide ascii
+ $a450 = "spoolcv.exe" nocase wide ascii
+ $a451 = "spoolsv32.exe" nocase wide ascii
+ $a452 = "spyxx.exe" nocase wide ascii
+ $a453 = "srexe.exe" nocase wide ascii
+ $a454 = "srng.exe" nocase wide ascii
+ $a455 = "ss3edit.exe" nocase wide ascii
+ $a457 = "ssgrate.exe" nocase wide ascii
+ $a458 = "st2.exe" nocase wide ascii fullword
+ $a461 = "supftrl.exe" nocase wide ascii
+ $a470 = "symproxysvc.exe" nocase wide ascii
+ $a471 = "symtray.exe" nocase wide ascii
+ $a472 = "sysedit.exe" nocase wide ascii
+ $a480 = "taumon.exe" nocase wide ascii
+ $a481 = "tbscan.exe" nocase wide ascii
+ $a483 = "tca.exe" nocase wide ascii
+ $a484 = "tcm.exe" nocase wide ascii
+ $a488 = "teekids.exe" nocase wide ascii
+ $a489 = "tfak.exe" nocase wide ascii
+ $a490 = "tfak5.exe" nocase wide ascii
+ $a491 = "tgbob.exe" nocase wide ascii
+ $a492 = "titanin.exe" nocase wide ascii
+ $a493 = "titaninxp.exe" nocase wide ascii
+ $a496 = "trjscan.exe" nocase wide ascii
+ $a500 = "tvmd.exe" nocase wide ascii
+ $a501 = "tvtmd.exe" nocase wide ascii
+ $a513 = "vet32.exe" nocase wide ascii
+ $a514 = "vet95.exe" nocase wide ascii
+ $a515 = "vettray.exe" nocase wide ascii
+ $a517 = "vir-help.exe" nocase wide ascii
+ $a519 = "vnlan300.exe" nocase wide ascii
+ $a520 = "vnpc3000.exe" nocase wide ascii
+ $a521 = "vpc32.exe" nocase wide ascii
+ $a522 = "vpc42.exe" nocase wide ascii
+ $a523 = "vpfw30s.exe" nocase wide ascii
+ $a524 = "vptray.exe" nocase wide ascii
+ $a525 = "vscan40.exe" nocase wide ascii
+ $a527 = "vsched.exe" nocase wide ascii
+ $a528 = "vsecomr.exe" nocase wide ascii
+ $a529 = "vshwin32.exe" nocase wide ascii
+ $a531 = "vsmain.exe" nocase wide ascii
+ $a532 = "vsmon.exe" nocase wide ascii
+ $a533 = "vsstat.exe" nocase wide ascii
+ $a534 = "vswin9xe.exe" nocase wide ascii
+ $a535 = "vswinntse.exe" nocase wide ascii
+ $a536 = "vswinperse.exe" nocase wide ascii
+ $a537 = "w32dsm89.exe" nocase wide ascii
+ $a538 = "w9x.exe" nocase wide ascii
+ $a541 = "webscanx.exe" nocase wide ascii
+ $a543 = "wfindv32.exe" nocase wide ascii
+ $a545 = "wimmun32.exe" nocase wide ascii
+ $a566 = "wnad.exe" nocase wide ascii
+ $a567 = "wnt.exe" nocase wide ascii
+ $a568 = "wradmin.exe" nocase wide ascii
+ $a569 = "wrctrl.exe" nocase wide ascii
+ $a570 = "wsbgate.exe" nocase wide ascii
+ $a573 = "wyvernworksfirewall.exe" nocase wide ascii
+ $a575 = "zapro.exe" nocase wide ascii
+ $a577 = "zatutor.exe" nocase wide ascii
+ $a579 = "zonealarm.exe" nocase wide ascii
+ // Strings from Dubnium below
+ $a580 = "QQPCRTP.exe" nocase wide ascii
+ $a581 = "QQPCTray.exe" nocase wide ascii
+ $a582 = "ZhuDongFangYu.exe" nocase wide ascii
+ $a583 = /360(tray|sd|rp).exe/ nocase wide ascii
+ $a584 = /qh(safetray|watchdog|activedefense).exe/ nocase wide ascii
+ $a585 = "McNASvc.exe" nocase wide ascii
+ $a586 = "MpfSrv.exe" nocase wide ascii
+ $a587 = "McProxy.exe" nocase wide ascii
+ $a588 = "mcmscsvc.exe" nocase wide ascii
+ $a589 = "McUICnt.exe" nocase wide ascii
+ $a590 = /ui(WatchDog|seagnt|winmgr).exe/ nocase wide ascii
+ $a591 = "ufseagnt.exe" nocase wide ascii
+ $a592 = /core(serviceshell|frameworkhost).exe/ nocase wide ascii
+ $a593 = /ay(agent|rtsrv|updsrv).aye/ nocase wide ascii
+ $a594 = /avast(ui|svc).exe/ nocase wide ascii
+ $a595 = /ms(seces|mpeng).exe/ nocase wide ascii
+ $a596 = "afwserv.exe" nocase wide ascii
+ $a597 = "FiddlerUser"
+
+ condition:
+ any of them
+}
\ No newline at end of file
diff --git a/yara_sigs/strings/anti_xx.yar b/yara_sigs/strings/anti_xx.yar
new file mode 100644
index 0000000..0c9cc88
--- /dev/null
+++ b/yara_sigs/strings/anti_xx.yar
@@ -0,0 +1,1983 @@
+/*
+ This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+import "pe"
+
+rule DebuggerCheck__PEB : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="IsDebugged"
+ condition:
+ any of them
+}
+
+rule DebuggerCheck__GlobalFlags : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="NtGlobalFlags"
+ condition:
+ any of them
+}
+
+rule DebuggerCheck__QueryInfo : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="QueryInformationProcess"
+ condition:
+ any of them
+}
+
+rule DebuggerCheck__RemoteAPI : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="CheckRemoteDebuggerPresent"
+ condition:
+ any of them
+}
+
+rule DebuggerHiding__Thread : AntiDebug {
+ meta:
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ weight = 1
+ strings:
+ $ ="SetInformationThread"
+ condition:
+ any of them
+}
+
+rule DebuggerHiding__Active : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="DebugActiveProcess"
+ condition:
+ any of them
+}
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerTiming__PerformanceCounter : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="QueryPerformanceCounter"
+ condition:
+ any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerTiming__Ticks : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="GetTickCount"
+ condition:
+ any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerOutput__String : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="OutputDebugString"
+ condition:
+ any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerException__UnhandledFilter : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="SetUnhandledExceptionFilter"
+ condition:
+ any of them
+}
+*/
+
+rule DebuggerException__ConsoleCtrl : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="GenerateConsoleCtrlEvent"
+ condition:
+ any of them
+}
+
+rule DebuggerException__SetConsoleCtrl : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="SetConsoleCtrlHandler"
+ condition:
+ any of them
+}
+
+rule ThreadControl__Context : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="SetThreadContext"
+ condition:
+ any of them
+}
+
+rule DebuggerCheck__DrWatson : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ ="__invoke__watson"
+ condition:
+ any of them
+}
+
+rule SEH__v3 : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ = "____except__handler3"
+ $ = "____local__unwind3"
+ condition:
+ any of them
+}
+
+rule SEH__v4 : AntiDebug {
+ // VS 8.0+
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ = "____except__handler4"
+ $ = "____local__unwind4"
+ $ = "__XcptFilter"
+ condition:
+ any of them
+}
+
+rule SEH__vba : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ = "vbaExceptHandler"
+ condition:
+ any of them
+}
+
+rule SEH__vectored : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ = "AddVectoredExceptionHandler"
+ $ = "RemoveVectoredExceptionHandler"
+ condition:
+ any of them
+}
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerPattern__RDTSC : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ = {0F 31}
+ condition:
+ any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerPattern__CPUID : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ = {0F A2}
+ condition:
+ any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerPattern__SEH_Saves : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ = {64 ff 35 00 00 00 00}
+ condition:
+ any of them
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule DebuggerPattern__SEH_Inits : AntiDebug {
+ meta:
+ weight = 1
+ Author = "naxonez"
+ reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
+ strings:
+ $ = {64 89 25 00 00 00 00}
+ condition:
+ any of them
+}
+*/
+
+rule VM_Generic_Detection : AntiVM
+{
+ meta:
+ description = "Tries to detect virtualized environments"
+ strings:
+ $a0 = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
+ $a1 = "HARDWARE\\Description\\System" nocase wide ascii
+ $a2 = "SYSTEM\\CurrentControlSet\\Control\\SystemInformation" nocase wide ascii
+ $a3 = "SYSTEM\\CurrentControlSet\\Enum\\IDE" nocase wide ascii
+ $redpill = { 0F 01 0D 00 00 00 00 C3 } // Copied from the Cuckoo project
+
+ // CLSIDs used to detect if speakers are present. Hoping this will not cause false positives.
+ $teslacrypt1 = { D1 29 06 E3 E5 27 CE 11 87 5D 00 60 8C B7 80 66 } // CLSID_AudioRender
+ $teslacrypt2 = { B3 EB 36 E4 4F 52 CE 11 9F 53 00 20 AF 0B A7 70 } // CLSID_FilterGraph
+
+ condition:
+ any of ($a*) or $redpill or all of ($teslacrypt*)
+}
+
+rule VMWare_Detection : AntiVM
+{
+ meta:
+ description = "Looks for VMWare presence"
+ author = "Cuckoo project"
+
+ strings:
+ $a0 = "VMXh"
+ $a1 = "vmware" nocase wide ascii
+ $vmware4 = "hgfs.sys" nocase wide ascii
+ $vmware5 = "mhgfs.sys" nocase wide ascii
+ $vmware6 = "prleth.sys" nocase wide ascii
+ $vmware7 = "prlfs.sys" nocase wide ascii
+ $vmware8 = "prlmouse.sys" nocase wide ascii
+ $vmware9 = "prlvideo.sys" nocase wide ascii
+ $vmware10 = "prl_pv32.sys" nocase wide ascii
+ $vmware11 = "vpc-s3.sys" nocase wide ascii
+ $vmware12 = "vmsrvc.sys" nocase wide ascii
+ $vmware13 = "vmx86.sys" nocase wide ascii
+ $vmware14 = "vmnet.sys" nocase wide ascii
+ $vmware15 = "vmicheartbeat" nocase wide ascii
+ $vmware16 = "vmicvss" nocase wide ascii
+ $vmware17 = "vmicshutdown" nocase wide ascii
+ $vmware18 = "vmicexchange" nocase wide ascii
+ $vmware19 = "vmdebug" nocase wide ascii
+ $vmware20 = "vmmouse" nocase wide ascii
+ $vmware21 = "vmtools" nocase wide ascii
+ $vmware22 = "VMMEMCTL" nocase wide ascii
+ $vmware23 = "vmx86" nocase wide ascii
+
+ // VMware MAC addresses
+ $vmware_mac_1a = "00-05-69" wide ascii
+ $vmware_mac_1b = "00:05:69" wide ascii
+ $vmware_mac_1c = "000569" wide ascii
+ $vmware_mac_2a = "00-50-56" wide ascii
+ $vmware_mac_2b = "00:50:56" wide ascii
+ $vmware_mac_2c = "005056" wide ascii
+ $vmware_mac_3a = "00-0C-29" nocase wide ascii
+ $vmware_mac_3b = "00:0C:29" nocase wide ascii
+ $vmware_mac_3c = "000C29" nocase wide ascii
+ $vmware_mac_4a = "00-1C-14" nocase wide ascii
+ $vmware_mac_4b = "00:1C:14" nocase wide ascii
+ $vmware_mac_4c = "001C14" nocase wide ascii
+
+ // PCI Vendor IDs, from Hacking Team's leak
+ $virtualbox_vid_1 = "VEN_15ad" nocase wide ascii
+
+ condition:
+ any of them
+}
+
+rule Sandboxie_Detection : AntiVM
+{
+ meta:
+ description = "Looks for Sandboxie presence"
+ author = "Ivan Kwiatkowski (@JusticeRage)"
+
+ strings:
+ $sbie = "SbieDll.dll" nocase wide ascii
+ $buster = /LOG_API(_VERBOSE)?.DLL/ nocase wide ascii
+ $sbie_process_1 = "SbieSvc.exe" nocase wide ascii
+ $sbie_process_2 = "SbieCtrl.exe" nocase wide ascii
+ $sbie_process_3 = "SandboxieRpcSs.exe" nocase wide ascii
+ $sbie_process_4 = "SandboxieDcomLaunch.exe" nocase wide ascii
+ $sbie_process_5 = "SandboxieCrypto.exe" nocase wide ascii
+ $sbie_process_6 = "SandboxieBITS.exe" nocase wide ascii
+ $sbie_process_7 = "SandboxieWUAU.exe" nocase wide ascii
+
+ condition:
+ any of them
+}
+
+rule VirtualPC_Detection : AntiVM
+{
+ meta:
+ description = "Looks for VirtualPC presence"
+ author = "Cuckoo project"
+
+ strings:
+ $a0 = {0F 3F 07 0B }
+ $virtualpc1 = "vpcbus" nocase wide ascii
+ $virtualpc2 = "vpc-s3" nocase wide ascii
+ $virtualpc3 = "vpcuhub" nocase wide ascii
+ $virtualpc4 = "msvmmouf" nocase wide ascii
+
+ condition:
+ any of them
+}
+
+rule VirtualBox_Detection : AntiVM
+{
+ meta:
+ description = "Looks for VirtualBox presence"
+ author = "Cuckoo project"
+ strings:
+ $virtualbox1 = "VBoxHook.dll" nocase wide ascii
+ $virtualbox2 = "VBoxService" nocase wide ascii
+ $virtualbox3 = "VBoxTray" nocase wide ascii
+ $virtualbox4 = "VBoxMouse" nocase wide ascii
+ $virtualbox5 = "VBoxGuest" nocase wide ascii
+ $virtualbox6 = "VBoxSF" nocase wide ascii
+ $virtualbox7 = "VBoxGuestAdditions" nocase wide ascii
+ $virtualbox8 = "VBOX HARDDISK" nocase wide ascii
+ $virtualbox9 = "vboxservice" nocase wide ascii
+ $virtualbox10 = "vboxtray" nocase wide ascii
+
+ // MAC addresses
+ $virtualbox_mac_1a = "08-00-27"
+ $virtualbox_mac_1b = "08:00:27"
+ $virtualbox_mac_1c = "080027"
+
+ // PCI Vendor IDs, from Hacking Team's leak
+ $virtualbox_vid_1 = "VEN_80EE" nocase wide ascii
+
+ // Registry keys
+ $virtualbox_reg_1 = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase wide ascii
+ $virtualbox_reg_2 = /HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__/ nocase wide ascii
+
+ // Other
+ $virtualbox_files = /C:\\Windows\\System32\\drivers\\vbox.{15}\.(sys|dll)/ nocase wide ascii
+ $virtualbox_services = "System\\ControlSet001\\Services\\VBox[A-Za-z]+" nocase wide ascii
+ $virtualbox_pipe = /\\\\.\\pipe\\(VBoxTrayIPC|VBoxMiniRdDN)/ nocase wide ascii
+ $virtualbox_window = /VBoxTrayToolWnd(Class)?/ nocase wide ascii
+ condition:
+ any of them
+}
+
+rule Parallels_Detection : AntiVM
+{
+ meta:
+ description = "Looks for Parallels presence"
+ strings:
+ $a0 = "magi"
+ $a1 = "c!nu"
+ $a2 = "mber"
+
+ // PCI Vendor IDs, from Hacking Team's leak
+ $parallels_vid_1 = "VEN_80EE" nocase wide ascii
+ condition:
+ all of them
+}
+
+rule Qemu_Detection : AntiVM
+{
+ meta:
+ description = "Looks for Qemu presence"
+ strings:
+ $a0 = "qemu" nocase wide ascii
+ condition:
+ any of them
+}
+
+rule Check_Dlls : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Checks for common sandbox dlls"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $dll1 = "sbiedll.dll" wide nocase ascii fullword
+ $dll2 = "dbghelp.dll" wide nocase ascii fullword
+ $dll3 = "api_log.dll" wide nocase ascii fullword
+ $dll4 = "dir_watch.dll" wide nocase ascii fullword
+ $dll5 = "pstorec.dll" wide nocase ascii fullword
+ $dll6 = "vmcheck.dll" wide nocase ascii fullword
+ $dll7 = "wpespy.dll" wide nocase ascii fullword
+ condition:
+ 2 of them
+}
+
+rule Check_Qemu_Description : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Checks for QEMU systembiosversion key"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $key = "HARDWARE\\Description\\System" nocase wide ascii
+ $value = "SystemBiosVersion" nocase wide ascii
+ $data = "QEMU" wide nocase ascii
+ condition:
+ all of them
+}
+
+rule Check_Qemu_DeviceMap : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Checks for Qemu reg keys"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
+ $value = "Identifier" nocase wide ascii
+ $data = "QEMU" wide nocase ascii
+ condition:
+ all of them
+}
+
+rule Check_VBox_Description : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Checks Vbox description reg key"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $key = "HARDWARE\\Description\\System" nocase wide ascii
+ $value = "SystemBiosVersion" nocase wide ascii
+ $data = "VBOX" nocase wide ascii
+ condition:
+ all of them
+}
+rule Check_VBox_DeviceMap : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Checks Vbox registry keys"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
+ $value = "Identifier" nocase wide ascii
+ $data = "VBOX" nocase wide ascii
+ condition:
+ all of them
+}
+rule Check_VBox_Guest_Additions : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Checks for the existence of the guest additions registry key"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $key = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" wide ascii nocase
+ condition:
+ any of them
+}
+rule Check_VBox_VideoDrivers : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Checks for reg keys of Vbox video drivers"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $key = "HARDWARE\\Description\\System" nocase wide ascii
+ $value = "VideoBiosVersion" wide nocase ascii
+ $data = "VIRTUALBOX" nocase wide ascii
+ condition:
+ all of them
+}
+rule Check_VMWare_DeviceMap : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Checks for the existence of VmWare Registry Keys"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" wide ascii nocase
+ $value = "Identifier" wide nocase ascii
+ $data = "VMware" wide nocase ascii
+ condition:
+ all of them
+}
+rule Check_VmTools : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Checks for the existence of VmTools reg key"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $ ="SOFTWARE\\VMware, Inc.\\VMware Tools" nocase ascii wide
+ condition:
+ any of them
+}
+rule Check_Wine : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Checks for the existence of Wine"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $ ="wine_get_unix_file_name"
+ condition:
+ any of them
+}
+
+rule vmdetect : AntiVM
+{
+ meta:
+ author = "nex"
+ description = "Possibly employs anti-virtualization techniques"
+
+ strings:
+ // Binary tricks
+ $vmware = {56 4D 58 68}
+ $virtualpc = {0F 3F 07 0B}
+ $ssexy = {66 0F 70 ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F DB ?? ?? ?? ?? ?? 66 0F EF}
+ $vmcheckdll = {45 C7 00 01}
+ $redpill = {0F 01 0D 00 00 00 00 C3}
+
+ // Random strings
+ $vmware1 = "VMXh"
+ $vmware2 = "Ven_VMware_" nocase
+ $vmware3 = "Prod_VMware_Virtual_" nocase
+ $vmware4 = "hgfs.sys" nocase
+ $vmware5 = "mhgfs.sys" nocase
+ $vmware6 = "prleth.sys" nocase
+ $vmware7 = "prlfs.sys" nocase
+ $vmware8 = "prlmouse.sys" nocase
+ $vmware9 = "prlvideo.sys" nocase
+ $vmware10 = "prl_pv32.sys" nocase
+ $vmware11 = "vpc-s3.sys" nocase
+ $vmware12 = "vmsrvc.sys" nocase
+ $vmware13 = "vmx86.sys" nocase
+ $vmware14 = "vmnet.sys" nocase
+ $vmware15 = "vmicheartbeat" nocase
+ $vmware16 = "vmicvss" nocase
+ $vmware17 = "vmicshutdown" nocase
+ $vmware18 = "vmicexchange" nocase
+ $vmware19 = "vmdebug" nocase
+ $vmware20 = "vmmouse" nocase
+ $vmware21 = "vmtools" nocase
+ $vmware22 = "VMMEMCTL" nocase
+ $vmware23 = "vmx86" nocase
+ $vmware24 = "vmware" nocase
+ $virtualpc1 = "vpcbus" nocase
+ $virtualpc2 = "vpc-s3" nocase
+ $virtualpc3 = "vpcuhub" nocase
+ $virtualpc4 = "msvmmouf" nocase
+ $xen1 = "xenevtchn" nocase
+ $xen2 = "xennet" nocase
+ $xen3 = "xennet6" nocase
+ $xen4 = "xensvc" nocase
+ $xen5 = "xenvdb" nocase
+ $xen6 = "XenVMM" nocase
+ $virtualbox1 = "VBoxHook.dll" nocase
+ $virtualbox2 = "VBoxService" nocase
+ $virtualbox3 = "VBoxTray" nocase
+ $virtualbox4 = "VBoxMouse" nocase
+ $virtualbox5 = "VBoxGuest" nocase
+ $virtualbox6 = "VBoxSF" nocase
+ $virtualbox7 = "VBoxGuestAdditions" nocase
+ $virtualbox8 = "VBOX HARDDISK" nocase
+
+ // MAC addresses
+ $vmware_mac_1a = "00-05-69"
+ $vmware_mac_1b = "00:05:69"
+ $vmware_mac_1c = "000569"
+ $vmware_mac_2a = "00-50-56"
+ $vmware_mac_2b = "00:50:56"
+ $vmware_mac_2c = "005056"
+ $vmware_mac_3a = "00-0C-29" nocase
+ $vmware_mac_3b = "00:0C:29" nocase
+ $vmware_mac_3c = "000C29" nocase
+ $vmware_mac_4a = "00-1C-14" nocase
+ $vmware_mac_4b = "00:1C:14" nocase
+ $vmware_mac_4c = "001C14" nocase
+ $virtualbox_mac_1a = "08-00-27"
+ $virtualbox_mac_1b = "08:00:27"
+ $virtualbox_mac_1c = "080027"
+
+ condition:
+ any of them
+}
+
+rule Check_Debugger : AntiDebug
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Looks for both isDebuggerPresent and CheckRemoteDebuggerPresent"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ condition:
+ pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") and
+ pe.imports("kernel32.dll","IsDebuggerPresent")
+}
+
+rule Check_DriveSize : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Rule tries to catch uses of DeviceIOControl being used to get the drive size"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+
+ strings:
+ $physicaldrive = "\\\\.\\PhysicalDrive0" wide ascii nocase
+ $dwIoControlCode = {68 5c 40 07 00 [0-5] FF 15} //push 7405ch ; push esi (handle) then call deviceoiocontrol IOCTL_DISK_GET_LENGTH_INFO
+ condition:
+ pe.imports("kernel32.dll","CreateFileA") and
+ pe.imports("kernel32.dll","DeviceIoControl") and
+ $dwIoControlCode and
+ $physicaldrive
+}
+
+rule Check_FilePaths : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Checks for filepaths containing popular sandbox names"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $path1 = "SANDBOX" wide ascii
+ $path2 = "\\SAMPLE" wide ascii
+ $path3 = "\\VIRUS" wide ascii
+ condition:
+ all of ($path*) and pe.imports("kernel32.dll","GetModuleFileNameA")
+}
+
+rule Check_UserNames : AntiVM
+{
+ meta:
+ Author = "Nick Hoffman"
+ Description = "Looks for malware checking for common sandbox usernames"
+ Sample = "de1af0e97e94859d372be7fcf3a5daa5"
+ strings:
+ $user1 = "MALTEST" wide ascii
+ $user2 = "TEQUILABOOMBOOM" wide ascii
+ $user3 = "SANDBOX" wide ascii
+ $user4 = "VIRUS" wide ascii
+ $user5 = "MALWARE" wide ascii
+ condition:
+ all of ($user*) and pe.imports("advapi32.dll","GetUserNameA")
+}
+
+
+rule Check_OutputDebugStringA_iat : AntiDebug
+{
+
+ meta:
+ Author = "http://twitter.com/j0sm1"
+ Description = "Detect in IAT OutputDebugstringA"
+ Date = "20/04/2015"
+
+ condition:
+ pe.imports("kernel32.dll","OutputDebugStringA")
+}
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule Check_unhandledExceptionFiler_iat {
+
+ meta:
+ Author = "http://twitter.com/j0sm1"
+ Description = "it's checked if UnhandledExceptionFilter is imported"
+ Date = "20/04/2015"
+ Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#UnhandledExceptionFilter"
+
+ condition:
+ pe.imports("kernel32.dll","UnhandledExceptionFilter")
+}
+*/
+
+// 20150909 - Issue #39 - Commented because of High FP rate
+/*
+rule check_RaiseException_iat : AntiDebug{
+
+ meta:
+ Author = "http://twitter.com/j0sm1"
+ Description = "it's checked if RaiseException is imported"
+ Date = "20/04/2015"
+ Reference = "http://waleedassar.blogspot.com.es/2012/11/ollydbg-raiseexception-bug.html"
+
+ condition:
+ pe.imports("kernel32.dll","RaiseException")
+}
+*/
+
+rule Check_FindWindowA_iat : AntiDebug{
+
+ meta:
+ Author = "http://twitter.com/j0sm1"
+ Description = "it's checked if FindWindowA() is imported"
+ Date = "20/04/2015"
+ Reference = "http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow"
+
+ strings:
+ $ollydbg = "OLLYDBG"
+ $windbg = "WinDbgFrameClass"
+
+ condition:
+ pe.imports("user32.dll","FindWindowA") and ($ollydbg or $windbg)
+}
+
+rule DebuggerCheck__MemoryWorkingSet : AntiDebug {
+ meta:
+ author = "Fernando Mercês"
+ date = "2015-06"
+ description = "Anti-debug process memory working set size check"
+ reference = "http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/"
+
+ condition:
+ pe.imports("kernel32.dll", "K32GetProcessMemoryInfo") and
+ pe.imports("kernel32.dll", "GetCurrentProcess")
+}
+
+rule WMI_VM_Detect : AntiVM
+{
+ meta:
+
+ version = 2
+ threat = "Using WMI to detect virtual machines via querying video card information"
+ behaviour_class = "Evasion"
+ author = "Joe Giron"
+ date = "2015-09-25"
+ description = "Detection of Virtual Appliances through the use of WMI for use of evasion."
+
+ strings:
+
+ $selstr = "SELECT Description FROM Win32_VideoController" nocase ascii wide
+ $selstr2 = "SELECT * FROM Win32_VideoController" nocase ascii wide
+ $vm1 = "virtualbox graphics adapter" nocase ascii wide
+ $vm2 = "vmware svga ii" nocase ascii wide
+ $vm3 = "vm additions s3 trio32/64" nocase ascii wide
+ $vm4 = "parallel" nocase ascii wide
+ $vm5 = "remotefx" nocase ascii wide
+ $vm6 = "cirrus logic" nocase ascii wide
+ $vm7 = "matrox" nocase ascii wide
+
+ condition:
+ any of ($selstr*) and any of ($vm*)
+
+
+}
+
+rule anti_dbg : AntiDebug {
+ meta:
+ author = "x0r"
+ description = "Checks if being debugged"
+ version = "0.2"
+ strings:
+ $d1 = "Kernel32.dll" nocase
+ $c1 = "CheckRemoteDebuggerPresent"
+ $c2 = "IsDebuggerPresent"
+ $c3 = "OutputDebugString"
+ $c4 = "ContinueDebugEvent"
+ $c5 = "DebugActiveProcess"
+ condition:
+ $d1 and 1 of ($c*)
+}
+
+rule anti_dbgtools : AntiDebug {
+ meta:
+ author = "x0r"
+ description = "Checks for the presence of known debug tools"
+ version = "0.1"
+ strings:
+ $f1 = "procexp.exe" nocase
+ $f2 = "procmon.exe" nocase
+ $f3 = "processmonitor.exe" nocase
+ $f4 = "wireshark.exe" nocase
+ $f5 = "fiddler.exe" nocase
+ $f6 = "windbg.exe" nocase
+ $f7 = "ollydbg.exe" nocase
+ $f8 = "winhex.exe" nocase
+ $f9 = "processhacker.exe" nocase
+ $f10 = "hiew32.exe" nocase
+ $c11 = "\\\\.\\NTICE"
+ $c12 = "\\\\.\\SICE"
+ $c13 = "\\\\.\\Syser"
+ $c14 = "\\\\.\\SyserBoot"
+ $c15 = "\\\\.\\SyserDbgMsg"
+ condition:
+ any of them
+}
+
+rule antisb_joesanbox : AntiVM {
+ meta:
+ author = "x0r"
+ description = "Anti-Sandbox checks for Joe Sandbox"
+ version = "0.1"
+ strings:
+ $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
+ $c1 = "RegQueryValue"
+ $s1 = "55274-640-2673064-23950"
+ condition:
+ all of them
+}
+
+rule antisb_anubis : AntiVM {
+ meta:
+ author = "x0r"
+ description = "Anti-Sandbox checks for Anubis"
+ version = "0.1"
+ strings:
+ $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
+ $c1 = "RegQueryValue"
+ $s1 = "76487-337-8429955-22614"
+ $s2 = "76487-640-1457236-23837"
+ condition:
+ $p1 and $c1 and 1 of ($s*)
+}
+
+rule antisb_threatExpert : AntiVM {
+ meta:
+ author = "x0r"
+ description = "Anti-Sandbox checks for ThreatExpert"
+ version = "0.1"
+ strings:
+ $f1 = "dbghelp.dll" nocase
+ condition:
+ all of them
+}
+
+rule antisb_sandboxie : AntiVM {
+ meta:
+ author = "x0r"
+ description = "Anti-Sandbox checks for Sandboxie"
+ version = "0.1"
+ strings:
+ $f1 = "SbieDLL.dll" nocase
+ condition:
+ all of them
+}
+
+rule antisb_cwsandbox : AntiVM {
+ meta:
+ author = "x0r"
+ description = "Anti-Sandbox checks for CWSandbox"
+ version = "0.1"
+ strings:
+ $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
+ $s1 = "76487-644-3177037-23510"
+ condition:
+ all of them
+}
+
+rule antivm_virtualbox : AntiVM {
+ meta:
+ author = "x0r"
+ description = "AntiVM checks for VirtualBox"
+ version = "0.1"
+ strings:
+ $s1 = "VBoxService.exe" nocase
+ condition:
+ any of them
+}
+
+rule antivm_vmware : AntiVM {
+ meta:
+ author = "x0r"
+ description = "AntiVM checks for VMWare"
+ version = "0.1"
+ strings:
+ $s1 = "vmware.exe" nocase
+ $s2 = "vmware-authd.exe" nocase
+ $s3 = "vmware-hostd.exe" nocase
+ $s4 = "vmware-tray.exe" nocase
+ $s5 = "vmware-vmx.exe" nocase
+ $s6 = "vmnetdhcp.exe" nocase
+ $s7 = "vpxclient.exe" nocase
+ $s8 = { b868584d56bb00000000b90a000000ba58560000ed }
+ condition:
+ any of them
+}
+
+rule antivm_bios : AntiVM{
+ meta:
+ author = "x0r"
+ description = "AntiVM checks for Bios version"
+ version = "0.2"
+ strings:
+ $p1 = "HARDWARE\\DESCRIPTION\\System" nocase
+ $p2 = "HARDWARE\\DESCRIPTION\\System\\BIOS" nocase
+ $c1 = "RegQueryValue"
+ $r1 = "SystemBiosVersion"
+ $r2 = "VideoBiosVersion"
+ $r3 = "SystemManufacturer"
+ condition:
+ 1 of ($p*) and 1 of ($c*) and 1 of ($r*)
+}
+
+rule disable_antivirus : DisableWindowsSecurity {
+ meta:
+ author = "x0r"
+ description = "Disable AntiVirus"
+ version = "0.2"
+ strings:
+ $p1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" nocase
+ $p2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" nocase
+ $p3 = "SOFTWARE\\Policies\\Microsoft\\Windows Defender" nocase
+ $c1 = "RegSetValue"
+ $r1 = "AntiVirusDisableNotify"
+ $r2 = "DontReportInfectionInformation"
+ $r3 = "DisableAntiSpyware"
+ $r4 = "RunInvalidSignatures"
+ $r5 = "AntiVirusOverride"
+ $r6 = "CheckExeSignatures"
+ $f1 = "blackd.exe" nocase
+ $f2 = "blackice.exe" nocase
+ $f3 = "lockdown.exe" nocase
+ $f4 = "lockdown2000.exe" nocase
+ $f5 = "taskkill.exe" nocase
+ $f6 = "tskill.exe" nocase
+ $f7 = "smc.exe" nocase
+ $f8 = "sniffem.exe" nocase
+ $f9 = "zapro.exe" nocase
+ $f10 = "zlclient.exe" nocase
+ $f11 = "zonealarm.exe" nocase
+ condition:
+ ($c1 and $p1 and 1 of ($f*)) or ($c1 and $p2) or 1 of ($r*) or $p3
+}
+
+rule disable_uax : DisableWindowsSecurity {
+ meta:
+ author = "x0r"
+ description = "Disable User Access Control"
+ version = "0.1"
+ strings:
+ $p1 = "SOFTWARE\\Microsoft\\Security Center" nocase
+ $r1 = "UACDisableNotify"
+ condition:
+ all of them
+}
+
+rule disable_firewall : DisableWindowsSecurity {
+ meta:
+ author = "x0r"
+ description = "Disable Firewall"
+ version = "0.1"
+ strings:
+ $p1 = "SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy" nocase
+ $c1 = "RegSetValue"
+ $r1 = "FirewallPolicy"
+ $r2 = "EnableFirewall"
+ $r3 = "FirewallDisableNotify"
+ $s1 = "netsh firewall add allowedprogram"
+ condition:
+ (1 of ($p*) and $c1 and 1 of ($r*)) or $s1
+}
+
+rule disable_registry : DisableWindowsSecurity {
+ meta:
+ author = "x0r"
+ description = "Disable Registry editor"
+ version = "0.1"
+ strings:
+ $p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
+ $c1 = "RegSetValue"
+ $r1 = "DisableRegistryTools"
+ $r2 = "DisableRegedit"
+ condition:
+ 1 of ($p*) and $c1 and 1 of ($r*)
+}
+
+rule disable_dep : DisableWindowsSecurity {
+ meta:
+ author = "x0r"
+ description = "Bypass DEP"
+ version = "0.1"
+ strings:
+ $c1 = "EnableExecuteProtectionSupport"
+ $c2 = "NtSetInformationProcess"
+ $c3 = "VirtualProctectEx"
+ $c4 = "SetProcessDEPPolicy"
+ $c5 = "ZwProtectVirtualMemory"
+ condition:
+ any of them
+}
+
+rule disable_taskmanager : DisableWindowsSecurity {
+ meta:
+ author = "x0r"
+ description = "Disable Task Manager"
+ version = "0.1"
+ strings:
+ $p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" nocase
+ $r1 = "DisableTaskMgr"
+ condition:
+ 1 of ($p*) and 1 of ($r*)
+}
+
+rule inject_thread : ProcessInjection {
+ meta:
+ author = "x0r"
+ description = "Code injection with CreateRemoteThread in a remote process"
+ version = "0.1"
+ strings:
+ $c1 = "OpenProcess"
+ $c2 = "VirtualAllocEx"
+ $c3 = "NtWriteVirtualMemory"
+ $c4 = "WriteProcessMemory"
+ $c5 = "CreateRemoteThread"
+ $c6 = "CreateThread"
+ $c7 = "OpenProcess"
+ condition:
+ $c1 and $c2 and ( $c3 or $c4 ) and ( $c5 or $c6 or $c7 )
+}
+// Issue #101 - Commented because of High FP rate
+/*
+rule create_process {
+ meta:
+ author = "x0r"
+ description = "Create a new process"
+ version = "0.2"
+ strings:
+ $f1 = "Shell32.dll" nocase
+ $f2 = "Kernel32.dll" nocase
+ $c1 = "ShellExecute"
+ $c2 = "WinExec"
+ $c3 = "CreateProcess"
+ $c4 = "CreateThread"
+ condition:
+ ($f1 and $c1 ) or $f2 and ($c2 or $c3 or $c4)
+}
+*/
+
+// Issue #101 - Commented because of High FP rate
+/*
+rule persistence {
+ meta:
+ author = "x0r"
+ description = "Install itself for autorun at Windows startup"
+ version = "0.1"
+ strings:
+ $p1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" nocase
+ $p2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase
+ $p3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" nocase
+ $p4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" nocase
+ $p5 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" nocase
+ $p6 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" nocase
+ $p7 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\" nocase
+ $p8 = "SOFTWARE\\Microsoft\\WindowsNT\\CurrentVersion\\Windows" nocase
+ $p9 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler" nocase
+ $p10 = "comfile\\shell\\open\\command" nocase
+ $p11 = "piffile\\shell\\open\\command" nocase
+ $p12 = "exefile\\shell\\open\\command" nocase
+ $p13 = "txtfile\\shell\\open\\command" nocase
+ $p14 = "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
+ $f1 = "win.ini" nocase
+ $f2 = "system.ini" nocase
+ $f3 = "Start Menu\\Programs\\Startup" nocase
+ condition:
+ any of them
+}
+*/
+
+rule hijack_network : ModifySystem {
+ meta:
+ author = "x0r"
+ description = "Hijack network configuration"
+ version = "0.1"
+ strings:
+ $p1 = "SOFTWARE\\Classes\\PROTOCOLS\\Handler" nocase
+ $p2 = "SOFTWARE\\Classes\\PROTOCOLS\\Filter" nocase
+ $p3 = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer" nocase
+ $p4 = "software\\microsoft\\windows\\currentversion\\internet settings\\proxyenable" nocase
+ $f1 = "drivers\\etc\\hosts" nocase
+ condition:
+ any of them
+}
+
+rule create_service : ModifySystem {
+ meta:
+ author = "x0r"
+ description = "Create a windows service"
+ version = "0.2"
+ strings:
+ $f1 = "Advapi32.dll" nocase
+ $c1 = "CreateService"
+ $c2 = "ControlService"
+ $c3 = "StartService"
+ $c4 = "QueryServiceStatus"
+ condition:
+ all of them
+}
+
+rule create_com_service : ModifySystem {
+ meta:
+ author = "x0r"
+ description = "Create a COM server"
+ version = "0.1"
+ strings:
+ $c1 = "DllCanUnloadNow" nocase
+ $c2 = "DllGetClassObject"
+ $c3 = "DllInstall"
+ $c4 = "DllRegisterServer"
+ $c5 = "DllUnregisterServer"
+ condition:
+ all of them
+}
+
+rule network_udp_sock : NetworkCommunication {
+ meta:
+ author = "x0r"
+ description = "Communications over UDP network"
+ version = "0.1"
+ strings:
+ $f1 = 
"Ws2_32.dll" nocase + $f2 = "System.Net" nocase + $f3 = "wsock32.dll" nocase + $c0 = "WSAStartup" + $c1 = "sendto" + $c2 = "recvfrom" + $c3 = "WSASendTo" + $c4 = "WSARecvFrom" + $c5 = "UdpClient" + condition: + (($f1 or $f3) and 2 of ($c*)) or ($f2 and $c5) +} + +rule network_tcp_listen : NetworkCommunication { + meta: + author = "x0r" + description = "Listen for incoming communication" + version = "0.1" + strings: + $f1 = "Ws2_32.dll" nocase + $f2 = "Mswsock.dll" nocase + $f3 = "System.Net" nocase + $f4 = "wsock32.dll" nocase + $c1 = "bind" + $c2 = "accept" + $c3 = "GetAcceptExSockaddrs" + $c4 = "AcceptEx" + $c5 = "WSAStartup" + $c6 = "WSAAccept" + $c7 = "WSASocket" + $c8 = "TcpListener" + $c9 = "AcceptTcpClient" + $c10 = "listen" + condition: + 1 of ($f*) and 2 of ($c*) +} + +rule network_dyndns : NetworkCommunication { + meta: + author = "x0r" + description = "Communications dyndns network" + version = "0.1" + strings: + $s1 =".no-ip.org" + $s2 =".publicvm.com" + $s3 =".linkpc.net" + $s4 =".dynu.com" + $s5 =".dynu.net" + $s6 =".afraid.org" + $s7 =".chickenkiller.com" + $s8 =".crabdance.com" + $s9 =".ignorelist.com" + $s10 =".jumpingcrab.com" + $s11 =".moo.com" + $s12 =".strangled.com" + $s13 =".twillightparadox.com" + $s14 =".us.to" + $s15 =".strangled.net" + $s16 =".info.tm" + $s17 =".homenet.org" + $s18 =".biz.tm" + $s19 =".continent.kz" + $s20 =".ax.lt" + $s21 =".system-ns.com" + $s22 =".adultdns.com" + $s23 =".craftx.biz" + $s24 =".ddns01.com" + $s25 =".dns53.biz" + $s26 =".dnsapi.info" + $s27 =".dnsd.info" + $s28 =".dnsdynamic.com" + $s29 =".dnsdynamic.net" + $s30 =".dnsget.org" + $s31 =".fe100.net" + $s32 =".flashserv.net" + $s33 =".ftp21.net" + condition: + any of them +} + +rule network_toredo : NetworkCommunication { + meta: + author = "x0r" + description = "Communications over Toredo network" + version = "0.1" + strings: + $f1 = "FirewallAPI.dll" nocase + $p1 = "\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Interfaces\\" nocase + condition: + all 
of them +} + +rule network_smtp_dotNet : NetworkCommunication { + meta: + author = "x0r" + description = "Communications smtp" + version = "0.1" + strings: + $f1 = "System.Net.Mail" nocase + $p1 = "SmtpClient" nocase + condition: + all of them +} + +rule network_smtp_raw : NetworkCommunication { + meta: + author = "x0r" + description = "Communications smtp" + version = "0.1" + strings: + $s1 = "MAIL FROM:" nocase + $s2 = "RCPT TO:" nocase + condition: + all of them +} + +rule network_smtp_vb : NetworkCommunication { + meta: + author = "x0r" + description = "Communications smtp" + version = "0.1" + strings: + $c1 = "CDO.Message" nocase + $c2 = "cdoSMTPServer" nocase + $c3 = "cdoSendUsingMethod" nocase + $c4 = "cdoex.dll" nocase + $c5 = "/cdo/configuration/smtpserver" nocase + condition: + any of them +} + +rule network_p2p_win : NetworkCommunication { + meta: + author = "x0r" + description = "Communications over P2P network" + version = "0.1" + strings: + $c1 = "PeerCollabExportContact" + $c2 = "PeerCollabGetApplicationRegistrationInfo" + $c3 = "PeerCollabGetEndpointName" + $c4 = "PeerCollabGetEventData" + $c5 = "PeerCollabGetInvitationResponse" + $c6 = "PeerCollabGetPresenceInfo" + $c7 = "PeerCollabGetSigninOptions" + $c8 = "PeerCollabInviteContact" + $c9 = "PeerCollabInviteEndpoint" + $c10 = "PeerCollabParseContact" + $c11 = "PeerCollabQueryContactData" + $c12 = "PeerCollabRefreshEndpointData" + $c13 = "PeerCollabRegisterApplication" + $c14 = "PeerCollabRegisterEvent" + $c15 = "PeerCollabSetEndpointName" + $c16 = "PeerCollabSetObject" + $c17 = "PeerCollabSetPresenceInfo" + $c18 = "PeerCollabSignout" + $c19 = "PeerCollabUnregisterApplication" + $c20 = "PeerCollabUpdateContact" + condition: + 5 of them +} + +rule network_tor : NetworkCommunication { + meta: + author = "x0r" + description = "Communications over TOR network" + version = "0.1" + strings: + $p1 = "tor\\hidden_service\\private_key" nocase + $p2 = "tor\\hidden_service\\hostname" nocase + $p3 = "tor\\lock" 
nocase + $p4 = "tor\\state" nocase + condition: + any of them +} +rule network_irc : NetworkCommunication { + meta: + author = "x0r" + description = "Communications over IRC network" + version = "0.1" + strings: + $s1 = "NICK" + $s2 = "PING" + $s3 = "JOIN" + $s4 = "USER" + $s5 = "PRIVMSG" + condition: + all of them +} + +rule network_http : NetworkCommunication { + meta: + author = "x0r" + description = "Communications over HTTP" + version = "0.1" + strings: + $f1 = "wininet.dll" nocase + $c1 = "InternetConnect" + $c2 = "InternetOpen" + $c3 = "InternetOpenUrl" + $c4 = "InternetReadFile" + $c5 = "InternetWriteFile" + $c6 = "HttpOpenRequest" + $c7 = "HttpSendRequest" + $c8 = "IdHTTPHeaderInfo" + condition: + $f1 and $c1 and ($c2 or $c3) and ($c4 or $c5 or $c6 or $c7 or $c8) +} + +rule network_dropper : NetworkCommunication { + meta: + author = "x0r" + description = "File downloader/dropper" + version = "0.1" + strings: + $f1 = "urlmon.dll" nocase + $c1 = "URLDownloadToFile" + $c2 = "URLDownloadToCacheFile" + $c3 = "URLOpenStream" + $c4 = "URLOpenPullStream" + condition: + $f1 and 1 of ($c*) +} + +rule network_ftp : NetworkCommunication { + meta: + author = "x0r" + description = "Communications over FTP" + version = "0.1" + strings: + $f1 = "Wininet.dll" nocase + $c1 = "FtpGetCurrentDirectory" + $c2 = "FtpGetFile" + $c3 = "FtpPutFile" + $c4 = "FtpSetCurrentDirectory" + $c5 = "FtpOpenFile" + $c6 = "FtpGetFileSize" + $c7 = "FtpDeleteFile" + $c8 = "FtpCreateDirectory" + $c9 = "FtpRemoveDirectory" + $c10 = "FtpRenameFile" + $c11 = "FtpDownload" + $c12 = "FtpUpload" + $c13 = "FtpGetDirectory" + condition: + $f1 and (4 of ($c*)) +} + +rule network_tcp_socket : NetworkCommunication { + meta: + author = "x0r" + description = "Communications over RAW socket" + version = "0.1" + strings: + $f1 = "Ws2_32.dll" nocase + $f2 = "wsock32.dll" nocase + $c1 = "WSASocket" + $c2 = "socket" + $c3 = "send" + $c4 = "WSASend" + $c5 = "WSAConnect" + $c6 = "connect" + $c7 = "WSAStartup" + $c8 
= "closesocket" + $c9 = "WSACleanup" + condition: + 1 of ($f*) and 2 of ($c*) +} + +rule network_dns : NetworkCommunication { + meta: + author = "x0r" + description = "Communications use DNS" + version = "0.1" + strings: + $f1 = "System.Net" + $f2 = "Ws2_32.dll" nocase + $f3 = "Dnsapi.dll" nocase + $f4 = "wsock32.dll" nocase + $c2 = "GetHostEntry" + $c3 = "getaddrinfo" + $c4 = "gethostbyname" + $c5 = "WSAAsyncGetHostByName" + $c6 = "DnsQuery" + condition: + 1 of ($f*) and 1 of ($c*) +} + +rule network_ssl : NetworkCommunication { + meta: + author = "x0r" + description = "Communications over SSL" + version = "0.1" + strings: + $f1 = "ssleay32.dll" nocase + $f2 = "libeay32.dll" nocase + $f3 = "libssl32.dll" nocase + $c1 = "IdSSLOpenSSL" nocase + condition: + any of them +} + +rule network_dga : NetworkCommunication { + meta: + author = "x0r" + description = "Communication using dga" + version = "0.1" + strings: + $dll1 = "Advapi32.dll" nocase + $dll2 = "wininet.dll" nocase + $dll3 = "Crypt32.dll" nocase + $time1 = "SystemTimeToFileTime" + $time2 = "GetSystemTime" + $time3 = "GetSystemTimeAsFileTime" + $hash1 = "CryptCreateHash" + $hash2 = "CryptAcquireContext" + $hash3 = "CryptHashData" + $net1 = "InternetOpen" + $net2 = "InternetOpenUrl" + $net3 = "gethostbyname" + $net4 = "getaddrinfo" + condition: + all of ($dll*) and 1 of ($time*) and 1 of ($hash*) and 1 of ($net*) +} + + +rule bitcoin : SuspiciousActivity { + meta: + author = "x0r" + description = "Perform crypto currency mining" + version = "0.1" + strings: + $f1 = "OpenCL.dll" nocase + $f2 = "nvcuda.dll" nocase + $f3 = "opengl32.dll" nocase + $s1 = "cpuminer 2.2.2X-Mining-Extensions" + $s2 = "cpuminer 2.2.3X-Mining-Extensions" + $s3 = "Ufasoft bitcoin-miner/0.20" + $s4 = "bitcoin" nocase + $s5 = "stratum" nocase + condition: + 1 of ($f*) and 1 of ($s*) +} + +rule certificate : SuspiciousActivity { + meta: + author = "x0r" + description = "Inject certificate in store" + version = "0.1" + strings: + $f1 = 
"Crypt32.dll" nocase + $r1 = "software\\microsoft\\systemcertificates\\spc\\certificates" nocase + $c1 = "CertOpenSystemStore" + condition: + all of them +} + +rule escalate_priv : SuspiciousActivity { + meta: + author = "x0r" + description = "Escalade priviledges" + version = "0.1" + strings: + $d1 = "Advapi32.dll" nocase + $c1 = "SeDebugPrivilege" + $c2 = "AdjustTokenPrivileges" + condition: + 1 of ($d*) and 1 of ($c*) +} + +rule screenshot : SuspiciousActivity { + meta: + author = "x0r" + description = "Take screenshot" + version = "0.1" + strings: + $d1 = "Gdi32.dll" nocase + $d2 = "User32.dll" nocase + $c1 = "BitBlt" + $c2 = "GetDC" + condition: + 1 of ($d*) and 1 of ($c*) +} + +rule lookupip : SuspiciousActivity { + meta: + author = "x0r" + description = "Lookup external IP" + version = "0.1" + strings: + $n1 = "checkip.dyndns.org" nocase + $n2 = "whatismyip.org" nocase + $n3 = "whatsmyipaddress.com" nocase + $n4 = "getmyip.org" nocase + $n5 = "getmyip.co.uk" nocase + condition: + any of them +} + +rule dyndns : SuspiciousActivity { + meta: + author = "x0r" + description = "Dynamic DNS" + version = "0.1" + strings: + $s1 = "SOFTWARE\\Vitalwerks\\DUC" nocase + condition: + any of them +} + +rule lookupgeo : SuspiciousActivity { + meta: + author = "x0r" + description = "Lookup Geolocation" + version = "0.1" + strings: + $n1 = "j.maxmind.com" nocase + condition: + any of them +} + +rule keylogger : SuspiciousActivity { + meta: + author = "x0r" + description = "Run a keylogger" + version = "0.1" + strings: + $f1 = "User32.dll" nocase + $c1 = "GetAsyncKeyState" + $c2 = "GetKeyState" + $c3 = "MapVirtualKey" + $c4 = "GetKeyboardType" + condition: + $f1 and 1 of ($c*) +} + +rule cred_local : SuspiciousActivity { + meta: + author = "x0r" + description = "Steal credential" + version = "0.1" + strings: + $c1 = "LsaEnumerateLogonSessions" + $c2 = "SamIConnect" + $c3 = "SamIGetPrivateData" + $c4 = "SamQueryInformationUse" + $c5 = "CredEnumerateA" + $c6 = "CredEnumerateW" 
+ $r1 = "software\\microsoft\\internet account manager" nocase + $r2 = "software\\microsoft\\identitycrl\\creds" nocase + $r3 = "Security\\Policy\\Secrets" + condition: + any of them +} + + +rule sniff_audio : SuspiciousActivity { + meta: + author = "x0r" + description = "Record Audio" + version = "0.1" + strings: + $f1 = "winmm.dll" nocase + $c1 = "waveInStart" + $c2 = "waveInReset" + $c3 = "waveInAddBuffer" + $c4 = "waveInOpen" + $c5 = "waveInClose" + condition: + $f1 and 2 of ($c*) +} + +rule cred_ff : SuspiciousActivity { + meta: + author = "x0r" + description = "Steal Firefox credential" + version = "0.1" + strings: + $f1 = "signons.sqlite" + $f2 = "signons3.txt" + $f3 = "secmod.db" + $f4 = "cert8.db" + $f5 = "key3.db" + condition: + any of them +} + +rule cred_vnc : SuspiciousActivity { + meta: + author = "x0r" + description = "Steal VNC credential" + version = "0.1" + strings: + $s1 = "VNCPassView" + condition: + all of them +} + +rule cred_ie7 : SuspiciousActivity { + meta: + author = "x0r" + description = "Steal IE 7 credential" + version = "0.1" + strings: + $f1 = "Crypt32.dll" nocase + $c1 = "CryptUnprotectData" + $s1 = "abe2869f-9b47-4cd9-a358-c22904dba7f7" nocase + condition: + all of them +} + +rule sniff_lan : SuspiciousActivity { + meta: + author = "x0r" + description = "Sniff Lan network traffic" + version = "0.1" + strings: + $f1 = "packet.dll" nocase + $f2 = "npf.sys" nocase + $f3 = "wpcap.dll" nocase + $f4 = "winpcap.dll" nocase + condition: + any of them +} + +rule migrate_apc : SuspiciousActivity { + meta: + author = "x0r" + description = "APC queue tasks migration" + version = "0.1" + strings: + $c1 = "OpenThread" + $c2 = "QueueUserAPC" + condition: + all of them +} + +rule spreading_file : SuspiciousActivity { + meta: + author = "x0r" + description = "Malware can spread east-west file" + version = "0.1" + strings: + $f1 = "autorun.inf" nocase + $f2 = "desktop.ini" nocase + $f3 = "desktop.lnk" nocase + condition: + any of them +} + +rule 
spreading_share : SuspiciousActivity { + meta: + author = "x0r" + description = "Malware can spread east-west using share drive" + version = "0.1" + strings: + $f1 = "netapi32.dll" nocase + $c1 = "NetShareGetInfo" + $c2 = "NetShareEnum" + condition: + $f1 and 1 of ($c*) +} + +rule rat_vnc : SuspiciousActivity { + meta: + author = "x0r" + description = "Remote Administration toolkit VNC" + version = "0.1" + strings: + $f1 = "ultravnc.ini" nocase + $c2 = "StartVNC" + $c3 = "StopVNC" + condition: + any of them +} + +rule rat_rdp : SuspiciousActivity { + meta: + author = "x0r" + description = "Remote Administration toolkit enable RDP" + version = "0.1" + strings: + $p1 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server" nocase + $p2 = "software\\microsoft\\windows nt\\currentversion\\terminal server" nocase + $p3 = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" nocase + $r1 = "EnableAdminTSRemote" + $c1 = "net start termservice" + $c2 = "sc config termservice start" + condition: + any of them +} + +rule rat_telnet : SuspiciousActivity { + meta: + author = "x0r" + description = "Remote Administration toolkit enable Telnet" + version = "0.1" + strings: + $r1 = "software\\microsoft\\telnetserver" nocase + condition: + any of them +} + + +rule rat_webcam : SuspiciousActivity { + meta: + author = "x0r" + description = "Remote Administration toolkit using webcam" + version = "0.1" + strings: + $f1 = "avicap32.dll" nocase + $c1 = "capCreateCaptureWindow" nocase + condition: + all of them +} + +rule check_patchlevel : SuspiciousActivity { + meta: + author = "x0r" + description = "Check if hotfix are applied" + version = "0.1" + strings: + $p1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Hotfix" nocase + condition: + any of them +} + +rule win_mutex : GenericActivity { + meta: + author = "x0r" + description = "Create or check mutex" + version = "0.1" + strings: + $c1 = "CreateMutex" + condition: + 1 of ($c*) +} + +rule win_registry : 
GenericActivity { + meta: + author = "x0r" + description = "Affect system registries" + version = "0.1" + strings: + $f1 = "advapi32.dll" nocase + $c1 = "RegQueryValueExA" + $c2 = "RegOpenKeyExA" + $c3 = "RegCloseKey" + $c4 = "RegSetValueExA" + $c5 = "RegCreateKeyA" + $c6 = "RegCloseKey" + condition: + $f1 and 1 of ($c*) +} + +rule win_token : SuspiciousActivity { + meta: + author = "x0r" + description = "Affect system token" + version = "0.1" + strings: + $f1 = "advapi32.dll" nocase + $c1 = "DuplicateTokenEx" + $c2 = "AdjustTokenPrivileges" + $c3 = "OpenProcessToken" + $c4 = "LookupPrivilegeValueA" + condition: + $f1 and 1 of ($c*) +} + +rule win_private_profile : SuspiciousActivity { + meta: + author = "x0r" + description = "Affect private profile" + version = "0.1" + strings: + $f1 = "kernel32.dll" nocase + $c1 = "GetPrivateProfileIntA" + $c2 = "GetPrivateProfileStringA" + $c3 = "WritePrivateProfileStringA" + condition: + $f1 and 1 of ($c*) +} + +rule win_files_operation : GenericActivity { + meta: + author = "x0r" + description = "Affect private profile" + version = "0.1" + strings: + $f1 = "kernel32.dll" nocase + $c1 = "WriteFile" + $c2 = "SetFilePointer" + $c3 = "WriteFile" + $c4 = "ReadFile" + $c5 = "DeleteFileA" + $c6 = "CreateFileA" + $c7 = "FindFirstFileA" + $c8 = "MoveFileExA" + $c9 = "FindClose" + $c10 = "SetFileAttributesA" + $c11 = "CopyFile" + + condition: + $f1 and 3 of ($c*) +} + + +rule win_hook : SuspiciousActivity { + meta: + author = "x0r" + description = "Affect hook table" + version = "0.1" + strings: + $f1 = "user32.dll" nocase + $c1 = "UnhookWindowsHookEx" + $c2 = "SetWindowsHookExA" + $c3 = "CallNextHookEx" + condition: + $f1 and 1 of ($c*) +} +rule vmdetect_misc : AntiVM +{ + meta: + author = "@abhinavbom" + maltype = "NA" + version = "0.1" + date = "31/10/2015" + description = "Following Rule is referenced from AlienVault's Yara rule repository.This rule contains additional processes and driver names." 
+ strings:
+ $vbox1 = "VBoxService" nocase ascii wide
+ $vbox2 = "VBoxTray" nocase ascii wide
+ $vbox3 = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase ascii wide
+ $vbox4 = "SOFTWARE\\\\Oracle\\\\VirtualBox Guest Additions" nocase ascii wide
+
+ $wine1 = "wine_get_unix_file_name" ascii wide
+
+ $vmware1 = "vmmouse.sys" ascii wide
+ $vmware2 = "VMware Virtual IDE Hard Drive" ascii wide
+
+ $miscvm1 = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum" nocase ascii wide
+ $miscvm2 = "SYSTEM\\\\ControlSet001\\\\Services\\\\Disk\\\\Enum" nocase ascii wide
+
+ // Drivers
+ $vmdrv1 = "hgfs.sys" ascii wide
+ $vmdrv2 = "vmhgfs.sys" ascii wide
+ $vmdrv3 = "prleth.sys" ascii wide
+ $vmdrv4 = "prlfs.sys" ascii wide
+ $vmdrv5 = "prlmouse.sys" ascii wide
+ $vmdrv6 = "prlvideo.sys" ascii wide
+ $vmdrv7 = "prl_pv32.sys" ascii wide
+ $vmdrv8 = "vpc-s3.sys" ascii wide
+ $vmdrv9 = "vmsrvc.sys" ascii wide
+ $vmdrv10 = "vmx86.sys" ascii wide
+ $vmdrv11 = "vmnet.sys" ascii wide
+
+ // SYSTEM\ControlSet001\Services
+ $vmsrvc1 = "vmicheartbeat" ascii wide
+ $vmsrvc2 = "vmicvss" ascii wide
+ $vmsrvc3 = "vmicshutdown" ascii wide
+ $vmsrvc4 = "vmicexchange" ascii wide
+ $vmsrvc5 = "vmci" ascii wide
+ $vmsrvc6 = "vmdebug" ascii wide
+ $vmsrvc7 = "vmmouse" ascii wide
+ $vmsrvc8 = "VMTools" ascii wide
+ $vmsrvc9 = "VMMEMCTL" ascii wide
+ $vmsrvc10 = "vmware" ascii wide
+ $vmsrvc11 = "vmx86" ascii wide
+ $vmsrvc12 = "vpcbus" ascii wide
+ $vmsrvc13 = "vpc-s3" ascii wide
+ $vmsrvc14 = "vpcuhub" ascii wide
+ $vmsrvc15 = "msvmmouf" ascii wide
+ $vmsrvc16 = "VBoxMouse" ascii wide
+ $vmsrvc17 = "VBoxGuest" ascii wide
+ $vmsrvc18 = "VBoxSF" ascii wide
+ $vmsrvc19 = "xenevtchn" ascii wide
+ $vmsrvc20 = "xennet" ascii wide
+ $vmsrvc21 = "xennet6" ascii wide
+ $vmsrvc22 = "xensvc" ascii wide
+ $vmsrvc23 = "xenvdb" ascii wide
+
+ // Processes
+ $miscproc1 = "vmware2" ascii wide
+ $miscproc2 = "vmount2" ascii wide
+ $miscproc3 = "vmusrvc" ascii wide
+ $miscproc4 = "vmsrvc" ascii wide
+ $miscproc5 = "vboxservice" ascii wide
+ $miscproc6 = "vboxtray" ascii wide
+ $miscproc7 = "xenservice" ascii wide
+
+ $vmware_mac_1a = "00-05-69"
+ $vmware_mac_1b = "00:05:69"
+ $vmware_mac_2a = "00-50-56"
+ $vmware_mac_2b = "00:50:56"
+ $vmware_mac_3a = "00-0C-29"
+ $vmware_mac_3b = "00:0C:29"
+ $vmware_mac_4a = "00-1C-14"
+ $vmware_mac_4b = "00:1C:14"
+ $virtualbox_mac_1a = "08-00-27"
+ $virtualbox_mac_1b = "08:00:27"
+
+ condition:
+ 2 of them
+}
diff --git a/yara_sigs/strings/base64.yar b/yara_sigs/strings/base64.yar
new file mode 100644
index 0000000..a5fe55f
--- /dev/null
+++ b/yara_sigs/strings/base64.yar
@@ -0,0 +1,17 @@
+
+/*
+ This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+
+*/
+rule contentis_base64 : Base64
+{
+ meta:
+ author = "Jaume Martin"
+ description = "This rule finds for base64 strings"
+ version = "0.2"
+ notes = "https://github.com/Yara-Rules/rules/issues/153"
+ strings:
+ $a = /([A-Za-z0-9+\/]{4}){3,}([A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?/
+ condition:
+ $a
+}
diff --git a/yara_sigs/strings/ip.yar b/yara_sigs/strings/ip.yar
new file mode 100644
index 0000000..07e3011
--- /dev/null
+++ b/yara_sigs/strings/ip.yar
@@ -0,0 +1,13 @@
+/*
+ This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+ long as you use it under this license.
+*/
+
+rule IP : SuspiciousStrings {
+ meta:
+ author = "Antonio S. "
+ strings:
+ $ip = /([0-9]{1,3}\.){3}[0-9]{1,3}/ wide ascii
+ condition:
+ $ip
+}
diff --git a/yara_sigs/strings/suspicious.yar b/yara_sigs/strings/suspicious.yar
new file mode 100644
index 0000000..1f545a7
--- /dev/null
+++ b/yara_sigs/strings/suspicious.yar
@@ -0,0 +1,617 @@
+/*
+ This file is part of Manalyze.
+
+ Manalyze is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ Manalyze is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with Manalyze. If not, see .
+*/
+
+rule System_Tools : SuspiciousStrings
+{
+ meta:
+ description = "Contains references to system / monitoring tools"
+ author = "Ivan Kwiatkowski (@JusticeRage)"
+ strings:
+ $a0 = "wireshark.exe" nocase wide ascii
+ $a1 = "ethereal.exe" nocase wide ascii
+ $a2 = "netstat.exe" nocase wide ascii
+ $a3 = /taskm(an|gr|on).exe/ nocase wide ascii
+ $a4 = /regedit(32)?.exe/ nocase wide ascii
+ $a5 = "sc.exe" nocase wide ascii
+ $a6 = "procexp.exe" nocase wide ascii
+ $a7 = "procmon.exe" nocase wide ascii
+ $a8 = "netmon.exe" nocase wide ascii
+ $a9 = "regmon.exe" nocase wide ascii
+ $a10 = "filemon.exe" nocase wide ascii
+ $a11 = "msconfig.exe" nocase wide ascii
+ $a12 = "vssadmin.exe" nocase wide ascii
+ $a13 = "bcdedit.exe" nocase wide ascii
+ $a14 = "dumpcap.exe" nocase wide ascii
+ $a15 = "tcpdump.exe" nocase wide ascii
+ $a16 = "mshta.exe" nocase wide ascii // Used by DUBNIUM to download files
+ $a17 = "control.exe" nocase wide ascii // Used by EquationGroup to launch DLLs
+ $a18 = "regsvr32.exe" nocase wide ascii
+ $a19 = "rundll32.exe" nocase wide ascii
+
+ condition:
+ any of them
+}
+
+rule Browsers : SuspiciousStrings
+{
+ meta:
+ description = "Contains references to internet browsers"
+ author = "Ivan Kwiatkowski (@JusticeRage)"
+ strings:
+ $ie = "iexplore.exe" nocase wide ascii
+ $ff = "firefox.exe" nocase wide ascii
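Review bot: `$a` in contentis_base64 accepts any run of twelve or more characters from the base64 alphabet, which includes ordinary import names and identifiers, so with `condition: $a` the rule will match nearly every PE and the resulting "Base64" tag carries little signal for the ATT&CK mapping downstream. Raising the `{3,}` repeat count to demand a longer run, or making the padding group mandatory, would cut the noise; at minimum the `description` should state that this is a broad heuristic expected to fire on most files so consumers weight it accordingly. The issue linked in `notes` may already discuss this trade-off; the hunk does not show it.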
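Review bot: `$ip` in rule IP matches any four dot-separated groups of one to three digits, so octets above 255 and the four-part product version strings carried in most PE resource sections are reported as IP addresses, and without `fullword` a longer numeric run also matches. Adding `fullword` to the string and a `description` and `version` under `meta` (the other rules in this commit carry both) would bound the false positives and make the rule's intent visible in the report; `author = "Antonio S. "` also carries a trailing space. A regex that restricts each octet to 0-255 is possible but considerably longer, so documenting the limitation in `description` is the smaller change.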
+ $ff_key = "key3.db" + $ff_log = "signons.sqlite" + $chrome = "chrome.exe" nocase wide ascii + // TODO: Add user-agent strings + condition: + any of them +} + +rule RE_Tools : SuspiciousStrings +{ + meta: + description = "Contains references to debugging or reversing tools" + author = "Ivan Kwiatkowski (@JusticeRage)" + strings: + $a0 = /ida(q)?(64)?.exe/ nocase wide ascii + $a1 = "ImmunityDebugger.exe" nocase wide ascii + $a2 = "ollydbg.exe" nocase wide ascii + $a3 = "lordpe.exe" nocase wide ascii + $a4 = "peid.exe" nocase wide ascii + $a5 = "windbg.exe" nocase wide ascii + condition: + any of them +} + +rule Antivirus : SuspiciousStrings +{ + meta: + description = "Contains references to security software" + author = "Jerome Athias" + source = "Metasploit's killav.rb script" + + strings: + $a0 = "AAWTray.exe" nocase wide ascii + $a1 = "Ad-Aware.exe" nocase wide ascii + $a2 = "MSASCui.exe" nocase wide ascii + $a3 = "_avp32.exe" nocase wide ascii + $a4 = "_avpcc.exe" nocase wide ascii + $a5 = "_avpm.exe" nocase wide ascii + $a6 = "aAvgApi.exe" nocase wide ascii + $a7 = "ackwin32.exe" nocase wide ascii + $a8 = "adaware.exe" nocase wide ascii + $a9 = "advxdwin.exe" nocase wide ascii + $a10 = "agentsvr.exe" nocase wide ascii + $a11 = "agentw.exe" nocase wide ascii + $a12 = "alertsvc.exe" nocase wide ascii + $a13 = "alevir.exe" nocase wide ascii + $a14 = "alogserv.exe" nocase wide ascii + $a15 = "amon9x.exe" nocase wide ascii + $a16 = "anti-trojan.exe" nocase wide ascii + $a17 = "antivirus.exe" nocase wide ascii + $a18 = "ants.exe" nocase wide ascii + $a19 = "apimonitor.exe" nocase wide ascii + $a20 = "aplica32.exe" nocase wide ascii + $a21 = "apvxdwin.exe" nocase wide ascii + $a22 = "arr.exe" nocase wide ascii + $a23 = "atcon.exe" nocase wide ascii + $a24 = "atguard.exe" nocase wide ascii + $a25 = "atro55en.exe" nocase wide ascii + $a26 = "atupdater.exe" nocase wide ascii + $a27 = "atwatch.exe" nocase wide ascii + $a28 = "au.exe" nocase wide ascii + $a29 = 
"aupdate.exe" nocase wide ascii + $a31 = "autodown.exe" nocase wide ascii + $a32 = "autotrace.exe" nocase wide ascii + $a33 = "autoupdate.exe" nocase wide ascii + $a34 = "avconsol.exe" nocase wide ascii + $a35 = "ave32.exe" nocase wide ascii + $a36 = "avgcc32.exe" nocase wide ascii + $a37 = "avgctrl.exe" nocase wide ascii + $a38 = "avgemc.exe" nocase wide ascii + $a39 = "avgnt.exe" nocase wide ascii + $a40 = "avgrsx.exe" nocase wide ascii + $a41 = "avgserv.exe" nocase wide ascii + $a42 = "avgserv9.exe" nocase wide ascii + $a43 = /av(gui|guard|center|gtray|gidsagent|gwdsvc|grsa|gcsrva|gcsrvx).exe/ nocase wide ascii + $a44 = "avgw.exe" nocase wide ascii + $a45 = "avkpop.exe" nocase wide ascii + $a46 = "avkserv.exe" nocase wide ascii + $a47 = "avkservice.exe" nocase wide ascii + $a48 = "avkwctl9.exe" nocase wide ascii + $a49 = "avltmain.exe" nocase wide ascii + $a50 = "avnt.exe" nocase wide ascii + $a51 = "avp.exe" nocase wide ascii + $a52 = "avp.exe" nocase wide ascii + $a53 = "avp32.exe" nocase wide ascii + $a54 = "avpcc.exe" nocase wide ascii + $a55 = "avpdos32.exe" nocase wide ascii + $a56 = "avpm.exe" nocase wide ascii + $a57 = "avptc32.exe" nocase wide ascii + $a58 = "avpupd.exe" nocase wide ascii + $a59 = "avsched32.exe" nocase wide ascii + $a60 = "avsynmgr.exe" nocase wide ascii + $a61 = "avwin.exe" nocase wide ascii + $a62 = "avwin95.exe" nocase wide ascii + $a63 = "avwinnt.exe" nocase wide ascii + $a64 = "avwupd.exe" nocase wide ascii + $a65 = "avwupd32.exe" nocase wide ascii + $a66 = "avwupsrv.exe" nocase wide ascii + $a67 = "avxmonitor9x.exe" nocase wide ascii + $a68 = "avxmonitornt.exe" nocase wide ascii + $a69 = "avxquar.exe" nocase wide ascii + $a73 = "beagle.exe" nocase wide ascii + $a74 = "belt.exe" nocase wide ascii + $a75 = "bidef.exe" nocase wide ascii + $a76 = "bidserver.exe" nocase wide ascii + $a77 = "bipcp.exe" nocase wide ascii + $a79 = "bisp.exe" nocase wide ascii + $a80 = "blackd.exe" nocase wide ascii + $a81 = "blackice.exe" nocase wide 
ascii + $a82 = "blink.exe" nocase wide ascii + $a83 = "blss.exe" nocase wide ascii + $a84 = "bootconf.exe" nocase wide ascii + $a85 = "bootwarn.exe" nocase wide ascii + $a86 = "borg2.exe" nocase wide ascii + $a87 = "bpc.exe" nocase wide ascii + $a89 = "bs120.exe" nocase wide ascii + $a90 = "bundle.exe" nocase wide ascii + $a91 = "bvt.exe" nocase wide ascii + $a92 = "ccapp.exe" nocase wide ascii + $a93 = "ccevtmgr.exe" nocase wide ascii + $a94 = "ccpxysvc.exe" nocase wide ascii + $a95 = "cdp.exe" nocase wide ascii + $a96 = "cfd.exe" nocase wide ascii + $a97 = "cfgwiz.exe" nocase wide ascii + $a98 = "cfiadmin.exe" nocase wide ascii + $a99 = "cfiaudit.exe" nocase wide ascii + $a100 = "cfinet.exe" nocase wide ascii + $a101 = "cfinet32.exe" nocase wide ascii + $a102 = "claw95.exe" nocase wide ascii + $a103 = "claw95cf.exe" nocase wide ascii + $a104 = "clean.exe" nocase wide ascii + $a105 = "cleaner.exe" nocase wide ascii + $a106 = "cleaner3.exe" nocase wide ascii + $a107 = "cleanpc.exe" nocase wide ascii + $a108 = "click.exe" nocase wide ascii + $a111 = "cmesys.exe" nocase wide ascii + $a112 = "cmgrdian.exe" nocase wide ascii + $a113 = "cmon016.exe" nocase wide ascii + $a114 = "connectionmonitor.exe" nocase wide ascii + $a115 = "cpd.exe" nocase wide ascii + $a116 = "cpf9x206.exe" nocase wide ascii + $a117 = "cpfnt206.exe" nocase wide ascii + $a118 = "ctrl.exe" nocase wide ascii fullword + $a119 = "cv.exe" nocase wide ascii + $a120 = "cwnb181.exe" nocase wide ascii + $a121 = "cwntdwmo.exe" nocase wide ascii + $a123 = "dcomx.exe" nocase wide ascii + $a124 = "defalert.exe" nocase wide ascii + $a125 = "defscangui.exe" nocase wide ascii + $a126 = "defwatch.exe" nocase wide ascii + $a127 = "deputy.exe" nocase wide ascii + $a129 = "dllcache.exe" nocase wide ascii + $a130 = "dllreg.exe" nocase wide ascii + $a132 = "dpf.exe" nocase wide ascii + $a134 = "dpps2.exe" nocase wide ascii + $a135 = "drwatson.exe" nocase wide ascii + $a136 = "drweb32.exe" nocase wide ascii + $a137 = 
"drwebupw.exe" nocase wide ascii + $a138 = "dssagent.exe" nocase wide ascii + $a139 = "dvp95.exe" nocase wide ascii + $a140 = "dvp95_0.exe" nocase wide ascii + $a141 = "ecengine.exe" nocase wide ascii + $a142 = "efpeadm.exe" nocase wide ascii + $a143 = "emsw.exe" nocase wide ascii + $a145 = "esafe.exe" nocase wide ascii + $a146 = "escanhnt.exe" nocase wide ascii + $a147 = "escanv95.exe" nocase wide ascii + $a148 = "espwatch.exe" nocase wide ascii + $a150 = "etrustcipe.exe" nocase wide ascii + $a151 = "evpn.exe" nocase wide ascii + $a152 = "exantivirus-cnet.exe" nocase wide ascii + $a153 = "exe.avxw.exe" nocase wide ascii + $a154 = "expert.exe" nocase wide ascii + $a156 = "f-agnt95.exe" nocase wide ascii + $a157 = "f-prot.exe" nocase wide ascii + $a158 = "f-prot95.exe" nocase wide ascii + $a159 = "f-stopw.exe" nocase wide ascii + $a160 = "fameh32.exe" nocase wide ascii + $a161 = "fast.exe" nocase wide ascii + $a162 = "fch32.exe" nocase wide ascii + $a163 = "fih32.exe" nocase wide ascii + $a164 = "findviru.exe" nocase wide ascii + $a165 = "firewall.exe" nocase wide ascii + $a166 = "fnrb32.exe" nocase wide ascii + $a167 = "fp-win.exe" nocase wide ascii + $a169 = "fprot.exe" nocase wide ascii + $a170 = "frw.exe" nocase wide ascii + $a171 = "fsaa.exe" nocase wide ascii + $a172 = "fsav.exe" nocase wide ascii + $a173 = "fsav32.exe" nocase wide ascii + $a176 = "fsav95.exe" nocase wide ascii + $a177 = "fsgk32.exe" nocase wide ascii + $a178 = "fsm32.exe" nocase wide ascii + $a179 = "fsma32.exe" nocase wide ascii + $a180 = "fsmb32.exe" nocase wide ascii + $a181 = "gator.exe" nocase wide ascii + $a182 = "gbmenu.exe" nocase wide ascii + $a183 = "gbpoll.exe" nocase wide ascii + $a184 = "generics.exe" nocase wide ascii + $a185 = "gmt.exe" nocase wide ascii + $a186 = "guard.exe" nocase wide ascii + $a187 = "guarddog.exe" nocase wide ascii + $a189 = "hbinst.exe" nocase wide ascii + $a190 = "hbsrv.exe" nocase wide ascii + $a191 = "hotactio.exe" nocase wide ascii + $a192 = 
"hotpatch.exe" nocase wide ascii + $a193 = "htlog.exe" nocase wide ascii + $a194 = "htpatch.exe" nocase wide ascii + $a195 = "hwpe.exe" nocase wide ascii + $a196 = "hxdl.exe" nocase wide ascii + $a197 = "hxiul.exe" nocase wide ascii + $a198 = "iamapp.exe" nocase wide ascii + $a199 = "iamserv.exe" nocase wide ascii + $a200 = "iamstats.exe" nocase wide ascii + $a201 = "ibmasn.exe" nocase wide ascii + $a202 = "ibmavsp.exe" nocase wide ascii + $a203 = "icload95.exe" nocase wide ascii + $a204 = "icloadnt.exe" nocase wide ascii + $a205 = "icmon.exe" nocase wide ascii + $a206 = "icsupp95.exe" nocase wide ascii + $a207 = "icsuppnt.exe" nocase wide ascii + $a209 = "iedll.exe" nocase wide ascii + $a210 = "iedriver.exe" nocase wide ascii + $a212 = "iface.exe" nocase wide ascii + $a213 = "ifw2000.exe" nocase wide ascii + $a214 = "inetlnfo.exe" nocase wide ascii + $a215 = "infus.exe" nocase wide ascii + $a216 = "infwin.exe" nocase wide ascii + $a218 = "intdel.exe" nocase wide ascii + $a219 = "intren.exe" nocase wide ascii + $a220 = "iomon98.exe" nocase wide ascii + $a221 = "istsvc.exe" nocase wide ascii + $a222 = "jammer.exe" nocase wide ascii + $a224 = "jedi.exe" nocase wide ascii + $a227 = "kavpf.exe" nocase wide ascii + $a228 = "kazza.exe" nocase wide ascii + $a229 = "keenvalue.exe" nocase wide ascii + $a236 = "ldnetmon.exe" nocase wide ascii + $a237 = "ldpro.exe" nocase wide ascii + $a238 = "ldpromenu.exe" nocase wide ascii + $a239 = "ldscan.exe" nocase wide ascii + $a240 = "lnetinfo.exe" nocase wide ascii + $a242 = "localnet.exe" nocase wide ascii + $a243 = "lockdown.exe" nocase wide ascii + $a244 = "lockdown2000.exe" nocase wide ascii + $a245 = "lookout.exe" nocase wide ascii + $a248 = "luall.exe" nocase wide ascii + $a249 = "luau.exe" nocase wide ascii + $a250 = "lucomserver.exe" nocase wide ascii + $a251 = "luinit.exe" nocase wide ascii + $a252 = "luspt.exe" nocase wide ascii + $a253 = "mapisvc32.exe" nocase wide ascii + $a254 = "mcagent.exe" nocase wide ascii + $a255 = 
"mcmnhdlr.exe" nocase wide ascii + $a256 = "mcshield.exe" nocase wide ascii + $a257 = "mctool.exe" nocase wide ascii + $a258 = "mcupdate.exe" nocase wide ascii + $a259 = "mcvsrte.exe" nocase wide ascii + $a260 = "mcvsshld.exe" nocase wide ascii + $a262 = "mfin32.exe" nocase wide ascii + $a263 = "mfw2en.exe" nocase wide ascii + $a265 = "mgavrtcl.exe" nocase wide ascii + $a266 = "mgavrte.exe" nocase wide ascii + $a267 = "mghtml.exe" nocase wide ascii + $a268 = "mgui.exe" nocase wide ascii + $a269 = "minilog.exe" nocase wide ascii + $a270 = "mmod.exe" nocase wide ascii + $a271 = "monitor.exe" nocase wide ascii + $a272 = "moolive.exe" nocase wide ascii + $a273 = "mostat.exe" nocase wide ascii + $a274 = "mpfagent.exe" nocase wide ascii + $a275 = "mpfservice.exe" nocase wide ascii + $a276 = "mpftray.exe" nocase wide ascii + $a277 = "mrflux.exe" nocase wide ascii + $a278 = "msapp.exe" nocase wide ascii + $a279 = "msbb.exe" nocase wide ascii + $a280 = "msblast.exe" nocase wide ascii + $a281 = "mscache.exe" nocase wide ascii + $a282 = "msccn32.exe" nocase wide ascii + $a283 = "mscman.exe" nocase wide ascii + $a285 = "msdm.exe" nocase wide ascii + $a286 = "msdos.exe" nocase wide ascii + $a287 = "msiexec16.exe" nocase wide ascii + $a288 = "msinfo32.exe" nocase wide ascii + $a289 = "mslaugh.exe" nocase wide ascii + $a290 = "msmgt.exe" nocase wide ascii + $a291 = "msmsgri32.exe" nocase wide ascii + $a292 = "mssmmc32.exe" nocase wide ascii + $a293 = "mssys.exe" nocase wide ascii + $a294 = "msvxd.exe" nocase wide ascii + $a295 = "mu0311ad.exe" nocase wide ascii + $a296 = "mwatch.exe" nocase wide ascii + $a297 = "n32scanw.exe" nocase wide ascii + $a298 = "nav.exe" nocase wide ascii + $a300 = "navapsvc.exe" nocase wide ascii + $a301 = "navapw32.exe" nocase wide ascii + $a302 = "navdx.exe" nocase wide ascii + $a303 = "navlu32.exe" nocase wide ascii + $a304 = "navnt.exe" nocase wide ascii + $a305 = "navstub.exe" nocase wide ascii + $a306 = "navw32.exe" nocase wide ascii + $a307 = 
"navwnt.exe" nocase wide ascii + $a308 = "nc2000.exe" nocase wide ascii + $a309 = "ncinst4.exe" nocase wide ascii + $a310 = "ndd32.exe" nocase wide ascii + $a311 = "neomonitor.exe" nocase wide ascii + $a312 = "neowatchlog.exe" nocase wide ascii + $a313 = "netarmor.exe" nocase wide ascii + $a314 = "netd32.exe" nocase wide ascii + $a315 = "netinfo.exe" nocase wide ascii + $a317 = "netscanpro.exe" nocase wide ascii + $a320 = "netutils.exe" nocase wide ascii + $a321 = "nisserv.exe" nocase wide ascii + $a322 = "nisum.exe" nocase wide ascii + $a323 = "nmain.exe" nocase wide ascii + $a324 = "nod32.exe" nocase wide ascii + $a325 = "normist.exe" nocase wide ascii + $a327 = "notstart.exe" nocase wide ascii + $a329 = "npfmessenger.exe" nocase wide ascii + $a330 = "nprotect.exe" nocase wide ascii + $a331 = "npscheck.exe" nocase wide ascii + $a332 = "npssvc.exe" nocase wide ascii + $a333 = "nsched32.exe" nocase wide ascii + $a334 = "nssys32.exe" nocase wide ascii + $a335 = "nstask32.exe" nocase wide ascii + $a336 = "nsupdate.exe" nocase wide ascii + $a338 = "ntrtscan.exe" nocase wide ascii + $a340 = "ntxconfig.exe" nocase wide ascii + $a341 = "nui.exe" nocase wide ascii + $a342 = "nupgrade.exe" nocase wide ascii + $a343 = "nvarch16.exe" nocase wide ascii + $a344 = "nvc95.exe" nocase wide ascii + $a345 = "nvsvc32.exe" nocase wide ascii + $a346 = "nwinst4.exe" nocase wide ascii + $a347 = "nwservice.exe" nocase wide ascii + $a348 = "nwtool16.exe" nocase wide ascii + $a350 = "onsrvr.exe" nocase wide ascii + $a351 = "optimize.exe" nocase wide ascii + $a352 = "ostronet.exe" nocase wide ascii + $a353 = "otfix.exe" nocase wide ascii + $a354 = "outpost.exe" nocase wide ascii + $a360 = "pavcl.exe" nocase wide ascii + $a361 = "pavproxy.exe" nocase wide ascii + $a362 = "pavsched.exe" nocase wide ascii + $a363 = "pavw.exe" nocase wide ascii + $a364 = "pccwin98.exe" nocase wide ascii + $a365 = "pcfwallicon.exe" nocase wide ascii + $a367 = "pcscan.exe" nocase wide ascii + $a369 = 
"periscope.exe" nocase wide ascii + $a370 = "persfw.exe" nocase wide ascii + $a371 = "perswf.exe" nocase wide ascii + $a372 = "pf2.exe" nocase wide ascii + $a373 = "pfwadmin.exe" nocase wide ascii + $a374 = "pgmonitr.exe" nocase wide ascii + $a375 = "pingscan.exe" nocase wide ascii + $a376 = "platin.exe" nocase wide ascii + $a377 = "pop3trap.exe" nocase wide ascii + $a378 = "poproxy.exe" nocase wide ascii + $a379 = "popscan.exe" nocase wide ascii + $a380 = "portdetective.exe" nocase wide ascii + $a381 = "portmonitor.exe" nocase wide ascii + $a382 = "powerscan.exe" nocase wide ascii + $a383 = "ppinupdt.exe" nocase wide ascii + $a384 = "pptbc.exe" nocase wide ascii + $a385 = "ppvstop.exe" nocase wide ascii + $a387 = "prmt.exe" nocase wide ascii + $a388 = "prmvr.exe" nocase wide ascii + $a389 = "procdump.exe" nocase wide ascii + $a390 = "processmonitor.exe" nocase wide ascii + $a392 = "programauditor.exe" nocase wide ascii + $a393 = "proport.exe" nocase wide ascii + $a394 = "protectx.exe" nocase wide ascii + $a395 = "pspf.exe" nocase wide ascii + $a396 = "purge.exe" nocase wide ascii + $a397 = "qconsole.exe" nocase wide ascii + $a398 = "qserver.exe" nocase wide ascii + $a399 = "rapapp.exe" nocase wide ascii + $a400 = "rav7.exe" nocase wide ascii + $a401 = "rav7win.exe" nocase wide ascii + $a404 = "rb32.exe" nocase wide ascii + $a405 = "rcsync.exe" nocase wide ascii + $a406 = "realmon.exe" nocase wide ascii + $a407 = "reged.exe" nocase wide ascii + $a410 = "rescue.exe" nocase wide ascii + $a412 = "rrguard.exe" nocase wide ascii + $a413 = "rshell.exe" nocase wide ascii + $a414 = "rtvscan.exe" nocase wide ascii + $a415 = "rtvscn95.exe" nocase wide ascii + $a416 = "rulaunch.exe" nocase wide ascii + $a421 = "safeweb.exe" nocase wide ascii + $a422 = "sahagent.exe" nocase wide ascii + $a424 = "savenow.exe" nocase wide ascii + $a425 = "sbserv.exe" nocase wide ascii + $a428 = "scan32.exe" nocase wide ascii + $a430 = "scanpm.exe" nocase wide ascii + $a431 = "scrscan.exe" nocase 
wide ascii + $a435 = "sfc.exe" nocase wide ascii + $a436 = "sgssfw32.exe" nocase wide ascii + $a439 = "shn.exe" nocase wide ascii + $a440 = "showbehind.exe" nocase wide ascii + $a441 = "smc.exe" nocase wide ascii + $a442 = "sms.exe" nocase wide ascii + $a443 = "smss32.exe" nocase wide ascii + $a445 = "sofi.exe" nocase wide ascii + $a447 = "spf.exe" nocase wide ascii + $a449 = "spoler.exe" nocase wide ascii + $a450 = "spoolcv.exe" nocase wide ascii + $a451 = "spoolsv32.exe" nocase wide ascii + $a452 = "spyxx.exe" nocase wide ascii + $a453 = "srexe.exe" nocase wide ascii + $a454 = "srng.exe" nocase wide ascii + $a455 = "ss3edit.exe" nocase wide ascii + $a457 = "ssgrate.exe" nocase wide ascii + $a458 = "st2.exe" nocase wide ascii fullword + $a461 = "supftrl.exe" nocase wide ascii + $a470 = "symproxysvc.exe" nocase wide ascii + $a471 = "symtray.exe" nocase wide ascii + $a472 = "sysedit.exe" nocase wide ascii + $a480 = "taumon.exe" nocase wide ascii + $a481 = "tbscan.exe" nocase wide ascii + $a483 = "tca.exe" nocase wide ascii + $a484 = "tcm.exe" nocase wide ascii + $a488 = "teekids.exe" nocase wide ascii + $a489 = "tfak.exe" nocase wide ascii + $a490 = "tfak5.exe" nocase wide ascii + $a491 = "tgbob.exe" nocase wide ascii + $a492 = "titanin.exe" nocase wide ascii + $a493 = "titaninxp.exe" nocase wide ascii + $a496 = "trjscan.exe" nocase wide ascii + $a500 = "tvmd.exe" nocase wide ascii + $a501 = "tvtmd.exe" nocase wide ascii + $a513 = "vet32.exe" nocase wide ascii + $a514 = "vet95.exe" nocase wide ascii + $a515 = "vettray.exe" nocase wide ascii + $a517 = "vir-help.exe" nocase wide ascii + $a519 = "vnlan300.exe" nocase wide ascii + $a520 = "vnpc3000.exe" nocase wide ascii + $a521 = "vpc32.exe" nocase wide ascii + $a522 = "vpc42.exe" nocase wide ascii + $a523 = "vpfw30s.exe" nocase wide ascii + $a524 = "vptray.exe" nocase wide ascii + $a525 = "vscan40.exe" nocase wide ascii + $a527 = "vsched.exe" nocase wide ascii + $a528 = "vsecomr.exe" nocase wide ascii + $a529 = 
"vshwin32.exe" nocase wide ascii
+ $a531 = "vsmain.exe" nocase wide ascii
+ $a532 = "vsmon.exe" nocase wide ascii
+ $a533 = "vsstat.exe" nocase wide ascii
+ $a534 = "vswin9xe.exe" nocase wide ascii
+ $a535 = "vswinntse.exe" nocase wide ascii
+ $a536 = "vswinperse.exe" nocase wide ascii
+ $a537 = "w32dsm89.exe" nocase wide ascii
+ $a538 = "w9x.exe" nocase wide ascii
+ $a541 = "webscanx.exe" nocase wide ascii
+ $a543 = "wfindv32.exe" nocase wide ascii
+ $a545 = "wimmun32.exe" nocase wide ascii
+ $a566 = "wnad.exe" nocase wide ascii
+ $a567 = "wnt.exe" nocase wide ascii
+ $a568 = "wradmin.exe" nocase wide ascii
+ $a569 = "wrctrl.exe" nocase wide ascii
+ $a570 = "wsbgate.exe" nocase wide ascii
+ $a573 = "wyvernworksfirewall.exe" nocase wide ascii
+ $a575 = "zapro.exe" nocase wide ascii
+ $a577 = "zatutor.exe" nocase wide ascii
+ $a579 = "zonealarm.exe" nocase wide ascii
+ // Strings from Dubnium below
+ $a580 = "QQPCRTP.exe" nocase wide ascii
+ $a581 = "QQPCTray.exe" nocase wide ascii
+ $a582 = "ZhuDongFangYu.exe" nocase wide ascii
+ $a583 = /360(tray|sd|rp).exe/ nocase wide ascii
+ $a584 = /qh(safetray|watchdog|activedefense).exe/ nocase wide ascii
+ $a585 = "McNASvc.exe" nocase wide ascii
+ $a586 = "MpfSrv.exe" nocase wide ascii
+ $a587 = "McProxy.exe" nocase wide ascii
+ $a588 = "mcmscsvc.exe" nocase wide ascii
+ $a589 = "McUICnt.exe" nocase wide ascii
+ $a590 = /ui(WatchDog|seagnt|winmgr).exe/ nocase wide ascii
+ $a591 = "ufseagnt.exe" nocase wide ascii
+ $a592 = /core(serviceshell|frameworkhost).exe/ nocase wide ascii
+ $a593 = /ay(agent|rtsrv|updsrv).aye/ nocase wide ascii
+ $a594 = /avast(ui|svc).exe/ nocase wide ascii
+ $a595 = /ms(seces|mpeng).exe/ nocase wide ascii
+ $a596 = "afwserv.exe" nocase wide ascii
+ $a597 = "FiddlerUser"
+
+ condition:
+ any of them
+}
+
+rule Dropper_Strings : SuspiciousStrings
+{
+ meta:
+ description = "May have dropper capabilities"
+ author = "Ivan Kwiatkowski (@JusticeRage)"
+ strings:
+ $a0 = "CurrentVersion\\Run" nocase wide 
ascii
+ $a1 = "CurrentControlSet\\Services" nocase wide ascii
+ $a2 = "Programs\\Startup" nocase wide ascii
+ $a3 = "%temp%" nocase wide ascii
+ $a4 = "%allusersprofile%" nocase wide ascii
+ condition:
+ any of them
+}
+
+rule AutoIT_compiled_script : SuspiciousStrings
+{
+ meta:
+ description = "Is an AutoIT compiled script"
+ author = "Ivan Kwiatkowski (@JusticeRage)"
+ strings:
+ $a0 = "AutoIt Error" ascii wide
+ $a1 = "reserved for AutoIt internal use" ascii wide
+ condition:
+ any of them
+}
+
+rule WMI_strings : SuspiciousStrings
+{
+ meta:
+ description = "Accesses the WMI"
+ author = "Ivan Kwiatkowski (@JusticeRage)"
+ strings:
+ // WMI namespaces which may be referenced in the ConnectServer call. All in the form of "ROOT\something"
+ $a0 = /ROOT\\(CIMV2|AccessLogging|ADFS|aspnet|Cli|Hardware|interop|InventoryLogging|Microsoft.{10}|Policy|RSOP|SECURITY|ServiceModel|snmpStandardCimv2|subscription|virtualization|WebAdministration|WMI)/ nocase ascii wide
+ condition:
+ any of them
+}
+
+
+rule Base64d_PE : SuspiciousStrings
+{
+ meta:
+ description = "Contains a base64-encoded executable"
+ author = "Florian Roth"
+ date = "2017-04-21"
+
+ strings:
+ $s0 = "TVqQAAIAAAAEAA8A//8AALgAAAA" wide ascii
+ $s1 = "TVqQAAMAAAAEAAAA//8AALgAAAA" wide ascii
+
+ condition:
+ any of them
+}
+
+rule Misc_Suspicious_Strings : SuspiciousStrings
+{
+ meta:
+ description = "Miscellaneous malware strings"
+ author = "Ivan Kwiatkowski (@JusticeRage)"
+ strings:
+ $a0 = "backdoor" nocase ascii wide
+ $a1 = "virus" nocase ascii wide fullword
+ $a2 = "hack" nocase ascii wide fullword
+ $a3 = "exploit" nocase ascii wide
+ $a4 = "cmd.exe" nocase ascii wide
+ $a5 = "CWSandbox" nocase wide ascii // Found in some Zeus/Citadel samples
+ $a6 = "System32\\drivers\\etc\\hosts" nocase wide ascii
+ condition:
+ any of them
+}
+
diff --git a/yara_sigs/strings/url.yar b/yara_sigs/strings/url.yar
new file mode 100644
index 0000000..30cd39f
--- /dev/null
+++ b/yara_sigs/strings/url.yar
@@ -0,0 +1,15 @@
+/*
+ This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+ long as you use it under this license.
+*/
+
+rule url : SuspiciousStrings{
+ meta:
+ author = "Antonio S. "
+ strings:
+ $url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/ wide ascii
+ $url_regex1 = /http?:\/\/([\w\.-]+)([\/\w \.-]*)/ wide ascii
+ condition:
+ any of them
+}
+
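Review bot: In `$url_regex1` the pattern `/http?:\/\/.../` makes only the trailing `p` optional, so it matches `htt://` and `http://` rather than the `https?` it appears to intend; `$url_regex` already covers both `http://` and `https://`, so the second string contributes no detection and can be removed, or corrected if a distinct scheme was meant. Neither string carries `nocase`, so an upper-case scheme such as `HTTP://` embedded in a sample is missed; `$url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/ nocase wide ascii` closes that gap. The literal space inside the path class `[\/\w \.-]` lets a match continue across adjacent words, which inflates the matched URL reported for the rule and is worth a comment if it is deliberate. The `meta` block has no `description`, unlike the sibling rules in this commit; `description = "Contains an embedded URL"` would make the report entry consistent.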