mirrors/Detect-It-Easy
2
0
Fork 0
mirror of https://github.com/horsicq/Detect-It-Easy.git synced 2026-06-24 01:54:08 +00:00
Code Issues Projects Releases Packages Wiki Activity
Detect-It-Easy/yara_rules/packer.yar
DosX 725f3f759d Reformat YARA rules indentation 
Normalize indentation and spacing across multiple YARA rule files. Changes are whitespace/formatting-only (alignment of comments, blocks, and string sections) and do not modify rule logic or conditions. Updated files: yara_rules/DiE_BasicHeuristics_by_DosX.yar, yara_rules/DiE_EnhancedHeuristics_by_DosX.yar, yara_rules/DiE_InterestingThings_by_DosX.yar, yara_rules/crypto_signature.yar, yara_rules/malware_analisys.yar, yara_rules/packer.yar, yara_rules/packer_compiler_signatures.yar, yara_rules/peid.yar.
2026-04-19 13:53:40 +03:00

15264 lines
546 KiB
Text
Raw Permalink Blame History

/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule emotet_packer {
meta:
description = "recent Emotet packer pdb string"
author = "Marc Salinas (@Bondey_m)"
reference = "330fb2954c1457149988cda98ca8401fbc076802ff44bb30894494b1c5531119"
reference = "d08a4dc159b17bde8887fa548b7d265108f5f117532d221adf7591fbad29b457"
reference = "7b5b8aaef86b1a7a8e7f28f0bda0bb7742a8523603452cf38170e5253f7a5c82"
reference = "e6abb24c70a205ab471028aee22c1f32690c02993b77ee0e77504eb360860776"
reference = "5684850a7849ab475227da91ada8ac5741e36f98780d9e3b01ae3085a8ef02fc"
reference = "acefdb67d5c0876412e4d079b38da1a5e67a7fcd936576c99cc712391d3a5ff5"
reference = "14230ba12360a172f9f242ac98121ca76e7c4450bfcb499c2af89aa3a1ef7440"
reference = "4fe9b38d2c32d0ee19d7be3c1a931b9448904aa72e888f40f43196e0b2207039"
reference = "e31028282c38cb13dd4ede7e9c8aa62d45ddae5ebaa0fe3afb3256601dbf5de7"
date = "2017-12-12"
strings:
$pdb1 = "123EErrrtools.pdb"
$pdb2= "gGEW\\F???/.pdb"
condition:
$pdb1 or $pdb2
}
rule silent_banker : banker {
meta: author="malware-lu"
strings:
$a = {6A 40 68 00 30 0000 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}
rule zbot : banker {
meta: author="malware-lu"
strings:
$a = "__SYSTEM__" wide
$b = "*tanentry*"
$c = "*<option"
$d = "*<select"
$e = "*<input"
condition:
($a and $b) or ($c and $d and $e)
}
rule banbra : banker {
meta: author="malware-lu"
strings:
$a = "senha" fullword nocase
$b = "cartao" fullword nocase
$c = "caixa"
$d = "login" fullword nocase
$e = ".com.br"
condition:
#a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3
}
rule Borland {
meta: author="malware-lu"
strings:
$patternBorland = "Borland" wide ascii
condition:
$patternBorland
}
rule MSLRHv032afakePCGuard4xxemadicius {
meta: author="malware-lu"
strings:
$a0 = { FC 55 50 E8 00000000 5D EB 01 E3 60 E8 03 000000 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 58 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule EnigmaProtector1XSukhovVladimirSergeNMarkin {
meta: author="malware-lu"
strings:
$a0 = { 000000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 000000 56 69 72 74 75 61 6C 46 72 65 65 000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 45 78 69 74 50 72 6F 63 65 73 73 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 4D 65 73 73 61 67 65 42 6F 78 41 000000 52 65 67 43 6C 6F 73 65 4B 65 79 000000 53 79 73 46 72 65 65 53 74 72 69 6E 67 000000 43 72 65 61 74 65 46 6F 6E 74 41 000000 53 68 65 6C 6C 45 78 65 63 75 74 65 41 0000 }
condition:
$a0
}
rule SPLayerv008 {
meta: author="malware-lu"
strings:
$a0 = { 8D 40 00 B9 ???????? 6A ?? 58 C0 0C ???? 48 ???? 66 13 F0 91 3B D9 ???????????????? 00000000 }
condition:
$a0
}
rule DxPackV086Dxd {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 8B FD 81 ED 06 10 40 00 2B BD 94 12 40 00 81 EF 06 000000 83 BD 14 13 40 00 01 0F 84 2F 01 0000 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtMicrosoftVisualC60 {
meta: author="malware-lu"
strings:
$a0 = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 }
$a1 = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE }
$a2 = { 91 EB 02 CD 20 BF 50 BC 04 6F 91 BE D0 ???? 6F EB 02 CD 20 2B F7 EB 02 F0 46 8D 1D F4 00 }
$a3 = { C1 CE 10 C1 F6 0F 68 00 ???? 00 2B FA 5B 23 F9 8D 15 80 ???? 00 E8 01 000000 B6 5E 0B }
$a4 = { D1 E9 03 C0 68 80 ???? 00 EB 02 CD 20 5E 40 BB F4 000000 33 CA 2B C7 0F B6 16 EB 01 3E }
$a5 = { E8 01 000000 0E 59 E8 01 000000 58 58 BE 80 ???? 00 EB 02 61 E9 68 F4 000000 C1 C8 }
$a6 = { EB 01 4D 83 F6 4C 68 80 ???? 00 EB 02 CD 20 5B EB 01 23 68 48 1C 2B 3A E8 02 000000 38 }
$a7 = { EB 02 AB 35 EB 02 B5 C6 8D 05 80 ???? 00 C1 C2 11 BE F4 000000 F7 DB F7 DB 0F BE 38 E8 }
$a8 = { EB 02 CD 20 ?? CF ???? 80 ???? 00 ???????????????? 00 }
$a9 = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ???? BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point or $a5 at pe.entry_point or $a6 at pe.entry_point or $a7 at pe.entry_point or $a8 at pe.entry_point or $a9 at pe.entry_point
}
rule TPPpackclane {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5D 81 ED F5 8F 40 00 60 33 ?? E8 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtMicrosoftVisualC6070 {
meta: author="malware-lu"
strings:
$a0 = { 0B D0 8B DA E8 02 000000 40 A0 5A EB 01 9D B8 80 ???? 00 EB 02 CD 20 03 D3 8D 35 F4 000000 EB 01 35 EB 01 88 80 CA 7C 80 F3 74 8B 38 EB 02 AC BA 03 DB E8 01 000000 A5 5B C1 C2 0B 81 C7 DA 10 0A 4E EB 01 08 2B D1 83 EF 14 EB 02 CD 20 33 D3 83 EF 27 }
$a1 = { 0B D0 8B DA E8 02 000000 40 A0 5A EB 01 9D B8 80 ?????? EB 02 CD 20 03 D3 8D 35 F4 00 }
$a2 = { 87 FE E8 02 000000 98 CC 5F BB 80 ???? 00 EB 02 CD 20 68 F4 000000 E8 01 000000 E3 }
$a3 = { F7 D8 40 49 EB 02 E0 0A 8D 35 80 ?????? 0F B6 C2 EB 01 9C 8D 1D F4 000000 EB 01 3C 80 }
$a4 = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? A7 BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point
}
rule Thinstall24x25xJititSoftware {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B8 ???????? BB ???????? 50 E8 00000000 58 2D ???????? B9 ???????? BA ???????? BE ???????? BF ???????? BD ???????? 03 E8 }
condition:
$a0 at pe.entry_point
}
rule LocklessIntroPack {
meta: author="malware-lu"
strings:
$a0 = { 2C E8 ???????? 5D 8B C5 81 ED F6 73 ???? 2B 85 ???????? 83 E8 06 89 85 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03faketElock061FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 E9 00000000 60 E8 00000000 58 83 C0 08 F3 EB FF E0 83 C0 28 50 E8 00000000 5E B3 33 8D 46 0E 8D 76 31 28 18 F8 73 00 C3 8B FE B9 3C 02 }
condition:
$a0 at pe.entry_point
}
rule ExeStealth275aWebtoolMaster {
meta: author="malware-lu"
strings:
$a0 = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 }
condition:
$a0 at pe.entry_point
}
rule PEArmor046Hying {
meta: author="malware-lu"
strings:
$a0 = { E8 AA 000000 2D ???? 000000000000000000 3D ???? 00 2D ???? 000000000000000000000000000000000000000000 4B ???? 00 5C ???? 00 6F ???? 0000000000 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 }
$a1 = { E8 AA 000000 2D ?????? 0000000000000000 3D }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule eXPressorv13CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { 45 78 50 72 2D 76 2E 31 2E 33 2E }
$a1 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 33 2E 2E B8 ???????? 2B 05 ???????? A3 ???????? 83 3D ???????? 00 74 13 A1 ???????? 03 05 ???????? 89 ???? E9 ???? 0000 C7 05 }
condition:
$a0 or $a1 at pe.entry_point
}
rule Upackv032BetaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 88 01 ???? AD 50 ???? AD 91 F3 A5 }
$a1 = { BE 88 01 ???? AD 50 ?? AD 91 ?? F3 A5 }
condition:
$a0 or $a1
}
rule MSLRHV031emadicius {
meta: author="malware-lu"
strings:
$a0 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 }
condition:
$a0 at pe.entry_point
}
rule PECompactv184 {
meta: author="malware-lu"
strings:
$a0 = { 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
condition:
$a0 at pe.entry_point
}
rule PCGuardforWin32v500SofProBlagojeCeklic {
meta: author="malware-lu"
strings:
$a0 = { FC 55 50 E8 00000000 5D 60 E8 03 000000 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 ?????? 00 EB 01 E3 60 E8 03 000000 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 000000 83 EB 0E EB 01 0C }
condition:
$a0 at pe.entry_point
}
rule WiseInstallerStub {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 78 05 0000 53 56 BE 04 01 0000 57 8D 85 94 FD FF FF 56 33 DB 50 53 FF 15 34 20 40 00 8D 85 94 FD FF FF 56 50 8D 85 94 FD FF FF 50 FF 15 30 20 40 00 8B 3D 2C 20 40 00 53 53 6A 03 53 6A 01 8D 85 94 FD FF FF 68 000000 80 50 FF D7 83 F8 FF }
$a1 = { 55 8B EC 81 EC ?? 04 0000 53 56 57 6A ?????????????? FF 15 ???? 40 00 ???????????????????????????????????????????????????????????????????????????????????????????????????????????????? 80 ?? 20 }
$a2 = { 55 8B EC 81 EC ???? 0000 53 56 57 6A 01 5E 6A 04 89 75 E8 FF 15 ?? 40 40 00 FF 15 ?? 40 40 00 8B F8 89 7D ?? 8A 07 3C 22 0F 85 ?? 000000 8A 47 01 47 89 7D ?? 33 DB 3A C3 74 0D 3C 22 74 09 8A 47 01 47 89 7D ?? EB EF 80 3F 22 75 04 47 89 7D ?? 80 3F 20 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2
}
rule AnskyaNTPackerGeneratorAnskya {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 53 B8 88 1D 00 10 E8 C7 FA FF FF 6A 0A 68 20 1E 00 10 A1 14 31 00 10 50 E8 71 FB FF FF 8B D8 85 DB 74 2F 53 A1 14 31 00 10 50 E8 97 FB FF FF 85 C0 74 1F 53 A1 14 31 00 10 50 E8 5F FB FF FF 85 C0 74 0F 50 E8 5D FB FF FF 85 C0 74 05 E8 70 FC FF FF 5B E8 F2 F6 FF FF 0000 48 45 41 52 54 }
condition:
$a0
}
rule ThinstallVirtualizationSuite30493080ThinstallCompany {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00000000 58 BB 37 1F 0000 2B C3 50 68 ???????? 68 00 2C 0000 68 04 01 0000 E8 BA FE FF FF E9 90 FF FF FF CCCCCCCCCCCCCC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 000000 33 DB BA 00 }
$a1 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00000000 58 BB 37 1F 0000 2B C3 50 68 ???????? 68 00 2C 0000 68 04 01 0000 E8 BA FE FF FF E9 90 FF FF FF CCCCCCCCCCCCCC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 000000 33 DB BA 000000 80 43 33 C0 E8 19 01 0000 73 0E 8B 4D F8 E8 27 01 0000 02 45 F7 AA EB E9 E8 04 01 0000 0F 82 96 000000 E8 F9 000000 73 5B B9 04 000000 E8 05 01 0000 48 74 DE 0F 89 C6 000000 E8 DF 000000 73 1B 55 BD 00 01 0000 E8 DF 000000 88 07 47 4D 75 F5 E8 C7 000000 72 E9 5D EB }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule NsPack14byNorthStarLiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 8B DF 83 3F 00 75 0A 83 C7 04 B9 00000000 EB 16 B9 01 000000 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 }
condition:
$a0
}
rule FSGv110EngbartxtWatcomCCEXE {
meta: author="malware-lu"
strings:
$a0 = { EB 02 CD 20 03 ?? 8D ?? 80 ???? 00 ?????????????????? EB 02 }
condition:
$a0 at pe.entry_point
}
rule AcidCrypt: Packer {
meta: author="malware-lu"
strings:
$a0 = { 60 B9 ?????? 00 BA ?????? 00 BE ?????? 00 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB }
$a1 = { BE ???????? 02 38 40 4E 75 FA 8B C2 8A 18 32 DF C0 CB }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule eXPressorv1451CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?????? 05 00 ?????? A3 08 ?????? A1 08 ?????? B9 81 ?????? 2B 48 18 89 0D 0C ?????? 83 3D 10 ?????? 00 74 16 A1 08 ?????? 8B 0D 0C ?????? 03 48 14 }
$a1 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ?????? 05 00 ?????? A3 08 ?????? A1 08 ?????? B9 81 ?????? 2B 48 18 89 0D 0C ?????? 83 3D 10 ?????? 00 74 16 A1 08 ?????? 8B 0D 0C ?????? 03 48 14 89 4D CC }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule BeRoEXEPackerv100LZMABeRoFarbrausch {
meta: author="malware-lu"
strings:
$a0 = { 60 68 ???????? 68 ???????? 68 ???????? E8 ???????? BE ???????? B9 04 000000 8B F9 81 FE ???????? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8 }
condition:
$a0 at pe.entry_point
}
rule PackanoidArkanoid {
meta: author="malware-lu"
strings:
$a0 = { BF 00 10 40 00 BE ?????? 00 E8 9D 000000 B8 }
condition:
$a0 at pe.entry_point
}
rule DAEMONProtectv067 {
meta: author="malware-lu"
strings:
$a0 = { 60 60 9C 8C C9 32 C9 E3 0C 52 0F 01 4C 24 FE 5A 83 C2 0C 8B 1A 9D 61 }
condition:
$a0 at pe.entry_point
}
rule EmbedPEV100V124cyclotron {
meta: author="malware-lu"
strings:
$a0 = { 00000000 ???????? 0000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????? 00000000 ???????????????????????? 00000000 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000000000000000 }
condition:
$a0
}
rule VProtectorV10Avcasm {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 8A 8E 40 00 68 C6 8E 40 00 64 A1 00000000 50 64 89 25 00000000 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 }
condition:
$a0 at pe.entry_point
}
rule EncryptPE2200481022005314WFS {
meta: author="malware-lu"
strings:
$a0 = { 60 9C 64 FF 35 00000000 E8 7A }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02JDPack1xJDProtect09Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 22 000000 5D 8B D5 81 ED 90909090 2B 95 90909090 81 EA 06 909090 89 95 90909090 83 BD 45 00 01 00 01 }
condition:
$a0 at pe.entry_point
}
rule EmbedPEV1Xcyclotron {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 50 60 68 ???????? E8 ???? 0000 }
condition:
$a0 at pe.entry_point
}
rule EncryptPEV220070411WFS {
meta: author="malware-lu"
strings:
$a0 = { 60 9C 64 FF 35 00000000 E8 1B 02 0000000000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????????????????????????????????????????????????????? 00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 47 65 74 54 65 6D 70 50 61 74 68 41 000000 43 72 65 61 74 65 46 69 6C 65 41 000000 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 000000 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 43 6C 6F 73 65 48 61 6E 64 6C 65 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 45 78 69 74 50 72 6F 63 65 73 73 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01MicrosoftVisualBasic60DLLAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090 68 ???????? 67 64 FF 36 0000 67 64 89 26 0000 F1 90909090 5A 68 90909090 68 90909090 52 E9 9090 FF }
condition:
$a0 at pe.entry_point
}
rule NsPack14Liuxingping {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 ???? 40 00 2D ???? 40 00 }
condition:
$a0 at pe.entry_point
}
rule VxTrivial46 {
meta: author="malware-lu"
strings:
$a0 = { B4 4E B1 20 BA ???? CD 21 BA ???? B8 ?? 3D CD 21 }
condition:
$a0 at pe.entry_point
}
rule STUDRC410JamieEditionScanTimeUnDetectablebyMarjinZ {
meta: author="malware-lu"
strings:
$a0 = { 68 2C 11 40 00 E8 F0 FF FF FF 000000000000 30 000000 38 00000000000000 37 BB 71 EC A4 E1 98 4C 9B FE 8F 0F FA 6A 07 F6 000000000000 01 000000 20 20 46 6F 72 20 73 74 75 64 00 20 54 6F 00000000 06 000000 CC 1A 40 00 07 000000 D4 18 40 00 07 000000 7C 18 40 00 07 000000 2C 18 40 00 07 000000 E0 17 40 00 56 42 35 21 F0 1F 2A 00000000000000000000000000 7E 00000000000000000000000000 0A 00 09 04 000000000000 E8 13 40 00 F4 13 40 0000 F0 30 0000 FF FF FF 08 000000 01 00000000000000 E9 000000 04 11 40 00 04 11 40 00 C8 10 40 00 78 000000 7C 000000 81 000000 82 00000000000000000000000000000000000000 61 61 61 00 53 74 75 64 0000 73 74 75 64 0000 01 00 01 00 30 16 40 0000000000 FF FF FF FF FF FF FF FF 00000000 B4 16 40 00 10 30 40 00 07 000000 24 12 40 00 0E 00 20 0000000000 1C 9E 21 00 EC 11 40 00 5C 10 40 00 E4 1A 40 00 2C 34 40 00 68 17 40 00 58 17 40 00 78 17 40 00 8C 17 40 00 8C 10 40 00 62 10 40 00 92 10 40 00 F8 1A 40 00 24 19 40 00 98 10 40 00 9E 10 40 00 77 04 18 FF 04 1C FF 05 0000 24 01 00 0D 14 00 78 1C 40 00 48 21 40 00 }
condition:
$a0 at pe.entry_point
}
rule VxSonikYouth {
meta: author="malware-lu"
strings:
$a0 = { 8A 16 02 00 8A 07 32 C2 88 07 43 FE C2 81 FB }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090 68 ???????? 67 64 FF 36 0000 67 64 89 26 0000 F1 90909090 }
condition:
$a0 at pe.entry_point
}
rule UPXShit006 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? 43 00 B9 15 000000 80 34 08 ?? E2 FA E9 D6 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule SetupFactoryv6003SetupLauncher {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 90 61 40 00 68 70 3B 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF 15 14 61 40 00 33 D2 8A D4 89 15 5C 89 40 00 8B C8 81 E1 FF 000000 89 0D 58 89 40 00 C1 E1 08 03 CA 89 0D 54 89 40 00 C1 E8 10 A3 50 89 }
condition:
$a0
}
rule CrypKeyV61XDLLCrypKeyCanadaInc {
meta: author="malware-lu"
strings:
$a0 = { 83 3D ???????? 00 75 34 68 ???????? E8 }
condition:
$a0 at pe.entry_point
}
rule VcAsmProtectorVcAsm {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? 68 ???????? 64 A1 00000000 50 64 89 25 00000000 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 }
condition:
$a0 at pe.entry_point
}
rule PECompact2xxSlimLoaderBitSumTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 50 64 FF 35 00000000 64 89 25 00000000 33 C0 89 08 50 45 43 32 00 }
condition:
$a0 at pe.entry_point
}
rule ENIGMAProtectorV11V12SukhovVladimir {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 83 ED 06 81 }
condition:
$a0 at pe.entry_point
}
rule yodasProtectorv10bAshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 56 57 60 E8 00000000 5D 81 ED 4C 32 40 00 E8 03 000000 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 000000 90 EB 01 ?? E8 03 000000 EB 01 }
condition:
$a0 at pe.entry_point
}
rule PEDiminisherv01 {
meta: author="malware-lu"
strings:
$a0 = { 53 51 52 56 57 55 E8 00000000 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 000000 89 95 9A 33 40 00 80 BD 99 33 40 0000 74 }
$a1 = { 5D 8B D5 81 ED A2 30 40 ?? 2B 95 91 33 40 ?? 81 EA 0B ?????? 89 95 9A 33 40 ?? 80 BD 99 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule SOFTWrapperforWin9xNTEvaluationVersion {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5D 8B C5 2D ?????? 00 50 81 ED 05 000000 8B C5 2B 85 03 0F 0000 89 85 03 0F 0000 8B F0 03 B5 0B 0F 0000 8B F8 03 BD 07 0F 0000 83 7F 0C 00 74 2B 56 57 8B 7F 10 03 F8 8B 76 10 03 F0 83 3F 00 74 0C 8B 1E 89 1F 83 C6 04 83 C7 04 EB EF }
condition:
$a0 at pe.entry_point
}
rule Armadillov200 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 00 02 41 00 68 C4 A0 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule Armadillov201 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 08 02 41 00 68 04 9A 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule FreeJoinerSmallbuild014021024027GlOFF {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? FF FF 6A 00 E8 0D 000000 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
condition:
$a0 at pe.entry_point
}
rule SDProtector1xRandyLi {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00000000 50 64 89 25 00000000 58 64 A3 00000000 58 58 58 58 8B E8 E8 3B 000000 E8 01 000000 FF 58 05 53 000000 51 8B 4C 24 10 89 81 B8 000000 B8 55 01 0000 89 41 20 33 C0 89 41 04 89 41 }
condition:
$a0 at pe.entry_point
}
rule NSISInstallerNullSoft {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 20 53 55 56 33 DB 57 89 5C 24 18 C7 44 24 10 ???????? C6 44 24 14 20 FF 15 30 70 40 00 53 FF 15 80 72 40 00 68 ???????? 68 ???????? A3 ???????? E8 ???????? BE }
condition:
$a0 at pe.entry_point
}
rule PEXv099 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 01 ???????? 83 C4 04 E8 01 ???????? 5D 81 }
condition:
$a0 at pe.entry_point
}
rule IMPPacker10MahdiHezavehiIMPOSTER {
meta: author="malware-lu"
strings:
$a0 = { 28 ?????? 0000000000000000 40 ?????? 34 ?????? 0000000000000000000000000000000000000000 4C ?????? 5C ?????? 00000000 ???????????????? 00000000 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 0000 47 65 74 50 72 6F 63 }
condition:
$a0
}
rule PEProtectv09 {
meta: author="malware-lu"
strings:
$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 ???????? 58 83 C0 07 C6 ?? C3 }
$a1 = { E9 ?? 000000 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39 20 28 43 29 6F }
condition:
$a0 at pe.entry_point or $a1
}
rule nbuildv10soft {
meta: author="malware-lu"
strings:
$a0 = { B9 ???? BB ???? C0 ???? 80 ???? 43 E2 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01StelthPE101Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 BA ???????? FF E2 BA E0 10 40 00 B8 68 24 1A 40 89 02 83 C2 03 B8 40 00 E8 EE 89 02 83 C2 FD FF E2 2D 3D 5B 20 48 69 64 65 50 45 20 5D 3D 2D 90 000000 }
condition:
$a0 at pe.entry_point
}
rule IProtect10FxSubdllmodebyFuXdas {
meta: author="malware-lu"
strings:
$a0 = { EB 33 2E 46 55 58 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 46 78 53 75 62 2E 64 6C 6C 000000000000000000000000000000000000000000 ?????? 00 60 E8 00000000 5D 81 ED B6 13 40 00 FF 74 24 20 E8 40 000000 0B C0 74 2F 89 85 A8 13 40 00 8D 85 81 13 40 00 50 FF B5 A8 13 40 00 E8 92 000000 0B C0 74 13 89 85 A4 13 40 00 8D 85 8E 13 40 00 50 FF 95 A4 13 40 00 8B 85 AC 13 40 00 89 44 24 1C 61 FF E0 8B 7C 24 04 8D 85 00 10 40 00 50 64 FF 35 00000000 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00000000 81 E7 0000 FF FF 66 81 3F 4D 5A 75 0F 8B F7 03 76 3C 81 3E 50 45 0000 75 02 EB 17 81 EF 0000 01 00 81 FF 000000 70 73 07 BF 0000 F7 BF EB 02 EB D3 97 64 8F 05 00000000 83 C4 04 C2 04 00 8D 85 00 10 40 00 50 64 FF 35 00000000 8D 85 98 13 40 00 89 20 89 68 04 8D 9D 4F 14 40 00 89 58 08 64 89 25 00000000 8B 74 24 0C 66 81 3E 4D 5A 74 05 E9 8A 000000 03 76 3C 81 3E 50 45 0000 74 02 EB 7D 8B 7C 24 10 B9 96 000000 32 C0 F2 AE 8B CF 2B 4C 24 10 8B 56 78 03 54 24 0C 8B 5A 20 03 5C 24 0C 33 C0 8B 3B 03 7C 24 0C 8B 74 24 10 51 F3 A6 75 05 83 C4 04 EB 0A 59 83 C3 04 40 3B 42 18 75 E2 3B 42 18 75 02 EB 35 8B 72 24 03 74 24 0C 52 BB 02 000000 33 D2 F7 E3 5A 03 C6 33 C9 66 8B 08 8B 7A 1C 33 D2 BB 04 000000 8B C1 F7 E3 03 44 24 0C 03 C7 8B 00 03 44 24 0C EB 02 33 C0 64 8F 05 00000000 83 C4 04 C2 08 00 E8 B5 FA FF FF }
condition:
$a0 at pe.entry_point
}
rule MSVisualCv8DLLhsmallsig2 {
meta: author="malware-lu"
strings:
$a0 = { 8B FF 55 8B EC 53 8B 5D 08 56 8B 75 0C 85 F6 57 8B 7D 10 0F 84 ???? 0000 83 FE 01 }
condition:
$a0 at pe.entry_point
}
rule MSVisualCv8DLLhsmallsig1 {
meta: author="malware-lu"
strings:
$a0 = { 8B FF 55 8B EC 83 7D 0C 01 75 05 E8 ?????? FF 5D E9 D6 FE FF FF CCCCCCCCCC }
condition:
$a0 at pe.entry_point
}
rule RCryptorv16xVaska {
meta: author="malware-lu"
strings:
$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ???????? C3 }
condition:
$a0 at pe.entry_point
}
rule UPXv20MarkusLaszloReiser {
meta: author="malware-lu"
strings:
$a0 = { 55 FF 96 ???????? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ???????? 8B AE ???????? 8D BE 00 F0 FF FF BB 00 10 0000 50 54 6A 04 53 57 FF D5 8D 87 ???? 0000 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 }
condition:
$a0
}
rule BladeJoinerv15 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 C4 E4 FE FF FF 53 56 57 33 C0 89 45 F0 89 85 }
condition:
$a0 at pe.entry_point
}
rule FSGv133Engdulekxt {
meta: author="malware-lu"
strings:
$a0 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF }
$a1 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule FSGv13 {
meta: author="malware-lu"
strings:
$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ???????? 53 E8 0A 000000 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 000000 2B CB 75 10 E8 38 00 }
condition:
$a0 at pe.entry_point
}
rule FSGv12 {
meta: author="malware-lu"
strings:
$a0 = { 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 0000 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 ?? 0000000000 }
condition:
$a0 at pe.entry_point
}
rule FSGv11 {
meta: author="malware-lu"
strings:
$a0 = { BB D0 01 40 ?? BF ?? 10 40 ?? BE ???????? FC B2 80 8A 06 46 88 07 47 02 D2 75 05 8A 16 }
condition:
$a0 at pe.entry_point
}
rule FSGv10 {
meta: author="malware-lu"
strings:
$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ???????? 53 E8 0A 000000 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }
condition:
$a0 at pe.entry_point
}
rule FSGv120EngdulekxtMicrosoftVisualC6070 {
meta: author="malware-lu"
strings:
$a0 = { EB 02 CD 20 EB 01 91 8D 35 80 ???? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 000000 F7 FB 58 33 DF EB 01 3F E8 02 000000 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA }
condition:
$a0 at pe.entry_point
}
rule SuperDAT: Packer PEiD {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 40 F3 42 00 68 A4 BF 42 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF 15 08 F2 42 00 33 D2 8A D4 89 15 60 42 43 00 8B C8 81 E1 FF 000000 89 0D }
condition:
$a0 at pe.entry_point
}
rule PECompactv200alpha38 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 80 B8 BF 10 00 10 01 74 7A C6 80 BF 10 00 10 01 9C 55 53 51 57 52 56 8D 98 0F 10 00 10 8B 53 14 8B E8 6A 40 68 00 10 0000 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 8B F8 50 8B 33 8B 53 14 03 F2 8B 4B 0C 03 CA 8D 85 B7 10 00 10 FF 73 04 8F }
condition:
$a0
}
rule RCryptor16cVaska {
meta: author="malware-lu"
strings:
$a0 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ???????? B8 ???????? 3D ???????? 74 06 80 30 ?? 40 EB F3 B8 ???????? 3D ???????? 74 06 80 30 ?? 40 EB F3 }
condition:
$a0 at pe.entry_point
}
rule TheGuardLibrary {
meta: author="malware-lu"
strings:
$a0 = { 50 E8 ???????? 58 25 ?? F0 FF FF 8B C8 83 C1 60 51 83 C0 40 83 EA 06 52 FF 20 9D C3 }
condition:
$a0 at pe.entry_point
}
rule FreeCryptor01build001GlOFF {
meta: author="malware-lu"
strings:
$a0 = { 8B 04 24 40 90 83 C0 07 80 38 9090 74 02 EB FF 68 26 ???? 00 64 FF 35 00000000 64 89 25 00000000 FF E4 90 8B 04 24 64 A3 00000000 8B 64 24 08 90 83 C4 08 }
condition:
$a0
}
rule PseudoSigner02BJFNT12Anorganix {
meta: author="malware-lu"
strings:
$a0 = { EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 00 }
condition:
$a0 at pe.entry_point
}
rule DingBoysPElockPhantasmv08 {
meta: author="malware-lu"
strings:
$a0 = { 55 57 56 52 51 53 E8 00000000 5D 8B D5 81 ED 0D 39 40 00 }
condition:
$a0 at pe.entry_point
}
rule Thinstall2736Jitit {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 58 BB F3 1C 0000 2B C3 50 68 0000 40 00 68 00 26 0000 68 CC 000000 E8 C1 FE FF FF E9 97 FF FF FF CCCCCCCCCCCCCCCCCCCCCC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 000000 33 DB BA 000000 80 43 33 C0 E8 19 01 0000 73 0E 8B 4D F8 E8 27 01 0000 02 45 F7 AA EB E9 E8 04 01 0000 0F 82 96 000000 E8 F9 000000 73 5B B9 04 000000 E8 05 01 0000 48 74 DE 0F 89 C6 000000 E8 DF 000000 73 1B 55 BD 00 01 0000 E8 DF 000000 88 07 47 4D 75 F5 E8 C7 000000 72 E9 5D EB A2 B9 01 000000 E8 D0 000000 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 000000 88 45 F7 E9 7C FF FF FF B9 07 000000 E8 AA 000000 50 33 C9 B1 02 E8 A0 000000 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 000000 89 45 FC E9 48 FF FF FF E8 87 000000 49 E2 09 8B C3 E8 7D 000000 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 000000 0B C5 5D 8B D8 E8 5F 000000 3D 0000 01 00 73 14 3D FF 37 0000 73 0E 3D 7F 02 0000 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 }
condition:
$a0 at pe.entry_point
}
rule UnnamedScrambler11Cp0ke {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 E4 53 56 33 C0 89 45 E4 89 45 E8 89 45 EC B8 C0 47 00 10 E8 4F F3 FF FF BE 5C 67 00 10 33 C0 55 68 D2 4A 00 10 64 FF 30 64 89 20 E8 EB DE FF FF E8 C6 F8 FF FF BA E0 4A 00 10 B8 CC 67 00 10 E8 5F F8 FF FF 8B D8 8B D6 8B C3 8B 0D CC 67 00 10 E8 3A DD FF FF 8B 46 50 8B D0 B8 D4 67 00 10 E8 5B EF FF FF B8 D4 67 00 10 E8 09 EF FF FF 8B D0 8D 46 14 8B 4E 50 E8 14 DD FF FF 8B 46 48 8B D0 B8 D8 67 00 ?????????? FF B8 D8 67 00 10 E8 E3 EE FF FF 8B D0 8B C6 8B 4E 48 E8 EF DC FF FF FF 76 5C FF 76 58 FF 76 64 FF 76 60 B9 D4 67 00 10 8B 15 D8 67 00 10 A1 D4 67 00 10 E8 76 F6 FF FF A1 D4 67 00 10 E8 5C EE FF FF 8B D0 B8 CC 67 00 10 E8 CC F7 FF FF 8B D8 B8 DC 67 00 10 }
condition:
$a0
}
rule y0dasCrypterv1xModified {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED ???????? B9 ???? 0000 8D BD ???????? 8B F7 AC }
condition:
$a0 at pe.entry_point
}
rule Armadillov252b2 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 B0 ?????? 68 60 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 24 }
condition:
$a0 at pe.entry_point
}
rule Upackv036betaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE E0 11 ???? FF 36 E9 C3 000000 48 01 ???? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C }
$a1 = { BE E0 11 ???? FF 36 E9 C3 000000 48 01 ???? 0B 01 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 ???????????????????????????????????????????????????????????????????????????????????????????????????????????? 82 8E FE FF FF 58 8B 4E 40 5F E3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule VxNecropolis {
meta: author="malware-lu"
strings:
$a0 = { 50 FC AD 33 C2 AB 8B D0 E2 F8 }
condition:
$a0 at pe.entry_point
}
rule WinUpackv039finalrelocatedimagebaseByDwingc2005h2 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 09 000000 ?????? 00 E9 06 02 0000 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD 03 C3 50 97 AD 91 F3 A5 5E AD 56 91 01 1E AD E2 FB AD 8D 6E 10 01 5D 00 8D 7D 1C B5 ?? F3 AB 5E AD 53 50 51 97 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72 }
condition:
$a0 at pe.entry_point
}
rule ASPackv1061bAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }
condition:
$a0 at pe.entry_point
}
rule aPackv062 {
meta: author="malware-lu"
strings:
$a0 = { 1E 06 8C C8 8E D8 ?????? 8E C0 50 BE ???? 33 FF FC B6 }
condition:
$a0 at pe.entry_point
}
rule tElockv071 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ED 10 0000 C3 83 }
condition:
$a0 at pe.entry_point
}
rule tElockv070 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 BD 10 0000 C3 83 E2 00 F9 75 FA 70 }
condition:
$a0 at pe.entry_point
}
rule Ningishzida10CyberDoom {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 96 E8 00000000 5D 81 ED 03 25 40 00 B9 04 1B 0000 8D BD 4B 25 40 00 8B F7 AC ???????????????????????????????????????????????????????????????????????????????????????????????? AA E2 CC }
condition:
$a0 at pe.entry_point
}
rule ASProtectSKE21xdllAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 03 000000 E9 EB 04 5D 45 55 C3 E8 01 000000 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?????? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 0000 8D 45 35 50 E9 82 0000000000000000000000000000000000 }
condition:
$a0 at pe.entry_point
}
rule PAVCryptorPawningAntiVirusCryptormasha_dev {
meta: author="malware-lu"
strings:
$a0 = { 53 56 57 55 BB 2C ???? 70 BE 00 30 00 70 BF 20 ???? 70 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 00 70 00 74 06 FF 15 54 30 00 70 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 1C 30 00 70 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 14 30 00 70 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 8F FA FF FF FF 15 20 30 00 70 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ???? 70 00 74 06 FF 15 10 ???? 70 8B 06 50 E8 A9 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 000000 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 00 70 E8 26 FF FF FF C3 90 8F 05 04 30 00 70 E9 E9 FF FF FF C3 }
condition:
$a0
}
rule ExeShieldCryptor13RCTomCommander {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 56 57 60 E8 00000000 5D 81 ED 8C 21 40 00 B9 51 2D 40 00 81 E9 E6 21 40 00 8B D5 81 C2 E6 21 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
condition:
$a0 at pe.entry_point
}
rule CrinklerV01V02RuneLHStubbeandAskeSimonChristensen {
meta: author="malware-lu"
strings:
$a0 = { B9 ???????? 01 C0 68 ???????? 6A 00 58 50 6A 00 5F 48 5D BB 03 000000 BE ???????? E9 }
condition:
$a0 at pe.entry_point
}
rule VxGRUNT4Family {
meta: author="malware-lu"
strings:
$a0 = { E8 1C 00 8D 9E 41 01 40 3E 8B 96 14 03 B9 EA 00 87 DB F7 D0 31 17 83 C3 02 E2 F7 C3 }
condition:
$a0 at pe.entry_point
}
rule nPackV112002006BetaNEOxuinC {
meta: author="malware-lu"
strings:
$a0 = { 83 3D 40 ?????? 00 75 05 E9 01 000000 C3 E8 41 000000 B8 80 ?????? 2B 05 08 ?????? A3 3C ?????? E8 5E 000000 E8 EC 01 0000 E8 F8 06 0000 E8 03 06 0000 A1 3C ?????? C7 05 40 ?????? 01 000000 01 05 00 ?????? FF 35 00 ?????? C3 C3 }
condition:
$a0 at pe.entry_point
}
rule VxEddie1800 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E 81 EE ???? FC 2E ???????? 4D 5A ???? FA 8B E6 81 C4 ???? FB 3B ?????????? 50 06 56 1E 8B FE 33 C0 50 8E D8 C4 ?????? 2E ???????? 2E }
condition:
$a0 at pe.entry_point
}
rule EncryptPEV22006115WFS {
meta: author="malware-lu"
strings:
$a0 = { 45 50 45 3A 20 45 6E 63 72 79 70 74 50 45 20 56 32 2E 32 30 30 36 2E 31 2E 31 35 }
condition:
$a0
}
rule PrincessSandyv10eMiNENCEProcessPatcherPatch {
meta: author="malware-lu"
strings:
$a0 = { 68 27 11 40 00 E8 3C 01 0000 6A 00 E8 41 01 0000 A3 00 20 40 00 8B 58 3C 03 D8 0F B7 43 14 0F B7 4B 06 8D 7C 18 18 81 3F 2E 4C 4F 41 74 0B 83 C7 28 49 75 F2 E9 A7 000000 8B 5F 0C 03 1D 00 20 40 00 89 1D 04 20 40 00 8B FB 83 C7 04 68 4C 20 40 00 68 08 }
condition:
$a0
}
rule aPackv082 {
meta: author="malware-lu"
strings:
$a0 = { 1E 06 8C CB BA ???? 03 DA 8D ?????? FC 33 F6 33 FF 48 4B 8E C0 8E DB }
condition:
$a0 at pe.entry_point
}
rule NJoiner01AsmVersionNEX {
meta: author="malware-lu"
strings:
$a0 = { 6A 00 68 00 14 40 00 68 00 10 40 00 6A 00 E8 14 000000 6A 00 E8 13 000000 CC FF 25 AC 12 40 00 FF 25 B0 12 40 00 FF 25 B4 12 40 00 FF 25 B8 12 40 00 FF 25 BC 12 40 00 FF 25 C0 12 40 00 FF 25 C4 12 40 00 FF 25 C8 12 40 00 FF 25 CC 12 40 00 FF 25 D0 12 40 00 FF 25 D4 12 40 00 FF 25 D8 12 40 00 FF 25 DC 12 40 00 FF 25 E4 12 40 00 FF 25 EC 12 40 00 }
condition:
$a0 at pe.entry_point
}
rule Obsiduim1304ObsiduimSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 25 000000 EB 04 ???????? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 000000 23 EB 01 ?? 33 C0 EB 02 ???? C3 EB 02 ???? EB 04 ???????? 64 67 FF 36 0000 EB 03 ?????? 64 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02FSG131Anorganix {
meta: author="malware-lu"
strings:
$a0 = { BE 909090 00 BF 909090 00 BB 909090 00 53 BB 909090 00 B2 80 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01CodeSafe20Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090909090909090909090909090909090909090 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85 E9 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01NorthStarPEShrinker13Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00000000 E9 }
condition:
$a0 at pe.entry_point
}
rule ocBat2Exe10OC {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B9 08 000000 6A 00 6A 00 49 75 F9 53 56 57 B8 58 3C 40 00 E8 6C FA FF FF 33 C0 55 68 8A 3F 40 00 64 FF 30 64 89 20 6A 00 6A 00 6A 03 6A 00 6A 01 68 000000 80 8D 55 EC 33 C0 E8 81 E9 FF FF 8B 45 EC E8 41 F6 FF FF 50 E8 F3 FA FF FF 8B F8 83 FF FF 0F 84 83 02 0000 6A 02 6A 00 6A EE 57 E8 FC FA FF FF 6A 00 68 60 99 4F 00 6A 12 68 18 57 40 00 57 E8 E0 FA FF FF 83 3D 60 99 4F 00 12 0F 85 56 02 0000 8D 45 E4 50 8D 45 E0 BA 18 57 40 00 B9 40 42 0F 00 E8 61 F4 FF FF 8B 45 E0 B9 12 000000 BA 01 000000 E8 3B F6 FF FF 8B 45 E4 8D 55 E8 E8 04 FB ???????? E8 B8 58 99 4F 00 E8 67 F3 FF FF 33 C0 A3 60 99 4F 00 8D 45 DC 50 B9 05 000000 BA 01 000000 A1 58 99 4F 00 E8 04 F6 FF FF 8B 45 DC BA A4 3F 40 00 E8 E3 F4 FF FF }
condition:
$a0
}
rule ASDPack20asd {
meta: author="malware-lu"
strings:
$a0 = { 00000000 ???????? 0000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????? 00000000 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8D 49 00 1F 01 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 90 }
$a1 = { 5B 43 83 7B 74 00 0F 84 08 000000 89 43 14 E9 }
$a2 = { 8B 44 24 04 56 57 53 E8 CD 01 0000 C3 00000000000000000000000000 10 000000 }
condition:
$a0 or $a1 or $a2 at pe.entry_point
}
rule EXECryptor2021protectedIAT {
meta: author="malware-lu"
strings:
$a0 = { A4 ?????? 00000000 FF FF FF FF 3C ?????? 94 ?????? D8 ?????? 00000000 FF FF FF FF B8 ?????? D4 ?????? 0000000000000000000000000000000000000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000000000 45 78 69 74 50 72 6F 63 65 73 73 000000 ?????????????????????????????????????? 00 60 ?????? 70 ?????? 84 ?????? 00000000 75 73 65 72 33 32 2E 64 6C 6C 00000000 4D 65 73 73 61 67 65 42 6F 78 41 }
condition:
$a0
}
rule ShrinkWrapv14 {
meta: author="malware-lu"
strings:
$a0 = { 58 60 8B E8 55 33 F6 68 48 01 ???? E8 49 01 ???? EB }
condition:
$a0 at pe.entry_point
}
rule UnknownbySMT {
meta: author="malware-lu"
strings:
$a0 = { 60 BE ???????? 8D BE ???????? 83 ???? 57 EB }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01VOBProtectCD5Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 36 3E 26 8A C0 60 E8 00000000 E9 }
condition:
$a0 at pe.entry_point
}
rule SimplePack10Xbagie {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5B 8D 5B FA 6A 00 FF 93 ???? 0000 89 C5 8B 7D 3C 8D 74 3D 00 8D BE F8 000000 8B 86 88 000000 09 C0 }
condition:
$a0 at pe.entry_point
}
rule ThemidaWinLicenseV18XV19XOreansTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 60 0B C0 74 68 E8 00000000 58 05 53 000000 80 38 E9 75 13 61 EB 45 DB 2D ???????? FF FF FF FF FF FF FF FF 3D ???????? 0000 58 25 00 F0 FF FF 33 FF 66 BB ???? 66 83 ???? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ???????? 83 C3 ?? 39 1A 74 07 2D ???????? EB DA 8B F8 B8 ???????? 03 C7 B9 ???????? 03 CF EB 0A B8 ???????? B9 ???????? 50 51 E8 ???????? E8 ???????? 58 2D ???????? B9 ???????? C6 00 E9 83 E9 05 89 48 01 61 E9 }
condition:
$a0 at pe.entry_point
}
rule EXEjoinerAmok {
meta: author="malware-lu"
strings:
$a0 = { A1 14 A1 40 00 C1 E0 02 A3 18 A1 40 }
condition:
$a0 at pe.entry_point
}
rule EmbedPEv124cyclotron {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 50 60 68 ???????? E8 CB FF 0000 }
condition:
$a0 at pe.entry_point
}
rule tElockv04xv05x {
meta: author="malware-lu"
strings:
$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00000000 5E 83 C6 ?? 8B FE 68 79 01 ???? 59 EB 01 }
condition:
$a0 at pe.entry_point
}
rule Armadillov301v305 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 0F }
condition:
$a0 at pe.entry_point
}
rule DingBoysPElockv007 {
meta: author="malware-lu"
strings:
$a0 = { 55 57 56 52 51 53 E8 00000000 5D 8B D5 81 ED 23 35 40 00 }
condition:
$a0 at pe.entry_point
}
rule mPack003DeltaAziz {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 33 C0 89 45 F0 B8 A8 76 00 10 E8 67 C4 FF FF 33 C0 55 68 C2 78 00 10 64 FF 30 64 89 20 8D 55 F0 33 C0 E8 93 C8 FF FF 8B 45 F0 E8 87 CB FF FF A3 08 A5 00 10 33 C0 55 68 A5 78 00 10 64 FF 30 64 89 20 A1 08 A5 00 10 E8 FA C9 FF FF 83 F8 FF 75 0A E8 88 B2 FF FF E9 1B 01 0000 C7 05 14 A5 00 10 32 000000 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 C9 C9 FF FF BA 14 A5 00 10 A1 08 A5 00 10 B9 04 000000 E8 C5 C9 FF FF 83 3D 14 A5 00 10 32 77 0A E8 47 B2 FF FF E9 DA 000000 A1 08 A5 00 10 8B 15 14 A5 00 10 E8 92 C9 FF FF BA 18 A5 }
condition:
$a0 at pe.entry_point
}
rule SixtoFourv10 {
meta: author="malware-lu"
strings:
$a0 = { 50 55 4C 50 83 ???? FC BF ???? BE ???? B5 ?? 57 F3 A5 C3 33 ED }
condition:
$a0 at pe.entry_point
}
rule FreeJoinerSmallbuild029GlOFF {
meta: author="malware-lu"
strings:
$a0 = { 50 32 C4 8A C3 58 E8 DE FD FF FF 6A 00 E8 0D 000000 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
condition:
$a0 at pe.entry_point
}
rule ThemidaWinLicenseV1XNoCompressionSecureEngineOreansTechnologies {
meta: author="malware-lu"
strings:
$a0 = { 8B C5 8B D4 60 E8 00000000 5D 81 ED ???????? 89 95 ???????? 89 B5 ???????? 89 85 ???????? 83 BD ?????????? 74 0C 8B E8 8B E2 B8 01 000000 C2 0C 00 8B 44 24 24 89 85 ???????? 6A 45 E8 A3 000000 68 9A 74 83 07 E8 DF 000000 68 25 4B 89 0A E8 D5 000000 E9 ???????? 0000000000000000000000000000000000000000 }
condition:
$a0
}
rule WinUpackv030betaByDwing {
meta: author="malware-lu"
strings:
$a0 = { E9 ???????? 42 79 44 77 69 6E 67 40 000000 50 45 0000 }
$a1 = { E9 ???????? 42 79 44 77 69 6E 67 40 000000 50 45 0000 4C 01 02 }
condition:
$a0 or $a1
}
rule Armadillov260b2 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 90 ?????? 68 24 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 60 ?????? 33 D2 8A D4 89 15 3C }
condition:
$a0 at pe.entry_point
}
rule Armadillov260b1 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 50 ?????? 68 74 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?????? 33 D2 8A D4 89 15 FC }
condition:
$a0 at pe.entry_point
}
rule ExeLockerv10IonIce {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 60 8B 6C 24 20 81 ED 05 000000 3E 8F 85 6C 000000 3E 8F 85 68 000000 3E 8F 85 64 000000 3E 8F 85 60 000000 3E 8F 85 5C 000000 3E 8F 85 58 000000 3E 8F 85 54 0000 }
condition:
$a0 at pe.entry_point
}
rule RLPackV10betaap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 0000 8D 9D 13 01 0000 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
condition:
$a0 at pe.entry_point
}
rule PellesC300400450EXEX86CRTDLL {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 6A FF 68 ???????? 68 ???????? 64 FF 35 ???????? 64 89 25 ???????? 83 EC ?? 53 56 57 89 65 E8 C7 45 FC ???????? 68 ???????? E8 ???????? 59 BE ???????? EB }
condition:
$a0 at pe.entry_point
}
rule BeRoEXEPackerv100LZBRRBeRoFarbrausch {
meta: author="malware-lu"
strings:
$a0 = { 60 BE ???????? BF ???????? FC B2 80 33 DB A4 B3 02 E8 ???????? 73 F6 33 C9 E8 ???????? 73 1C 33 C0 E8 ???????? 73 23 B3 02 41 B0 10 }
condition:
$a0 at pe.entry_point
}
rule Armadillov190a {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 64 FF 68 10 F2 40 00 68 14 9B 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule WWPACKv305c4Modified {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 B9 ???? 51 06 06 B1 ?? 51 8C D3 }
condition:
$a0 at pe.entry_point
}
rule APatchGUIv11 {
meta: author="malware-lu"
strings:
$a0 = { 52 31 C0 E8 FF FF FF FF }
condition:
$a0 at pe.entry_point
}
rule ExeSafeguardv10simonzh {
meta: author="malware-lu"
strings:
$a0 = { C0 5D EB 4E EB 47 DF 69 4E 58 DF 59 74 F3 EB 01 DF 75 EE 9A 59 9C 81 C1 E2 FF FF FF EB 01 DF 9D FF E1 E8 51 E8 EB FF FF FF DF 22 3F 9A C0 81 ED 19 18 40 00 EB 48 EB 47 DF 69 4E 58 DF 59 79 EE EB 01 DF 78 E9 DF 59 9C 81 C1 E5 FF FF FF 9D FF E1 EB 51 E8 EE }
condition:
$a0
}
rule PseudoSigner01CDCopsIIAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 53 60 BD 90909090 8D 45 90 8D 5D 90 E8 00000000 8D 01 E9 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakeVIRUSIWormHybrisFEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 EB 16 A8 54 0000 47 41 42 4C 4B 43 47 43 000000000000 52 49 53 00 FC 68 4C 70 40 00 FF 15 }
condition:
$a0 at pe.entry_point
}
rule Obsidium1322ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 04 ???????? E8 2A 000000 EB 03 ?????? EB 04 ???????? 8B 54 24 0C EB 02 ???? 83 82 B8 000000 26 EB 04 ???????? 33 C0 EB 02 ???? C3 EB 01 ?? EB 03 ?????? 64 67 FF 36 0000 EB 02 ???? 64 67 89 26 0000 EB 02 ???? EB 01 ?? 50 EB 04 ???????? 33 C0 EB 04 ???????? 8B 00 EB 02 ???? C3 EB 03 ?????? E9 FA 000000 EB 04 ???????? E8 D5 FF FF FF EB 02 ???? EB 04 ???????? 58 EB 01 ?? EB 01 ?? 64 67 8F 06 0000 EB 01 ?? 83 C4 04 EB 04 }
condition:
$a0 at pe.entry_point
}
rule PrivateEXEProtector20SetiSoft {
meta: author="malware-lu"
strings:
$a0 = { 89 ???? 38 000000 8B ?? 00000000 81 ?????????? 89 ?? 00000000 81 ?? 04 000000 81 ?? 04 000000 81 ?? 00000000 0F 85 D6 FF FF FF }
condition:
$a0
}
rule NTkrnlSecureSuite01015DLLNTkrnlSoftware {
meta: author="malware-lu"
strings:
$a0 = { 000000000000000000000000 34 10 0000 28 10 00000000000000000000000000000000000000000000 ???????????????? 00000000 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 8B 44 24 04 05 ???????? 50 E8 01 000000 C3 C3 }
condition:
$a0
}
rule UPXHiTv001DJSiba {
meta: author="malware-lu"
strings:
$a0 = { 94 BC ?????? 00 B9 ?? 000000 80 34 0C ?? E2 FA 94 FF E0 61 }
condition:
$a0
}
rule Vpackerttui {
meta: author="malware-lu"
strings:
$a0 = { 89 C6 C7 45 E0 01 000000 F7 03 0000 FF FF 75 18 0F B7 03 50 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 EB 13 53 8B 45 D8 50 FF 55 F8 89 07 8B C3 E8 ?? FE FF FF 8B D8 83 C7 04 FF 45 E0 4E 75 C4 8B F3 83 3E 00 75 88 8B 45 E4 8B 40 10 03 45 DC 8B 55 14 83 C2 20 89 02 68 00 80 0000 6A 00 8B 45 D4 50 FF 55 EC 8B 55 DC 8B 42 3C 03 45 DC 83 C0 04 8B D8 83 C3 14 8D 45 E0 50 6A 40 68 00 10 0000 52 FF 55 E8 8D 43 60 }
condition:
$a0
}
rule IProtect10FxlibdllmodebyFuXdas {
meta: author="malware-lu"
strings:
$a0 = { EB 33 2E 46 55 58 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 46 78 4C 69 62 2E 64 6C 6C 000000000000000000000000000000000000000000 ?????? 00 60 E8 00000000 5D 81 ED 71 10 40 00 FF 74 24 20 E8 40 000000 0B C0 74 2F 89 85 63 10 40 00 8D 85 3C 10 40 00 50 FF B5 63 10 40 00 E8 92 000000 0B C0 74 13 89 85 5F 10 40 00 8D 85 49 10 40 00 50 FF 95 5F 10 40 00 8B 85 67 10 40 00 89 44 24 1C 61 FF E0 8B 7C 24 04 8D 85 00 10 40 00 50 64 FF 35 00000000 8D 85 53 10 40 00 89 20 89 68 04 8D 9D 0A 11 40 00 89 58 08 64 89 25 00000000 81 E7 0000 FF FF 66 81 3F 4D 5A 75 0F 8B F7 03 76 3C 81 3E 50 45 0000 75 02 EB 17 81 EF 0000 01 00 81 FF 000000 70 73 07 BF 0000 F7 BF EB 02 EB D3 97 64 8F 05 00000000 83 C4 04 C2 04 00 8D 85 00 10 40 00 50 64 FF 35 00000000 8D 85 53 10 40 00 89 20 89 68 04 8D 9D 0A 11 40 00 89 58 08 64 89 25 00000000 8B 74 24 0C 66 81 3E 4D 5A 74 05 E9 8A 000000 03 76 3C 81 3E 50 45 0000 74 02 EB 7D 8B 7C 24 10 B9 96 000000 32 C0 F2 AE 8B CF 2B 4C 24 10 8B 56 78 03 54 24 0C 8B 5A 20 03 5C 24 0C 33 C0 8B 3B 03 7C 24 0C 8B 74 24 10 51 F3 A6 75 05 83 C4 04 EB 0A 59 83 C3 04 40 3B 42 18 75 E2 3B 42 18 75 02 EB 35 8B 72 24 03 74 24 0C 52 BB 02 000000 33 D2 F7 E3 5A 03 C6 33 C9 66 8B 08 8B 7A 1C 33 D2 BB 04 000000 8B C1 F7 E3 03 44 24 0C 03 C7 8B 00 03 44 24 0C EB 02 33 C0 64 8F 05 00000000 83 C4 04 C2 08 00 E8 FA FD FF FF }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02DxPack10Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 8B FD 81 ED 90909090 2B B9 00000000 81 EF 90909090 83 BD 9090909090 0F 84 00000000 }
condition:
$a0 at pe.entry_point
}
rule SecureEXE30ZipWorx {
meta: author="malware-lu"
strings:
$a0 = { E9 B8 000000 ?????? 00 ?????? 00 ?????? 000000000000 }
condition:
$a0 at pe.entry_point
}
rule eXPressorv12CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { 45 78 50 72 2D 76 2E 31 2E 32 2E }
$a1 = { 55 8B EC 81 EC D4 01 0000 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ???????? 2B 05 84 ?????? A3 ???????? 83 3D ???????? 00 74 16 A1 ???????? 03 05 80 ?????? 89 85 54 FE FF FF E9 ?? 07 0000 C7 05 ???????? 01 000000 68 04 }
$a2 = { 55 8B EC 81 EC D4 01 0000 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ???????? 2B 05 84 ?????? A3 ???????? 83 3D ???????? 00 74 16 A1 ???????? 03 05 80 ?????? 89 85 54 FE FF FF E9 ?? 07 0000 C7 05 ???????? 01 000000 68 04 01 0000 8D 85 F0 FE FF FF 50 6A 00 FF 15 }
condition:
$a0 or $a1 at pe.entry_point or $a2 at pe.entry_point
}
rule NullsoftPIMPInstallSystemv13x {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC ???? 0000 56 57 6A ?? BE ???????? 59 8D BD }
condition:
$a0 at pe.entry_point
}
rule Enigmaprotector110111VladimirSukhov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 83 ED 06 81 ED ?????????????????????????????????????????????????????????????????????? E8 01 000000 9A 83 C4 04 EB 02 FF 35 60 E8 24 0000000000 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 000000 03 31 }
$a1 = { 60 E8 00000000 5D 83 ED 06 81 ED ?????????????????????????????????????????????????????????????????????? E8 01 000000 9A 83 C4 04 EB 02 FF 35 60 E8 24 0000000000 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 000000 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00000000 EB 02 C1 90 58 61 EB 01 3E EB ?????????????????????????????????????????????????????????????????????????????????? E8 01 000000 9A 83 C4 04 01 E8 ?????????????????????????????????????????????????????????????? E8 01 000000 9A 83 C4 04 05 F6 01 0000 ?????????????????????????????????????????????????????????????? E8 01 000000 9A 83 C4 04 B9 3D 1A }
condition:
$a0 or $a1
}
rule PECompactv140b5v140b6 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 9090 01 85 9E A0 40 ?? BB 8A 11 }
condition:
$a0 at pe.entry_point
}
rule VxExplosion1000 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E 1E 06 50 81 ?????? 56 FC B8 21 35 CD 21 2E ???????? 2E ???????? 26 ???????????? 74 ?? 8C D8 48 8E D8 }
condition:
$a0 at pe.entry_point
}
rule PKZIPSFXv11198990 {
meta: author="malware-lu"
strings:
$a0 = { FC 2E 8C 0E ???? A1 ???? 8C CB 81 C3 ???? 3B C3 72 ?? 2D ???? 2D ???? FA BC ???? 8E D0 FB }
condition:
$a0 at pe.entry_point
}
rule PEBundlev20b5v23 {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ???? 40 ?? 87 DD 01 AD ???????? 01 AD }
condition:
$a0 at pe.entry_point
}
rule PUNiSHERV15DemoFEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00000000 }
condition:
$a0 at pe.entry_point
}
rule HACKSTOPv110v111 {
meta: author="malware-lu"
strings:
$a0 = { B4 30 CD 21 86 E0 3D ???? 73 ?? B4 2F CD 21 B0 ?? B4 4C CD 21 50 B8 ???? 58 EB }
condition:
$a0 at pe.entry_point
}
rule Obsidium1336ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 04 ???????? E8 28 000000 EB 01 ?????????????? 8B 54 24 0C EB 01 ?? 83 82 B8 000000 26 EB 04 ???????? 33 C0 EB 01 ?? C3 EB 03 ?????? EB 04 ???????? 64 67 FF 36 0000 EB 04 ???????? 64 67 89 26 0000 EB 03 ?????? EB 04 ???????? 50 EB 01 ?? 33 C0 EB 02 ???? 8B 00 EB 04 ???????? C3 EB 04 ???????? E9 FA 000000 EB 03 ?????? E8 D5 FF FF FF EB 01 ?? EB 03 ?????? 58 EB 02 ???? EB 04 ???????? 64 67 8F 06 0000 EB 04 }
condition:
$a0
}
rule DualseXeEncryptor10bDual {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 00 05 0000 E8 00000000 5D 81 ED 0E 000000 8D 85 3A 04 0000 89 28 33 FF 8D 85 80 03 0000 8D 8D 3A 04 0000 2B C8 8B 9D 8A 04 0000 E8 24 02 0000 8D 9D 58 03 0000 8D B5 7F 03 0000 46 80 3E 00 74 24 56 FF 95 58 05 0000 46 80 3E 00 75 FA 46 80 3E 00 74 E7 50 56 50 FF 95 5C 05 0000 89 03 58 83 C3 04 EB E3 8D 85 69 02 0000 FF D0 8D 85 56 04 0000 50 68 1F 00 02 00 6A 00 8D 85 7A 04 0000 50 }
condition:
$a0 at pe.entry_point
}
rule MarjinZEXEScramblerSEbyMarjinZ {
meta: author="malware-lu"
strings:
$a0 = { E8 A3 02 0000 E9 35 FD FF FF FF 25 C8 20 00 10 6A 14 68 C0 21 00 10 E8 E4 01 0000 FF 35 7C 33 00 10 8B 35 8C 20 00 10 FF D6 59 89 45 E4 83 F8 FF 75 0C FF 75 08 FF 15 88 20 00 10 59 EB 61 6A 08 E8 02 03 0000 59 83 65 FC 00 FF 35 7C 33 00 10 FF D6 89 45 E4 FF 35 78 33 00 10 FF D6 89 45 E0 8D 45 E0 50 8D 45 E4 50 FF 75 08 E8 D1 02 0000 89 45 DC FF 75 E4 8B 35 74 20 00 10 FF D6 A3 7C 33 00 10 FF 75 E0 FF D6 83 C4 1C A3 78 33 00 10 C7 45 FC FE FF FF FF E8 09 000000 8B 45 DC E8 A0 01 0000 C3 }
condition:
$a0
}
rule nPack111502006BetaNEOx {
meta: author="malware-lu"
strings:
$a0 = { 83 3D ?????????? 75 05 E9 01 000000 C3 E8 41 000000 B8 ???????? 2B 05 ???????? A3 ???????? E8 5E 000000 E8 E0 01 0000 E8 EC 06 0000 E8 F7 05 0000 A1 ???????? C7 05 ???????????????? 01 05 ???????? FF 35 ???????? C3 C3 56 57 68 ???????? FF 15 ???????? 8B 35 ???????? 8B F8 68 ???????? 57 FF D6 68 ???????? 57 A3 ???????? FF D6 5F A3 ???????? 5E C3 }
condition:
$a0 at pe.entry_point
}
rule DingBoysPElockPhantasmv15b3 {
meta: author="malware-lu"
strings:
$a0 = { 9C 55 57 56 52 51 53 9C FA E8 00000000 5D 81 ED 5B 53 40 00 B0 }
condition:
$a0 at pe.entry_point
}
rule ShellModify01pll621 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 98 66 41 00 68 3C 3D 41 00 64 A1 00000000 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01MacromediaFlashProjector60Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090 68 ???????? 67 64 FF 36 0000 67 64 89 26 0000 F1 90909090 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C E9 }
condition:
$a0 at pe.entry_point
}
rule Packman0001Bubbasoft {
meta: author="malware-lu"
strings:
$a0 = { 0F 85 ?? FF FF FF 8D B3 ???????? EB 3D 8B 46 0C 03 C3 50 FF 55 00 56 8B 36 0B F6 75 02 8B F7 03 F3 03 FB EB 1B D1 C1 D1 E9 73 05 0F B7 C9 EB 05 03 CB 8D 49 02 50 51 50 FF 55 04 AB 58 83 C6 04 8B 0E 85 C9 75 DF 5E 83 C6 14 8B 7E 10 85 FF 75 BC 8D 8B 00 }
condition:
$a0
}
rule aPackv098bDSESnotsaved {
meta: author="malware-lu"
strings:
$a0 = { 8C CB BA ???? 03 DA FC 33 F6 33 FF 4B 8E DB 8D ?????? 8E C0 B9 ???? F3 A5 4A 75 }
condition:
$a0
}
rule ASProtectvIfyouknowthisversionpostonPEiDboardh2 {
meta: author="malware-lu"
strings:
$a0 = { 90 60 E8 03 000000 E9 EB 04 5D 45 55 C3 E8 01 000000 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ???? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 0000 8D 45 35 50 E9 82 00000000000000000000000000000000 }
condition:
$a0
}
rule Aluwainv809 {
meta: author="malware-lu"
strings:
$a0 = { 8B EC 1E E8 ???? 9D 5E }
condition:
$a0 at pe.entry_point
}
rule AntiDote12DLLDemoSISTeam {
meta: author="malware-lu"
strings:
$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90909090909090909090 80 7C 24 08 01 0F 85 ???????? 60 BE ???????? 8D BE ???????? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 08 8A 06 46 83 F0 FF 74 74 89 C5 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 75 20 41 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C9 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 83 C1 02 81 FD 00 F3 FF FF 83 D1 01 8D 14 2F 83 FD FC 76 0F 8A 02 42 88 07 47 49 75 F7 E9 63 FF FF FF 90 8B 02 83 C2 04 89 07 83 C7 04 83 E9 04 77 F1 01 CF E9 4C FF FF FF }
condition:
$a0
}
rule MSLRHv032afakeMicrosoftVisualCemadicius {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00000000 50 64 89 25 00000000 64 8F 05 00000000 83 C4 0C 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
condition:
$a0 at pe.entry_point
}
rule SoftwareCompressV12BGSoftwareProtectTechnologies {
meta: author="malware-lu"
strings:
$a0 = { E9 BE 000000 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 0000 }
condition:
$a0 at pe.entry_point
}
rule Themida1201OreansTechnologies {
meta: author="malware-lu"
strings:
$a0 = { 8B C5 8B D4 60 E8 00000000 5D 81 ED ???? 35 09 89 95 ???? 35 09 89 B5 ???? 35 09 89 85 ???? 35 09 83 BD ???? 35 09 00 74 0C 8B E8 8B E2 B8 01 000000 C2 0C 00 8B 44 24 24 89 85 ???? 35 09 6A 45 E8 A3 000000 68 9A 74 83 07 E8 DF 000000 68 25 }
condition:
$a0
}
rule PECompactv126b1v126b2 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? 05 0E }
condition:
$a0 at pe.entry_point
}
rule Cruncherv10 {
meta: author="malware-lu"
strings:
$a0 = { 2E ???????? 2E ?????? B4 30 CD 21 3C 03 73 ?? BB ???? 8E DB 8D ?????? B4 09 CD 21 06 33 C0 50 CB }
condition:
$a0 at pe.entry_point
}
rule AntiDote1214SEDLLSISTeam {
meta: author="malware-lu"
strings:
$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 08 32 90909090909090909090 80 7C 24 08 01 0F 85 ???????? 60 BE ???????? 8D BE ???????? 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC 11 DB }
condition:
$a0 at pe.entry_point
}
rule ASProtectSKE21xexeAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 90 60 E8 03 000000 E9 EB 04 5D 45 55 C3 E8 01 000000 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?????? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 0000 8D 45 35 50 E9 82 00000000000000000000000000000000 }
condition:
$a0
}
rule DBPEv210DingBoy {
meta: author="malware-lu"
strings:
$a0 = { EB 20 ???????????????????????????????????????????????????????????????? 9C 55 57 56 52 51 53 9C E8 ???????? 5D 81 ED ???????? EB 58 75 73 65 72 33 32 2E 64 6C 6C ?? 4D 65 73 73 61 67 65 42 6F 78 41 ?? 6B 65 72 6E 65 6C }
condition:
$a0 at pe.entry_point
}
rule NsPacKV37LiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D 83 ED 07 8D ?????????? 80 39 01 0F ?????? 0000 }
condition:
$a0 at pe.entry_point
}
rule tElock099tE {
meta: author="malware-lu"
strings:
$a0 = { E9 5E DF FF FF 000000 ???????? E5 ???? 000000000000000000 05 }
condition:
$a0 at pe.entry_point
}
rule WinZipSelfExtractor22personaleditionWinZipComputing {
meta: author="malware-lu"
strings:
$a0 = { 53 FF 15 58 70 40 00 B3 22 38 18 74 03 80 C3 FE 40 33 D2 8A 08 3A CA 74 10 3A CB 74 07 40 8A 08 3A CA 75 F5 38 10 74 01 40 52 50 52 52 FF 15 5C 70 40 00 50 E8 15 FB FF FF 50 FF 15 8C 70 40 00 5B }
condition:
$a0 at pe.entry_point
}
rule ZipWorxSecureEXEv25ZipWORXTechnologiesLLC {
meta: author="malware-lu"
strings:
$a0 = { E9 B8 000000 ???????????????????????? 0000000000 ???????????????????? 00 53 65 63 75 72 65 45 58 45 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 28 63 29 20 32 30 }
condition:
$a0 at pe.entry_point
}
rule RLPackFullEdition117iBoxaPLibAp0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 ?????????????????????????????? 8D B5 79 29 0000 8D 9D 2C 03 0000 33 FF ?????????????????????????????? EB 0F FF 74 37 04 FF 34 }
condition:
$a0 at pe.entry_point
}
rule Alloyv1x2000 {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 ?? 87 DD 6A 04 68 ?? 10 ???? 68 ?? 02 ???? 6A ?? FF 95 46 23 40 ?? 0B }
condition:
$a0 at pe.entry_point
}
rule FreeJoiner153Stubengine171GlOFF {
meta: author="malware-lu"
strings:
$a0 = { E8 02 FD FF FF 6A 00 E8 0D 000000 CC FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A8 10 40 00 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02MicrosoftVisualC70DLLAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 8D 6C 01 00 81 EC 00000000 8B 45 90 83 F8 01 56 0F 84 00000000 85 C0 0F 84 }
condition:
$a0 at pe.entry_point
}
rule EYouDiDaiYueHeiFengGao {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B8 ???????? E8 ???????? 53 56 57 0F 31 8B D8 0F 31 8B D0 2B D3 C1 EA 10 B8 ???????? 0F 6E C0 B8 ???????? 0F 6E C8 0F F5 C1 0F 7E C0 0F 77 03 C2 ?????????? FF E0 }
condition:
$a0 at pe.entry_point
}
rule EXECryptorV21Xsoftcompletecom {
meta: author="malware-lu"
strings:
$a0 = { 83 C6 14 8B 55 FC E9 ?? FF FF FF }
$a1 = { E9 ???????? 66 9C 60 50 8D 88 ???????? 8D 90 04 16 ???? 8B DC 8B E1 }
condition:
$a0 or $a1 at pe.entry_point
}
rule PCShrinkerv045 {
meta: author="malware-lu"
strings:
$a0 = { BD ???????? 01 AD E3 38 40 ?? FF B5 DF 38 40 }
condition:
$a0 at pe.entry_point
}
rule yodasProtectorV1033AshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { E8 03 000000 EB 01 ?? BB 55 000000 E8 03 000000 EB 01 ?? E8 8E 000000 E8 03 000000 EB 01 ?? E8 81 000000 E8 03 000000 EB 01 ?? E8 B7 000000 E8 03 000000 EB 01 ?? E8 AA 000000 E8 03 000000 EB 01 ?? 83 FB 55 E8 03 000000 EB 01 ?? 75 2D E8 03 000000 EB 01 ?? 60 E8 00000000 5D 81 ED 07 E2 40 00 8B D5 81 C2 56 E2 40 00 52 E8 01 000000 C3 C3 E8 03 000000 EB 01 ?? E8 0E 000000 E8 D1 FF FF FF C3 E8 03 000000 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 000000 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 }
condition:
$a0 at pe.entry_point
}
rule SoftSentryv211 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 EC ?? 53 56 57 E9 50 }
condition:
$a0 at pe.entry_point
}
rule FSGv120EngdulekxtBorlandDelphiBorlandC {
meta: author="malware-lu"
strings:
$a0 = { 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ???? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 000000 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakeStonesPEEncryptor20FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 53 51 52 56 57 55 E8 00000000 5D 81 ED 42 30 40 00 FF 95 32 35 40 00 B8 37 30 40 00 03 C5 2B 85 1B 34 40 00 89 85 27 34 40 00 83 }
condition:
$a0 at pe.entry_point
}
rule Armadillov300 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 60 33 C9 }
condition:
$a0 at pe.entry_point
}
rule RCryptorv11Vaska {
meta: author="malware-lu"
strings:
$a0 = { 8B 04 24 83 E8 4F 68 ???????? FF D0 }
$a1 = { 8B 04 24 83 E8 4F 68 ???????? FF D0 B8 ???????? 3D ???????? 74 06 80 30 ?? 40 EB F3 }
condition:
$a0 or $a1
}
rule Fusion10jaNooNi {
meta: author="malware-lu"
strings:
$a0 = { 68 04 30 40 00 68 04 30 40 00 E8 09 03 0000 68 04 30 40 00 E8 C7 02 0000 }
condition:
$a0 at pe.entry_point
}
rule UpxLock1012CyberDoomTeamXBoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 48 12 40 00 60 E8 2B 03 0000 61 }
condition:
$a0 at pe.entry_point
}
rule PCPEEncryptorAlphapreview {
meta: author="malware-lu"
strings:
$a0 = { 53 51 52 56 57 55 E8 00000000 5D 8B CD 81 ED 33 30 40 ?? 2B 8D EE 32 40 00 83 E9 0B 89 8D F2 32 40 ?? 80 BD D1 32 40 ?? 01 0F 84 }
condition:
$a0 at pe.entry_point
}
rule VxKeypress1212 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? E8 ???? E8 ???? E8 ???????? E8 ???????? E8 ???????? EA ???????? 1E 33 DB 8E DB BB }
condition:
$a0 at pe.entry_point
}
rule SoftwareCompressv12BGSoftwareProtectTechnologies {
meta: author="malware-lu"
strings:
$a0 = { E9 BE 000000 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 000000 73 F6 33 C9 E8 64 000000 73 1C 33 C0 E8 5B 000000 73 23 B3 02 41 B0 10 E8 4F 000000 12 C0 73 F7 75 3F AA EB D4 E8 4D 000000 2B CB 75 10 E8 42 000000 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 000000 3D 00 7D 0000 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 1A 0F 41 00 89 44 24 1C 61 C2 04 00 E8 00000000 81 2C 24 3A 10 41 00 5D E8 00000000 81 2C 24 31 01 0000 8B 85 2A 0F 41 00 29 04 24 }
condition:
$a0 at pe.entry_point
}
rule NsPackV14LiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 B1 85 40 00 2D AA 85 40 00 }
condition:
$a0 at pe.entry_point
}
rule VProtectorV11Avcasm {
meta: author="malware-lu"
strings:
$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 000000 8B 44 24 04 8B 00 3D 04 0000 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00000000 }
condition:
$a0 at pe.entry_point
}
rule Obsidium1300ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 04 ???????? E8 29 000000 EB 02 ???? EB 01 ?? 8B 54 24 0C EB 02 ???? 83 82 B8 000000 22 EB 02 ???? 33 C0 EB 04 ???????? C3 EB 04 ???????? EB 04 ???????? 64 67 FF 36 0000 EB 04 ???????? 64 67 89 26 0000 EB 04 ???????? EB 01 ?? 50 EB 03 ?????? 33 C0 EB 02 ???? 8B 00 EB 01 ?? C3 EB 04 ???????? E9 FA 000000 EB 01 ?? E8 D5 FF FF FF EB 02 ???? EB 03 ?????? 58 EB 04 ???????? EB 01 ?? 64 67 8F 06 0000 EB 02 ???? 83 C4 04 EB 02 ???? E8 47 26 0000 }
condition:
$a0 at pe.entry_point
}
rule XXPack01bagie {
meta: author="malware-lu"
strings:
$a0 = { E8 04 000000 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00000000 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 0000 EB 00 68 00 ?????? C3 }
condition:
$a0 at pe.entry_point
}
rule ExeLocker10IonIce {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 60 8B 6C 24 20 81 ED 05 000000 }
condition:
$a0 at pe.entry_point
}
rule yodasProtectorV101AshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 56 57 E8 03 000000 EB 01 ?? E8 86 000000 E8 03 000000 EB 01 ?? E8 79 000000 E8 03 000000 EB 01 ?? E8 A4 000000 E8 03 000000 EB 01 ?? E8 97 000000 E8 03 000000 EB 01 ?? E8 2D 000000 E8 03 000000 EB 01 ?? 60 E8 00000000 5D 81 ED D5 E4 41 00 8B D5 81 C2 23 E5 41 00 52 E8 01 000000 C3 C3 E8 03 000000 EB 01 ?? E8 0E 000000 E8 D1 FF FF FF C3 E8 03 000000 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 000000 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 }
condition:
$a0 at pe.entry_point
}
rule ASPackv2001AlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 72 05 0000 EB 4C }
condition:
$a0 at pe.entry_point
}
rule USERNAMEv300 {
meta: author="malware-lu"
strings:
$a0 = { FB 2E ???????? 2E ???????? 2E ???????? 2E ???????? 8C C8 2B C1 8B C8 2E ???????? 2E ???????? 33 C0 8E D8 06 0E 07 FC 33 F6 }
condition:
$a0 at pe.entry_point
}
rule nSpackV2xLiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 07 000000 2B E8 8D B5 }
condition:
$a0
}
rule GameGuardv20065xxdllsignbyhot_UNP {
meta: author="malware-lu"
strings:
$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 BA 4C 000000 80 7C 24 08 01 0F 85 ?? 01 0000 60 BE 00 }
condition:
$a0 at pe.entry_point
}
rule Upack_PatchoranyVersionDwing {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 09 000000 ?????? 00 E9 06 02 }
condition:
$a0 at pe.entry_point
}
rule PCPECalpha {
meta: author="malware-lu"
strings:
$a0 = { 53 51 52 56 57 55 E8 ???????? 5D 8B CD 81 ?????????? 2B ?????????? 83 }
condition:
$a0 at pe.entry_point
}
rule WWPACKv305c4Unextractable {
meta: author="malware-lu"
strings:
$a0 = { 03 05 00 1B B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 B9 ???? 51 06 06 B1 ?? 51 8C D3 }
condition:
$a0 at pe.entry_point
}
rule Escargot01finalMeat {
meta: author="malware-lu"
strings:
$a0 = { EB 04 40 30 2E 31 60 68 61 ?????? 64 FF 35 00000000 64 89 25 00000000 B8 92 ?????? 8B 00 FF D0 50 B8 CD ?????? 81 38 DE C0 37 13 75 2D 68 C9 ?????? 6A 40 68 00 ?? 0000 68 0000 ???? B8 96 ?????? 8B 00 FF D0 8B 44 24 F0 8B 4C 24 F4 EB 05 49 C6 04 01 40 0B C9 75 F7 BE 00 10 ???? B9 00 ???? 00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ???????? E9 AC 000000 8B 46 0C BB 0000 ???? 03 C3 50 50 }
condition:
$a0 at pe.entry_point
}
rule MetrowerksCodeWarriorv20GUI {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 53 56 83 EC 44 55 B8 FF FF FF FF 50 50 68 ???? 40 00 64 FF 35 00000000 64 89 25 00000000 68 ???????????????????????? E8 ???? 0000 E8 ???? 0000 E8 }
condition:
$a0
}
rule UnnamedScrambler21Beta211p0ke {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B9 15 000000 6A 00 6A 00 49 75 F9 53 56 57 B8 ?? 3A ???? E8 ?? EE FF FF 33 C0 55 68 ?? 43 ???? 64 FF 30 64 89 20 BA ?? 43 ???? B8 E4 64 ???? E8 0F FD FF FF 8B D8 85 DB 75 07 6A 00 E8 ?? EE FF FF BA E8 64 ???? 8B C3 8B 0D E4 64 ???? E8 ?? D7 FF FF B8 F8 ?????? BA 04 000000 E8 ?? EF FF FF 33 C0 A3 F8 ?????? BB ???????? C7 45 EC E8 64 ???? C7 45 E8 ???????? C7 45 E4 ???????? BE ???????? BF ???????? B8 E0 ?????? BA 04 000000 E8 ?? EF FF FF 68 F4 01 0000 E8 ?? EE FF FF 83 7B 04 00 75 0B 83 3B 00 0F 86 ?? 07 0000 EB 06 0F 8E ?? 07 0000 8B 03 8B D0 B8 E4 ?????? E8 ?? E5 FF FF B8 E4 ?????? E8 ?? E3 FF FF 8B D0 8B 45 EC 8B 0B E8 }
condition:
$a0
}
rule NoodleCryptv20 {
meta: author="malware-lu"
strings:
$a0 = { EB 01 9A E8 3D 000000 EB 01 9A E8 EB 01 0000 EB 01 9A E8 2C 04 0000 EB 01 }
$a1 = { EB 01 9A E8 ?? 000000 EB 01 9A E8 ???? 0000 EB 01 9A E8 ???? 0000 EB 01 }
condition:
$a0 at pe.entry_point or $a1
}
rule PoPa001PackeronPascalbagie {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 A4 3E 00 10 E8 30 F6 FF FF 33 C0 55 68 BE 40 00 10 ???????? 89 20 6A 00 68 80 000000 6A 03 6A 00 6A 01 68 000000 80 8D 55 EC 33 C0 E8 62 E7 FF FF 8B 45 EC E8 32 F2 FF FF 50 E8 B4 F6 FF FF A3 64 66 00 10 33 D2 55 68 93 40 00 10 64 FF 32 64 89 22 83 3D 64 66 00 10 FF 0F 84 3A 01 0000 6A 00 6A 00 6A 00 A1 64 66 00 10 50 E8 9B F6 FF FF 83 E8 10 50 A1 64 66 00 10 50 E8 BC F6 FF FF 6A 00 68 80 66 00 10 6A 10 68 68 66 00 10 A1 64 66 00 10 50 E8 8B F6 FF FF }
condition:
$a0 at pe.entry_point
}
rule BlindSpot10s134k {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 50 02 0000 8D 85 B0 FE FF FF 53 56 A3 90 12 40 00 57 8D 85 B0 FD FF FF 68 00 01 0000 33 F6 50 56 FF 15 24 10 40 00 56 68 80 000000 6A 03 56 56 8D 85 B0 FD FF FF 68 000000 80 50 FF 15 20 10 40 00 56 56 68 00 08 0000 50 89 45 FC FF 15 1C 10 40 00 8D 45 F8 8B 1D 18 10 40 00 56 50 6A 34 FF 35 90 12 40 00 FF 75 FC FF D3 85 C0 0F 84 7F 01 0000 39 75 F8 0F 84 76 01 0000 A1 90 12 40 00 66 8B 40 30 66 3D 01 00 75 14 8D 85 E4 FE FF FF 68 04 01 0000 50 FF 15 14 10 40 00 EB 2C 66 3D 02 00 75 14 8D 85 E4 FE FF FF 50 68 04 01 0000 FF 15 10 10 40 00 EB 12 8D 85 E4 FE FF FF 68 04 01 0000 50 FF 15 0C 10 40 00 8B 3D 08 10 40 00 8D 85 E4 FE FF FF 68 54 10 40 00 50 }
condition:
$a0
}
rule GamehouseMediaProtectorVersionUnknown {
meta: author="malware-lu"
strings:
$a0 = { 68 ???????? 6A 00 FF 15 ???????? 50 FF 15 ?????? 0000000000000000 }
condition:
$a0 at pe.entry_point
}
rule tElockv042 {
meta: author="malware-lu"
strings:
$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00000000 5E 83 C6 52 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 }
condition:
$a0 at pe.entry_point
}
rule EXEStealthv274WebToolMaster {
meta: author="malware-lu"
strings:
$a0 = { EB 00 EB 17 ?????????????????????????????????????????????? 60 90 E8 00000000 5D }
condition:
$a0 at pe.entry_point
}
rule EXEManagerVersion301994cSolarDesigner {
meta: author="malware-lu"
strings:
$a0 = { B4 30 1E 06 CD 21 2E ?????? BF ???? B9 ???? 33 C0 2E ???? 47 E2 }
condition:
$a0 at pe.entry_point
}
rule Upackv02BetaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 88 01 ???? AD 8B F8 95 A5 33 C0 33 }
condition:
$a0 at pe.entry_point
}
rule DEFv100Engbartxt {
meta: author="malware-lu"
strings:
$a0 = { BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 0000 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ???? 40 00 C3 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 }
condition:
$a0 at pe.entry_point
}
rule AnslymCrypter {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A 68 30 1C 05 10 A1 60 56 05 10 50 E8 68 47 FB FF 8B D8 85 DB 0F 84 B6 02 0000 53 A1 60 56 05 10 50 E8 F2 48 FB FF 8B F0 85 F6 0F 84 A0 02 0000 E8 F3 }
condition:
$a0 at pe.entry_point
}
rule ARMProtectorv02SMoKE {
meta: author="malware-lu"
strings:
$a0 = { E8 04 000000 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00000000 5D EB 01 00 81 ED 09 20 40 00 EB 02 83 09 8D B5 9A 20 40 00 EB 02 83 09 BA 0B 12 0000 EB 01 00 8D 8D A5 32 40 00 }
condition:
$a0 at pe.entry_point
}
rule CrypKeyV56XDLLKenonicControlsLtd {
meta: author="malware-lu"
strings:
$a0 = { 8B 1D ???????? 83 FB 00 75 0A E8 ???????? E8 }
condition:
$a0 at pe.entry_point
}
rule PEiDBundlev102v104BoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ?? 000000000000000000000000000000 36 ?????? 2E ?????? 0000000000000000000000000000000000000000 01 0000 80 00000000 4B 65 72 6E 65 6C 33 32 2E 44 }
condition:
$a0 at pe.entry_point
}
rule VxHeloween1172 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E 81 EE ???? 56 50 06 0E 1F 8C C0 01 ???? 01 ???? 80 ???????? 8B ???? A3 ???? 8A ???? A2 ???? B8 ???? CD 21 3D }
condition:
$a0 at pe.entry_point
}
rule PackedwithPKLITEv150withCRCcheck1 {
meta: author="malware-lu"
strings:
$a0 = { 1F B4 09 BA ???? CD 21 B8 ???? CD 21 }
condition:
$a0 at pe.entry_point
}
rule Pe123v2006412 {
meta: author="malware-lu"
strings:
$a0 = { 8B C0 60 9C E8 01 000000 C3 53 E8 72 000000 50 E8 1C 03 0000 8B D8 FF D3 5B C3 8B C0 E8 00000000 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10 8B 7D 0C 8B 75 08 F3 A4 61 5D C2 0C 00 E8 00000000 58 83 E8 05 C3 8B C0 E8 00000000 58 83 C0 05 C3 8B }
condition:
$a0 at pe.entry_point
}
rule DropperCreatorV01Conflict {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 8D 05 ???????? 29 C5 8D 85 ???????? 31 C0 64 03 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 }
condition:
$a0
}
rule XCRv013 {
meta: author="malware-lu"
strings:
$a0 = { 93 71 08 ???????????????? 8B D8 78 E2 ???????? 9C 33 C3 ???????? 60 79 CE ???????? E8 01 ???????? 83 C4 04 E8 AB FF FF FF ???????? 2B E8 ???????? 03 C5 FF 30 ???????? C6 ?? EB }
condition:
$a0 at pe.entry_point
}
rule XCRv012 {
meta: author="malware-lu"
strings:
$a0 = { 60 9C E8 ???????? 8B DD 5D 81 ED ???????? 89 9D }
condition:
$a0 at pe.entry_point
}
rule InnoSetupModulev129 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 EC 89 45 C0 E8 5B 73 FF FF E8 D6 87 FF FF E8 C5 A9 FF FF E8 E0 }
condition:
$a0 at pe.entry_point
}
rule Armadillov3xx {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 }
condition:
$a0 at pe.entry_point
}
rule dUP2xPatcherwwwdiablo2oo2cjbnet {
meta: author="malware-lu"
strings:
$a0 = { 8B CB 85 C9 74 ?? 80 3A 01 74 08 AC AE 75 0A 42 49 EB EF 47 46 42 49 EB E9 }
condition:
$a0
}
rule PseudoSigner02PEProtect09Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 000000 58 83 C0 07 C6 90 C3 }
condition:
$a0 at pe.entry_point
}
rule pscrambler12byp0ke {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B9 04 000000 6A 00 6A 00 49 75 F9 51 53 ???????? 10 E8 2D F3 FF FF 33 C0 55 68 E8 31 00 10 64 FF 30 64 89 20 8D 45 E0 E8 53 F5 FF FF 8B 45 E0 8D 55 E4 E8 30 F6 FF FF 8B 45 E4 8D 55 E8 E8 A9 F4 FF FF 8B 45 E8 8D 55 EC E8 EE F7 FF FF 8B 55 EC B8 C4 54 00 10 E8 D9 EC FF FF 83 3D C4 54 00 10 00 0F 84 05 01 0000 80 3D A0 40 00 10 00 74 41 A1 C4 54 00 10 E8 D9 ED FF FF E8 48 E0 FF FF 8B D8 A1 C4 54 00 10 E8 C8 ED FF FF 50 B8 C4 54 00 10 E8 65 EF FF FF 8B D3 59 E8 69 E1 FF FF 8B C3 E8 12 FA FF FF 8B C3 E8 33 E0 FF FF E9 AD 000000 B8 05 01 0000 E8 0C E0 FF FF 8B D8 53 68 05 01 0000 E8 57 F3 FF FF 8D 45 DC 8B D3 E8 39 ED FF FF 8B 55 DC B8 14 56 00 10 B9 00 32 00 10 E8 BB ED FF FF 8B 15 14 56 00 10 B8 C8 54 00 10 E8 53 E5 FF FF BA 01 000000 B8 C8 54 00 10 E8 8C E8 FF FF E8 DF E0 FF FF 85 C0 75 52 6A 00 A1 C4 54 00 10 E8 3B ED FF FF 50 B8 C4 54 00 10 E8 D8 EE FF FF 8B D0 B8 C8 54 00 10 59 E8 3B E6 FF FF E8 76 E0 FF FF B8 C8 54 00 10 E8 4C E6 FF FF E8 67 E0 FF FF 6A 00 6A 00 6A 00 A1 14 56 00 10 E8 53 EE FF FF 50 6A 00 6A 00 E8 41 F3 FF FF 80 3D 9C 40 00 10 00 74 05 E8 EF FB FF FF 33 C0 5A 59 59 64 89 10 68 EF 31 00 10 8D 45 DC BA 05 000000 E8 7D EB FF FF C3 E9 23 E9 FF FF EB EB 5B E8 63 EA FF FF 000000 FF FF FF FF 08 000000 74 65 6D 70 2E 65 78 65 }
condition:
$a0 at pe.entry_point
}
rule EXECryptor2223compressedcodewwwstrongbitcom {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 58 ?????????? 8B 1C 24 81 EB ???????? B8 ???????? 50 6A 04 68 00 10 0000 50 6A 00 B8 C4 ?????? 8B 04 18 FF D0 59 BA ???????? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ???????? 01 D9 FF D1 58 8B 1C 24 68 00 80 0000 6A 00 50 }
$a1 = { E8 00000000 58 ?????????? 8B 1C 24 81 EB ???????? B8 ???????? 50 6A 04 68 00 10 0000 50 6A 00 B8 C4 ?????? 8B 04 18 FF D0 59 BA ???????? 01 DA 52 53 50 89 C7 89 D6 FC F3 A4 B9 ???????? 01 D9 FF D1 58 8B 1C 24 68 00 80 0000 6A 00 50 B8 C8 ?????? 8B 04 18 FF D0 59 58 5B 83 EB 05 C6 03 B8 43 89 03 83 C3 04 C6 03 C3 09 C9 74 46 89 C3 E8 A0 000000 FC AD 83 F8 FF 74 38 53 89 CB 01 C3 01 0B 83 C3 04 AC 3C FE 73 07 25 FF 000000 EB ED 81 C3 FE 000000 09 C0 7A 09 66 AD 25 FF FF 0000 EB DA AD 4E 25 FF FF FF 00 3D FF FF FF 00 75 CC ?????????? C3 }
condition:
$a0 or $a1
}
rule Armadillov265b1 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 38 ?????? 68 40 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?????? 33 D2 8A D4 89 15 F4 }
condition:
$a0 at pe.entry_point
}
rule RLPackFullEdition117aPLibAp0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 ?????????????????????????????? 8D B5 74 1F 0000 8D 9D 1E 03 0000 33 FF ?????????????????????????????? EB 0F FF 74 37 04 FF 34 }
condition:
$a0 at pe.entry_point
}
rule PolyCryptPE214b215JLabSoftwareCreationshoep {
meta: author="malware-lu"
strings:
$a0 = { 91 8B F4 AD FE C9 80 34 08 ?? E2 FA C3 60 E8 ED FF FF FF EB }
condition:
$a0
}
rule yodasProtector10xAshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 56 57 E8 03 000000 EB 01 }
condition:
$a0 at pe.entry_point
}
rule Upack_UnknownDLLDwing {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 09 000000 17 CD 0000 E9 06 02 }
condition:
$a0 at pe.entry_point
}
rule AINEXEv21 {
meta: author="malware-lu"
strings:
$a0 = { A1 ???? 2D ???? 8E D0 BC ???? 8C D8 36 A3 ???? 05 ???? 36 A3 ???? 2E A1 ???? 8A D4 B1 04 D2 EA FE C9 }
condition:
$a0 at pe.entry_point
}
rule AppProtectorSilentTeam {
meta: author="malware-lu"
strings:
$a0 = { E9 97 000000 0D 0A 53 69 6C 65 6E 74 20 54 65 61 6D 20 41 70 70 20 50 72 6F 74 65 63 74 6F 72 0D 0A 43 72 65 61 74 65 64 20 62 79 20 53 69 6C 65 6E 74 20 53 6F 66 74 77 61 72 65 0D 0A 54 68 65 6E 6B 7A 20 74 6F 20 44 6F 63 68 74 6F 72 20 58 0D 0A 0D 0A }
condition:
$a0 at pe.entry_point
}
rule RODHighTECHAyman {
meta: author="malware-lu"
strings:
$a0 = { 60 8B 15 1D 13 40 00 F7 E0 8D 82 83 19 0000 E8 58 0C 0000 }
condition:
$a0 at pe.entry_point
}
rule ICrypt10byBuGGz {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 70 3B 00 10 E8 3C FA FF FF 33 C0 55 68 6C 3C 00 10 64 FF 30 64 89 20 6A 0A 68 7C 3C 00 10 A1 50 56 00 10 50 E8 D8 FA FF FF 8B D8 53 A1 50 56 00 10 50 E8 0A FB FF FF 8B F8 53 A1 50 56 00 10 50 E8 D4 FA FF FF 8B D8 53 E8 D4 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 64 56 00 10 E8 25 F6 FF FF B8 64 56 00 10 E8 13 F6 FF FF 8B CF 8B D6 E8 E6 FA FF FF 53 E8 90 FA FF FF 8D 4D EC BA 8C 3C 00 10 A1 64 56 00 10 E8 16 FB FF FF 8B 55 EC B8 64 56 00 10 E8 C5 F4 FF FF B8 64 56 00 10 E8 DB F5 FF FF E8 56 FC FF FF 33 C0 5A 59 59 64 89 10 68 73 3C 00 10 8D 45 EC E8 4D F4 FF FF C3 E9 E3 EE FF FF EB F0 5F 5E 5B E8 4D F3 FF FF 00 53 45 54 ???????? 00 FF FF FF FF 08 000000 76 6F 74 72 65 63 6C 65 }
condition:
$a0 at pe.entry_point
}
rule PEPackv099 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 83 ED 06 80 BD E0 04 ???? 01 0F 84 F2 }
condition:
$a0 at pe.entry_point
}
rule RLPackV115V117LZMA430ap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 ???????? 8D 9D ???????? 33 FF E8 83 01 0000 6A ?? 68 ???????? 68 ???????? 6A ?? FF 95 ???????? 89 85 ???????? EB 14 }
condition:
$a0 at pe.entry_point
}
rule VxQuake518 {
meta: author="malware-lu"
strings:
$a0 = { 1E 06 8C C8 8E D8 ?????????????? B8 21 35 CD 21 81 }
condition:
$a0 at pe.entry_point
}
rule WWPACKv305c4UnextractableVirusShield {
meta: author="malware-lu"
strings:
$a0 = { 03 05 40 1B B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 B9 ???? 51 06 06 B1 ?? 51 8C D3 }
condition:
$a0 at pe.entry_point
}
rule Obsidium13013ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 01 ?? E8 26 000000 EB 02 ???? EB 02 ???? 8B 54 24 0C EB 01 ?? 83 82 B8 000000 21 EB 04 ???????? 33 C0 EB 02 ???? C3 EB 01 ?? EB 04 ???????? 64 67 FF 36 0000 EB 02 ???? 64 67 89 26 0000 EB 01 ?? EB 03 ?????? 50 EB 01 ?? 33 C0 EB 03 ?????? 8B 00 EB 02 ???? C3 EB 02 ???? E9 FA 000000 EB 01 ?? E8 D5 FF FF FF EB 03 ?????? EB 02 ???? 58 EB 03 ?????? EB 04 ???????? 64 67 8F 06 0000 EB 03 ?????? 83 C4 04 EB 03 ?????? E8 13 26 0000 }
condition:
$a0 at pe.entry_point
}
rule ObsidiumV130XObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 03 ?????? E8 2E 000000 EB 04 ???????? EB 04 ???????? 8B ?????? EB 04 ???????? 83 ???????????? EB 01 ?? 33 C0 EB 04 ???????? C3 }
condition:
$a0 at pe.entry_point
}
rule MetrowerksCodeWarriorv20Console {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 55 B8 FF FF FF FF 50 50 68 ???????? 64 FF 35 00000000 64 89 25 00000000 68 ???????? E8 ???????????????????????? E8 ???? 0000 E8 ???? 0000 E8 }
condition:
$a0
}
rule PESpinv07Cyberbob {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 0000 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
condition:
$a0 at pe.entry_point
}
rule SimpleUPXCryptorV3042005MANtiCORE {
meta: author="malware-lu"
strings:
$a0 = { 60 B8 ???????? B9 ???????????????? E2 FA 61 68 ???????? C3 }
condition:
$a0 at pe.entry_point
}
rule WinRAR32bitSFXModule {
meta: author="malware-lu"
strings:
$a0 = { E9 ???? 000000000000 909090 ???????????? 00 ?? 00 ?????????? FF }
condition:
$a0 at pe.entry_point
}
rule iPBProtect013017forgot {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00000000 }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakeASPack211demadicius {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 02 000000 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule Upackv036alphaDwing {
meta: author="malware-lu"
strings:
$a0 = { AB E2 E5 5D 59 8B 76 68 51 59 46 AD 85 C0 }
condition:
$a0
}
rule CrinklerV03V04RuneLHStubbeandAskeSimonChristensen {
meta: author="malware-lu"
strings:
$a0 = { B8 0000 42 00 31 DB 43 EB 58 }
condition:
$a0 at pe.entry_point
}
rule DingBoysPElockPhantasmv10v11 {
meta: author="malware-lu"
strings:
$a0 = { 55 57 56 52 51 53 66 81 C3 EB 02 EB FC 66 81 C3 EB 02 EB FC }
condition:
$a0 at pe.entry_point
}
rule PECompactV2XBitsumTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 50 64 FF 35 00000000 64 89 25 00000000 33 C0 89 08 50 45 43 }
condition:
$a0 at pe.entry_point
}
rule CRYPTVersion17cDismember {
meta: author="malware-lu"
strings:
$a0 = { 0E 17 9C 58 F6 ???? 74 ?? E9 }
condition:
$a0 at pe.entry_point
}
rule VxXPEH4768 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5B 81 ?????? 50 56 57 2E ?????????? 2E ???????????? B8 01 00 50 B8 ???? 50 E8 }
condition:
$a0 at pe.entry_point
}
rule PECrypt32v102 {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5B 83 ???? EB ?? 52 4E 44 21 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01PESHiELD025Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 2B 000000 9090909090909090909090909090909090909090909090909090909090909090909090909090909090 CCCC E9 }
condition:
$a0 at pe.entry_point
}
rule NETDLLMicrosoft {
meta: author="malware-lu"
strings:
$a0 = { 0000000000000000 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 0000 ?? 0000 FF 25 }
condition:
$a0
}
rule MSLRH: Packer PEiD {
meta: author="malware-lu"
note="Added some checks"
strings:
$a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 0000 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 }
$b = { EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 0000 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 0000 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 0000 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 0000 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 }
$c = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 0000 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 }
condition:
for any of ($*) : ( $ at pe.entry_point )
}
rule BeRoEXEPackerv100DLLLZMABeRoFarbrausch {
meta: author="malware-lu"
strings:
$a0 = { 83 7C 24 08 01 0F 85 ???????? 60 68 ???????? 68 ???????? 68 ???????? E8 ???????? BE ???????? B9 ???????? 8B F9 81 FE ???????? 7F 10 AC 47 04 18 2C 02 73 F0 29 3E 03 F1 03 F9 EB E8 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02ExeSmasherAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 9C FE 03 90 60 BE 9090 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90909090909090909090909090909090 FE 0B }
condition:
$a0 at pe.entry_point
}
rule ObsidiumV125ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { E8 0E 000000 8B 54 24 0C 83 82 B8 000000 0D 33 C0 C3 }
condition:
$a0 at pe.entry_point
}
rule ASPackv107bDLLAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D ???????????? B8 ???????? 03 C5 }
condition:
$a0 at pe.entry_point
}
rule MicroJoiner17coban2k {
meta: author="malware-lu"
strings:
$a0 = { BF 00 10 40 00 8D 5F 21 6A 0A 58 6A 04 59 60 57 E8 8E 000000 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakeVOBProtectCDFEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 5F 81 EF 00000000 BE 0000 40 00 8B 87 00000000 03 C6 57 56 8C A7 00000000 FF 10 89 87 00000000 5E 5F }
condition:
$a0 at pe.entry_point
}
rule CelsiusCrypt21Z3r0 {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 000000 FF 15 84 92 44 00 E8 C8 FE FF FF 90 8D B4 26 00000000 55 89 E5 83 EC 08 C7 04 24 02 000000 FF 15 84 92 44 00 E8 A8 FE FF FF 90 8D B4 26 00000000 55 8B 0D C4 92 44 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D AC 92 44 00 89 E5 5D FF E1 90909090 55 89 E5 5D E9 77 C2 0000 90909090909090 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00000000 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00000000 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3 }
$a1 = { 55 89 E5 83 EC 28 8B 45 10 89 04 24 E8 3F 14 01 00 48 89 45 FC 8B 45 0C 48 89 45 F4 8D 45 F4 89 44 24 04 8D 45 FC 89 04 24 E8 12 A3 03 00 8B 00 89 45 F8 8B 45 FC 89 45 F0 C6 45 EF 01 C7 45 E8 00000000 8B 45 E8 3B 45 F8 73 39 80 7D EF 00 74 33 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 1C 1A 01 00 89 C1 8B 45 08 8B 55 E8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 8D 45 E8 FF 00 EB BF 83 7D F0 00 74 34 80 7D EF 00 74 2E 8B 45 F0 89 44 24 04 8B 45 10 89 04 24 E8 DD 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 0F 94 C0 88 45 EF 8D 45 F0 FF 08 EB C6 C7 44 24 04 00000000 8B 45 10 89 04 24 E8 AE 19 01 00 89 C1 8B 45 08 8B 55 F8 01 C2 0F B6 01 3A 02 7F 0C 0F B6 45 EF 83 E0 01 88 45 E7 EB 04 C6 45 E7 00 0F B6 45 E7 88 45 EF 0F B6 45 EF C9 C3 }
condition:
$a0 at pe.entry_point or $a1
}
rule Armadillov260 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 D0 ?????? 68 34 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 68 ?????? 33 D2 8A D4 89 15 84 }
condition:
$a0 at pe.entry_point
}
rule Armadillov261 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 28 ?????? 68 E4 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?????? 33 D2 8A D4 89 15 0C }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakeASPack212emadicius {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 03 000000 E9 EB 04 5D 45 55 C3 E8 01 000000 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule RatPackerGluestub {
meta: author="malware-lu"
strings:
$a0 = { 40 20 FF 00000000000000 ?? BE 00 60 40 00 8D BE 00 B0 FF FF }
condition:
$a0 at pe.entry_point
}
rule CreateInstallv200335 {
meta: author="malware-lu"
strings:
$a0 = { 81 EC 0C 04 0000 53 56 57 55 68 60 50 40 00 6A 01 6A 00 FF 15 D8 80 40 00 8B F0 FF 15 D4 80 40 00 3D B7 000000 75 0F 56 FF 15 B8 80 40 00 6A 02 FF 15 A4 80 40 00 33 DB E8 F2 FE FF FF 68 02 7F 0000 89 1D 94 74 40 00 53 89 1D 98 74 40 00 FF 15 E4 80 40 }
condition:
$a0
}
rule SPECb3 {
meta: author="malware-lu"
strings:
$a0 = { 5B 53 50 45 43 5D E8 ???????? 5D 8B C5 81 ED 41 24 40 ?? 2B 85 89 26 40 ?? 83 E8 0B 89 85 8D 26 40 ?? 0F B6 B5 91 26 40 ?? 8B FD }
condition:
$a0 at pe.entry_point
}
rule SPECb2 {
meta: author="malware-lu"
strings:
$a0 = { 55 57 51 53 E8 ???????? 5D 8B C5 81 ED ???????? 2B 85 ???????? 83 E8 09 89 85 ???????? 0F B6 }
condition:
$a0 at pe.entry_point
}
rule UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser {
meta: author="malware-lu"
strings:
$a0 = { FF D5 8D 87 ???????? 80 20 ?? 80 60 ???? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }
condition:
$a0
}
rule PseudoSigner01MicrosoftVisualBasic5060Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 68 ???????? E8 0A 000000000000000000 30 000000 E9 }
condition:
$a0 at pe.entry_point
}
rule UPXModifiedStubbFarbrauschConsumerConsulting {
meta: author="malware-lu"
strings:
$a0 = { 60 BE ???????? 8D BE ???????? 57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 000000 73 F6 31 C9 E8 64 000000 73 1C 31 C0 E8 5B 000000 73 23 B3 02 41 B0 10 E8 4F 000000 10 C0 73 F7 75 3F AA EB D4 E8 4D 000000 29 D9 75 10 E8 42 000000 EB 28 AC }
condition:
$a0 at pe.entry_point
}
rule E2CbyDoP {
meta: author="malware-lu"
strings:
$a0 = { BE ???? BF ???? B9 ???? FC 57 F3 A5 C3 }
condition:
$a0 at pe.entry_point
}
rule SVKProtectorv111 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 81 ED 06 ?????? 64 A0 23 }
condition:
$a0 at pe.entry_point
}
rule PCShrinkerv071 {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 BD ???????? 01 AD 54 3A 40 ?? FF B5 50 3A 40 ?? 6A 40 FF 95 88 3A 40 ?? 50 50 2D ???????? 89 85 }
condition:
$a0 at pe.entry_point
}
rule Petite21 {
meta: author="malware-lu"
strings:
$a0 = { 64 FF 35 00000000 64 89 25 00000000 66 9C 60 50 8B D8 }
condition:
$a0
}
rule BeRoEXEPackerv100DLLLZBRRBeRoFarbrausch {
meta: author="malware-lu"
strings:
$a0 = { 83 7C 24 08 01 0F 85 ???????? 60 BE ???????? BF ???????? FC B2 80 33 DB A4 B3 02 E8 ???????? 73 F6 33 C9 E8 ???????? 73 1C 33 C0 E8 ???????? 73 23 B3 02 41 B0 10 }
condition:
$a0 at pe.entry_point
}
rule hmimysPackerV12hmimys {
meta: author="malware-lu"
strings:
$a0 = { E8 95 000000 ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 5E AD 50 AD 50 97 AD 50 AD 50 AD 50 E8 C0 01 0000 AD 50 AD 93 87 DE B9 ???????? E3 1D 8A 07 47 04 ?? 3C ?? 73 F7 8B 07 3C ?? 75 F3 B0 00 0F C8 05 ???????? 2B C7 AB E2 E3 AD 85 C0 74 2B 97 56 FF 13 8B E8 AC 84 C0 75 FB 66 AD 66 85 C0 74 E9 AC 83 EE 03 84 C0 74 08 56 55 FF 53 04 AB EB E4 AD 50 55 FF 53 04 AB EB E0 C3 8B 0A 3B 4A 04 75 0A C7 42 10 01 000000 0C FF C3 }
condition:
$a0 at pe.entry_point
}
rule EnigmaProtector131Build20070615DllSukhovVladimirSergeNMarkin {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 06 000000 81 ED ???????? E9 49 000000 ???????????????????????????????????????????????????????????????????????????????? 000000000000000000000000000000000000000000000000000000000000000000 8A 84 24 28 000000 80 F8 01 0F 84 07 000000 B8 ???????? FF E0 E9 04 000000 ???????? B8 ???????? 03 C5 81 C0 ???????? B9 ???????? BA ???????? 30 10 40 49 0F 85 F6 FF FF FF E9 04 000000 }
condition:
$a0 at pe.entry_point
}
rule PureBasicDLLNeilHodgson {
meta: author="malware-lu"
strings:
$a0 = { 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?????? 10 E8 }
condition:
$a0 at pe.entry_point
}
rule HPA {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E 8B D6 83 ???? 83 ???? 06 0E 1E 0E 1F 33 FF 8C D3 }
condition:
$a0 at pe.entry_point
}
rule Armadillov310 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 E0 97 44 00 68 20 C0 42 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF 15 4C 41 44 00 33 D2 8A D4 89 15 90 A1 44 00 8B C8 81 E1 FF 000000 89 0D 8C A1 44 00 C1 E1 08 03 CA 89 0D 88 A1 44 00 C1 E8 10 A3 84 A1 }
condition:
$a0 at pe.entry_point
}
rule Upack012betaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 48 01 40 00 AD ?????? A5 ?? C0 33 C9 ?????????????? F3 AB ???? 0A ???????? AD 50 97 51 ?? 87 F5 58 8D 54 86 5C ?? D5 72 ?????????????????????????????? B6 5F FF C1 }
condition:
$a0 at pe.entry_point
}
rule VxNcuLi1688 {
meta: author="malware-lu"
strings:
$a0 = { 0E 1E B8 55 AA CD 21 3D 49 4C 74 ?? 0E 0E 1F 07 E8 }
condition:
$a0 at pe.entry_point
}
rule VProtectorvcasm {
meta: author="malware-lu"
strings:
$a0 = { 00000000 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 0000 55 53 45 52 33 32 2E 64 6C 6C 0000 47 44 49 33 32 2E 64 6C 6C 0000000000000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 53 6C 65 65 70 000000 47 65 74 56 65 72 73 69 6F 6E 000000 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 000000 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 000000 47 65 74 41 43 50 000000 43 72 65 61 74 65 54 68 72 65 61 64 000000 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 000000 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 000000 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 000000 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 000000 53 68 6F 77 57 69 6E 64 6F 77 000000 47 65 74 44 43 000000 52 65 6C 65 61 73 65 44 43 000000 46 69 6E 64 57 69 6E 64 6F 77 41 000000 47 65 74 4D 65 73 73 61 67 65 41 000000 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 000000 53 65 74 50 69 78 65 6C }
$a1 = { 00000000 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 0000 55 53 45 52 33 32 2E 64 6C 6C 0000 47 44 49 33 32 2E 64 6C 6C 0000000000000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 53 6C 65 65 70 000000 47 65 74 56 65 72 73 69 6F 6E 000000 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 000000 47 65 74 53 74 61 72 74 75 70 49 6E 66 6F 41 000000 47 65 74 41 43 50 000000 43 72 65 61 74 65 54 68 72 65 61 64 000000 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 000000 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 000000 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 000000 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 000000 53 68 6F 77 57 69 6E 64 6F 77 000000 47 65 74 44 43 000000 52 65 6C 65 61 73 65 44 43 000000 46 69 6E 64 57 69 6E 64 6F 77 41 000000 47 65 74 4D 65 73 73 61 67 65 41 000000 44 65 73 74 72 6F 79 57 69 6E 64 6F 77 000000 53 65 74 50 69 78 65 6C 00000000 }
$a2 = { 00000000 55 73 65 72 33 32 2E 64 6C 6C 0000000000000000000000000000000000000000 47 64 69 33 32 2E 64 6C 6C 000000000000000000000000000000000000000000 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000000000000000000000000000000000 08 00 44 65 66 57 69 6E 64 6F 77 50 72 6F 63 41 00000000000000000000000000000000 08 00 52 65 67 69 73 74 65 72 43 6C 61 73 73 45 78 41 0000000000000000000000000000 08 00 43 72 65 61 74 65 57 69 6E 64 6F 77 45 78 41 000000000000000000000000000000 08 00 47 65 74 53 79 73 74 65 6D 4D 65 74 72 69 63 73 0000000000000000000000000000 08 00 53 68 6F 77 57 69 6E 64 6F 77 0000000000000000000000000000000000000000 08 00 47 65 74 44 43 00000000000000000000000000000000000000000000000000 08 00 52 65 6C 65 61 73 65 44 43 000000000000000000000000000000000000000000 08 00 46 69 6E 64 57 69 6E 64 6F 77 41 000000000000000000000000000000000000000000 47 65 74 4D 65 73 73 61 67 65 41 00 }
condition:
$a0 or $a1 or $a2
}
rule XPackv142 {
meta: author="malware-lu"
strings:
$a0 = { 72 ?? C3 8B DE 83 ???? C1 ???? 8C D8 03 C3 8E D8 8B DF 83 ???? C1 ???? 8C C0 03 C3 8E C0 C3 }
condition:
$a0
}
rule W32JeefoPEFileInfector {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 08 83 C4 F4 6A 02 A1 C8 ?????? FF D0 E8 ???????? C9 C3 }
condition:
$a0 at pe.entry_point
}
rule ExeSplitter13SplitCryptMethodBillPrisonerTPOC {
meta: author="malware-lu"
strings:
$a0 = { 15 10 05 23 14 56 57 57 48 12 0B 16 66 66 66 66 66 66 66 66 66 02 C7 56 66 66 66 ED 26 6A ED 26 6A ED 66 E3 A6 69 E2 39 64 66 66 ED 2E 56 E6 5F 0D 12 61 E6 5F 2D 12 64 8D 81 E6 1F 6A 55 12 64 8D B9 ED 26 7E A5 33 ED 8A 8D 69 21 03 12 36 14 09 05 27 02 02 14 03 15 15 27 ED 2B 6A ED 13 6E ED B8 65 10 5A EB 10 7E EB 10 06 ED 50 65 95 30 ED 10 46 65 95 55 B4 ED A0 ED 50 65 95 37 ED 2B 6A EB DF AB 76 26 66 3F DF 68 66 66 66 9A 95 C0 6D AF 13 64 }
$a1 = { E8 00000000 5D 81 ED 05 10 40 00 B9 ???????? 8D 85 1D 10 40 00 80 30 66 40 E2 FA 8F 98 67 66 66 ?????????????? 66 }
condition:
$a0 or $a1 at pe.entry_point
}
rule AntiDote12BetaDemoSISTeam {
meta: author="malware-lu"
strings:
$a0 = { 68 69 D6 0000 E8 C6 FD FF FF 68 69 D6 0000 E8 BC FD FF FF 83 C4 08 E8 A4 FF FF FF 84 C0 74 2F 68 04 01 0000 68 B0 21 60 00 6A 00 FF 15 08 10 60 00 E8 29 FF FF FF 50 68 88 10 60 00 68 78 10 60 00 68 B0 21 60 00 E8 A4 FD FF FF 83 C4 10 33 C0 C2 10 00 909090909090909090909090 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0 }
condition:
$a0 at pe.entry_point
}
rule ASPackv211bAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 02 000000 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 0000 }
condition:
$a0 at pe.entry_point
}
rule EXECryptor224StrongbitSoftCompleteDevelopmenth1 {
meta: author="malware-lu"
strings:
$a0 = { E8 F7 FE FF FF 05 ???? 0000 FF E0 E8 EB FE FF FF 05 ???? 0000 FF E0 E8 04 000000 FF FF FF FF 5E C3 }
condition:
$a0 at pe.entry_point
}
rule EXECryptor224StrongbitSoftCompleteDevelopmenth2 {
meta: author="malware-lu"
strings:
$a0 = { E8 F7 FE FF FF 05 ???? 0000 FF E0 E8 EB FE FF FF 05 ???? 0000 FF E0 E8 ?? 000000 }
condition:
$a0 at pe.entry_point
}
rule EXECryptor224StrongbitSoftCompleteDevelopmenth3 {
meta: author="malware-lu"
strings:
$a0 = { 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000000000 45 78 69 74 50 72 6F 63 65 73 73 }
condition:
$a0
}
rule ProActivateV10XTurboPowerSoftwareCompany {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B9 0E 000000 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ???????? 9090909090 33 C0 55 68 ???????? 64 FF 30 64 89 20 A1 ???????? 83 C0 05 A3 ???????? C7 05 ???????? 0D 000000 E8 85 E2 FF FF 81 3D ???????? 21 7E 7E 40 75 7A 81 3D ???????? 43 52 43 33 75 6E 81 3D ???????? 32 40 7E 7E 75 62 81 3D ???????? 21 7E 7E 40 75 56 81 3D ???????? 43 52 43 33 75 4A 81 3D ???????? 32 40 7E 7E 75 3E 81 3D ???????? 21 7E 7E 40 75 32 81 3D ???????? 43 52 43 33 }
condition:
$a0 at pe.entry_point
}
rule PackMasterv10 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 01 000000 E8 83 C4 04 E8 01 000000 E9 5D 81 ED D3 22 40 00 E8 04 02 0000 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }
$a1 = { 60 E8 01 ?????? E8 83 C4 04 E8 01 ?????? E9 5D 81 ED D3 22 40 ?? E8 04 02 ???? E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule DBPEv153 {
meta: author="malware-lu"
strings:
$a0 = { 9C 55 57 56 52 51 53 9C FA E8 ???????? 5D 81 ED 5B 53 40 ?? B0 ?? E8 ???????? 5E 83 C6 11 B9 27 ?????? 30 06 46 49 75 FA }
condition:
$a0 at pe.entry_point
}
rule FreeJoiner152Stubengine16GlOFF {
meta: author="malware-lu"
strings:
$a0 = { E8 46 FD FF FF 50 E8 0C 000000 FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00 }
condition:
$a0 at pe.entry_point
}
rule ASProtectv12AlexeySolodovnikovh1 {
meta: author="malware-lu"
strings:
$a0 = { 90 60 E8 1B 000000 E9 FC 8D B5 0F 06 0000 8B FE B9 97 000000 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?????? 00 }
condition:
$a0
}
rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualCx {
meta: author="malware-lu"
strings:
$a0 = { 1B DB E8 02 000000 1A 0D 5B 68 80 ???? 00 E8 01 000000 EA 5A 58 EB 02 CD 20 68 F4 00 }
condition:
$a0 at pe.entry_point
}
rule PENightMare2Beta {
meta: author="malware-lu"
strings:
$a0 = { 60 E9 ???????? EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }
condition:
$a0 at pe.entry_point
}
rule MinGWGCC3x {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 08 C7 04 24 ?? 000000 FF 15 ???????? E8 ???? FF FF ???????????????? 55 }
condition:
$a0 at pe.entry_point
}
rule PIRITv15 {
meta: author="malware-lu"
strings:
$a0 = { B4 4D CD 21 E8 ???? FD E8 ???? B4 51 CD 21 }
condition:
$a0 at pe.entry_point
}
rule Reg2Exe224byJanVorel {
meta: author="malware-lu"
strings:
$a0 = { 6A 00 E8 CF 20 0000 A3 F4 45 40 00 E8 CB 20 0000 6A 0A 50 6A 00 FF 35 F4 45 40 00 E8 07 000000 50 E8 BB 20 0000 CC 68 48 000000 68 00000000 68 F8 45 40 00 E8 06 19 0000 83 C4 0C 8B 44 24 04 A3 FC 45 40 00 68 00000000 68 A0 0F 0000 68 00000000 E8 8C 20 0000 A3 F8 45 40 00 E8 02 20 0000 E8 32 1D 0000 E8 20 19 0000 E8 A3 16 0000 68 01 000000 68 38 46 40 00 68 00000000 8B 15 38 46 40 00 E8 71 4F 0000 B8 0000 10 00 BB 01 000000 E8 82 4F 0000 FF 35 48 41 40 00 B8 00 01 0000 E8 9D 15 0000 8D 0D 1C 46 40 00 5A E8 82 16 0000 68 00 01 0000 FF 35 1C 46 40 00 E8 24 20 0000 A3 24 46 40 00 FF 35 48 41 40 00 FF 35 24 46 40 00 FF 35 1C 46 40 00 E8 DC 10 0000 8D 0D 14 46 40 00 5A E8 4A 16 }
condition:
$a0 at pe.entry_point
}
rule SVKProtectorv13xEngPavolCerven {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 06 000000 EB 05 B8 ???? 42 00 64 A0 23 000000 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 000000 8D B5 C5 02 0000 56 80 06 44 46 E2 FA 8B 8D C1 02 0000 5E 55 51 6A 00 56 FF 95 0C 61 0000 59 5D 40 85 C0 75 3C 80 3E }
condition:
$a0 at pe.entry_point
}
rule ThinstallEmbedded2609Jitit {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 58 BB AD 19 0000 2B C3 50 68 ???????? 68 B0 1C 0000 68 80 000000 E8 35 FF FF FF E9 99 FF FF FF 00 }
condition:
$a0 at pe.entry_point
}
rule UPXcrypterarchphaseNWC {
meta: author="malware-lu"
strings:
$a0 = { BF ?????? 00 81 FF ?????? 00 74 10 81 2F ?? 000000 83 C7 04 BB 05 ???? 00 FF E3 BE ?????? 00 FF E6 00000000 }
condition:
$a0 at pe.entry_point
}
rule StarForceProtectionDriverProtectionTechnology {
meta: author="malware-lu"
strings:
$a0 = { 57 68 ?? 0D 01 00 68 00 ???? 00 E8 50 ?? FF FF 68 ?????? 00 68 ?????? 00 68 ?????? 00 68 ?????? 00 68 ?????? 00 }
condition:
$a0 at pe.entry_point
}
rule FishPEV10Xhellfish {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? C3 90 09 000000 2C 000000 ???????? C4 03 0000 BC A0 000000 40 01 00 ???????? 00000000000000000000000000000000 99 00000000 8A 000000 10 0000 ???? 0000 ???????? 0000 02 000000 A0 0000 18 01 0000 ???????? 0000 0C 000000 B0 0000 38 0A 0000 ???????? 000000000000 C0 0000 40 39 0000 ???????? 0000 08 00000000 01 00 C8 06 0000 }
condition:
$a0 at pe.entry_point
}
rule PECrypter {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D EB 26 }
condition:
$a0 at pe.entry_point
}
rule tElockv051 {
meta: author="malware-lu"
strings:
$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00000000 5E 83 C6 5E 8B FE 68 79 01 59 EB 01 EB AC 54 E8 03 5C EB 08 }
condition:
$a0 at pe.entry_point
}
rule LY_WGKXwwwszleyucom {
meta: author="malware-lu"
strings:
$a0 = { 4D 79 46 75 6E 00 62 73 }
condition:
$a0
}
rule ASProtect13321RegisteredAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 68 01 ?????? E8 01 000000 C3 C3 }
condition:
$a0 at pe.entry_point
}
rule RLPackV111ap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 4A 02 0000 8D 9D 11 01 0000 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtMicrosoftVisualC4xLCCWin321x {
meta: author="malware-lu"
strings:
$a0 = { 2C 71 1B CA EB 01 2A EB 01 65 8D 35 80 ???? 00 80 C9 84 80 C9 68 BB F4 000000 EB 01 EB }
condition:
$a0 at pe.entry_point
}
rule dePACKdeNULL {
meta: author="malware-lu"
strings:
$a0 = { EB 01 DD 60 68 00 ?????? 68 ???? 0000 E8 ?? 000000 }
$a1 = { EB 01 DD 60 68 00 ?????? 68 ?????? 00 E8 ?? 000000 ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? D2 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule EXECryptorv1401 {
meta: author="malware-lu"
strings:
$a0 = { E8 24 000000 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00000000 ???? 00 31 C0 89 41 14 89 41 18 80 }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakePELockNT204emadicius {
meta: author="malware-lu"
strings:
$a0 = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB E8 03 000000 E9 EB 04 58 40 50 C3 EB 03 CD 20 EB EB 03 CD 20 03 61 9D 83 C4 04 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule PELockNTv203 {
meta: author="malware-lu"
strings:
$a0 = { EB 02 C7 85 1E EB 03 CD 20 C7 9C EB 02 69 B1 60 EB 02 EB 01 }
condition:
$a0 at pe.entry_point
}
rule Reg2Exe220221byJanVorel {
meta: author="malware-lu"
strings:
$a0 = { 6A 00 E8 7D 12 0000 A3 A0 44 40 00 E8 79 12 0000 6A 0A 50 6A 00 FF 35 A0 44 40 00 E8 0F 000000 50 E8 69 12 0000 CCCCCCCCCCCCCCCCCC 68 2C 02 0000 68 00000000 68 B0 44 40 00 E8 3A 12 0000 83 C4 0C 8B 44 24 04 A3 B8 44 40 00 68 00000000 68 A0 0F 0000 68 00000000 E8 32 12 0000 A3 B0 44 40 00 68 F4 01 0000 68 BC 44 40 00 FF 35 B8 44 40 00 E8 1E 12 0000 B8 BC 44 40 00 89 C1 8A 30 40 80 FE 5C 75 02 89 C1 80 FE 00 75 F1 C6 01 00 E8 EC 18 0000 E8 28 16 0000 E8 4A 12 0000 68 00 FA 0000 68 08 000000 FF 35 B0 44 40 00 E8 E7 11 0000 A3 B4 44 40 00 8B 15 D4 46 40 00 E8 65 0A 0000 BB 0000 10 00 B8 01 000000 E8 72 0A 0000 74 09 C7 00 01 000000 83 C0 04 A3 D4 46 40 00 FF 35 B4 44 40 00 E8 26 05 0000 8D 0D B8 46 40 00 5A E8 CF 0F 0000 FF 35 B4 44 40 00 FF 35 B8 46 40 00 E8 EE 06 0000 8D 0D B4 46 40 00 5A E8 }
condition:
$a0 at pe.entry_point
}
rule PELockNTv201 {
meta: author="malware-lu"
strings:
$a0 = { EB 03 CD 20 EB EB 01 EB 1E EB 01 EB EB 02 CD 20 9C EB 03 CD }
condition:
$a0 at pe.entry_point
}
rule PELockNTv204 {
meta: author="malware-lu"
strings:
$a0 = { EB ?? CD ?????????? CD ?????????? EB ?? EB ?? EB ?? EB ?? CD ?????????? E8 ???????? E9 ???????? 50 C3 }
condition:
$a0 at pe.entry_point
}
rule UPXFreakv01BorlandDelphiHMX0101 {
meta: author="malware-lu"
strings:
$a0 = { BE ???????? 83 C6 01 FF E6 000000 ?????? 00 03 000000 ???????? 00 10 00000000 ???????? 0000 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?????? 00 ?????? 00 ?????? 00 ?? 24 ?? 00 ?????? 00 }
$a1 = { BE ???????? 83 C6 01 FF E6 000000 ?????? 00 03 000000 ???????? 00 10 00000000 ???????? 0000 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?????? 00 ?????? 00 ?????? 00 ?? 24 ?? 00 ?????? 00 34 50 45 00 ?????? 00 FF FF 0000 ?? 24 ?? 00 ?? 24 ?? 00 ?????? 00 40 0000 C0 0000 ???????? 0000 ?? 000000 ?? 1E ?? 00 ?? F7 ?? 00 A6 4E 43 00 ?? 56 ?? 00 AD D1 42 00 ?? F7 ?? 00 A1 D2 42 00 ?? 56 ?? 00 0B 4D 43 00 ?? F7 ?? 00 ?? F7 ?? 00 ?? 56 ?? 00 ?????????? 000000 ?????????????? 77 ?????? 00 ?????? 00 ?????? 77 ???? 0000 ?????? 00 ???????????? 0000 ?????? 00 ?????????????????????? 00 ???????? 00000000 ?????? 00 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule Obsidium13017Obsidiumsoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 28 000000 EB 04 ???????? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 000000 25 EB 02 ???? 33 C0 EB 03 ?????? C3 EB 03 ?????? EB 02 ???? 64 67 FF 36 0000 EB 01 ?? 64 67 89 26 0000 EB 03 ?????? EB 04 ???????? 50 EB 04 }
condition:
$a0 at pe.entry_point
}
rule Petite22c199899IanLuck {
meta: author="malware-lu"
strings:
$a0 = { 68 ???????? 64 FF 35 00000000 64 89 25 00000000 66 9C 60 50 68 0000 ???? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 0000 57 6A ?? 6A 06 56 6A 04 68 80 08 0000 57 FF D3 83 EE 08 59 F3 A5 59 66 }
condition:
$a0 at pe.entry_point
}
rule PluginToExev101BoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A 40 FF 95 A9 41 40 00 89 85 69 40 40 00 89 C7 68 00 08 0000 6A 40 FF 95 A9 41 40 00 89 47 1C C7 07 58 000000 C7 47 20 00 08 0000 C7 47 18 01 000000 C7 47 34 04 10 88 00 8D 8D B9 40 40 00 89 4F 0C 8D 8D DB 40 40 00 89 4F 30 FF B5 69 40 40 00 FF 95 95 41 40 00 FF 77 1C 8F 85 75 40 40 00 8B 9D 6D 40 40 00 60 6A 00 6A 01 53 81 C3 ?????? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 75 40 40 00 6A 00 81 C3 ???? 0000 FF D3 83 C4 10 83 BD 71 40 40 0000 74 10 FF 77 1C FF 95 AD 41 40 00 57 FF 95 AD 41 40 00 6A 00 FF 95 9D 41 40 00 }
condition:
$a0 at pe.entry_point
}
rule Enigmaprotector110unregistered {
meta: author="malware-lu"
strings:
$a0 = { 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89 }
$a1 = { 60 72 80 72 88 72 8C 72 90 72 94 72 98 72 9C 72 A0 72 A4 59 A8 B0 5C E8 39 D5 39 E4 39 F1 31 F9 5C 3D 58 CA 5F 56 B1 2D 20 7A 2E 30 16 32 72 2B 72 36 1C A5 33 A9 9C AD 9C B1 9C B5 9C B9 9C BD 9C C1 9C C5 9C C9 9C CD 9C D1 9C D5 9C D9 9C DD 9C E1 9C E5 89 E9 51 0B C4 80 BC 7E 35 09 37 E7 C9 3D C9 45 C9 4D 74 92 BA E4 E9 24 6B DF 3E 0E 38 0C 49 10 27 80 51 A1 8E 3A A3 C8 AE 3B 1C 35 }
condition:
$a0 or $a1
}
rule Obsidium1341ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 01 ?? E8 2A 000000 EB 04 ???????? EB 02 ???? 8B 54 24 0C EB 03 ?????? 83 82 B8 000000 21 EB 02 ???? 33 C0 EB 03 ?????? C3 EB 02 ???? EB 01 ?? 64 67 FF 36 0000 EB 01 ?? 64 67 89 26 0000 EB 02 ???? EB 03 ?????? 50 EB 04 ???????? 33 C0 EB 02 ???? 8B 00 EB 04 ???????? C3 EB 02 ???? E9 FA 000000 EB 02 ???? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?????? EB 04 ???????? 64 67 8F 06 0000 EB 04 ???????? 83 C4 04 EB 02 ???? E8 C3 27 0000 }
condition:
$a0 at pe.entry_point
}
rule WebCopsDLLLINKDataSecurity {
meta: author="malware-lu"
strings:
$a0 = { A8 BE 58 DC D6 CC C4 63 4A 0F E0 02 BB CE F3 5C 50 23 FB 62 E7 3D 2B }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01PackMaster10PEXCloneAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 01 01 0000 E8 83 C4 04 E8 01 909090 E9 5D 81 ED D3 22 40 90 E8 04 02 9090 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 909090909090909090909090909090909090909090909090909090909090909090909090909090909090 }
condition:
$a0 at pe.entry_point
}
rule Upackv037v038BetaStripbaserelocationtableOptionDwing {
meta: author="malware-lu"
strings:
$a0 = { 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 }
condition:
$a0
}
rule AHTeamEPProtector03fakeSVKP13xFEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 60 E8 00000000 5D 81 ED 06 000000 EB 05 B8 00000000 64 A0 23 000000 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 000000 8D B5 C5 02 0000 56 80 06 44 46 E2 FA 8B 8D C1 02 0000 5E 55 51 6A 00 }
condition:
$a0 at pe.entry_point
}
rule InstallShieldCustom {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 EC 44 56 FF 15 ???? 41 00 8B F0 85 F6 75 08 6A FF FF 15 ???? 41 00 8A 06 57 8B 3D ???? 41 00 3C 22 75 1B 56 FF D7 8B F0 8A 06 3C 22 74 04 84 C0 75 F1 80 3E 22 75 15 56 FF D7 8B }
condition:
$a0 at pe.entry_point
}
rule Petitevafterv14 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 66 9C 60 50 8D ?????????? 68 ???????? 83 }
condition:
$a0 at pe.entry_point
}
rule ExeToolsv21EncruptorbyDISMEMBER {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5D 83 ???? 1E 8C DA 83 ???? 8E DA 8E C2 BB ???? BA ???? 85 D2 74 }
condition:
$a0 at pe.entry_point
}
rule NTkrnlSecureSuiteNTkrnlteam {
meta: author="malware-lu"
strings:
$a0 = { 34 10 0000 28 10 00000000000000000000000000000000000000000000 41 10 0000 50 10 000000000000 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 }
condition:
$a0
}
rule PESpinv0b {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 72 C8 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 0000 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 26 E8 01 000000 EA 5A 33 C9 }
condition:
$a0 at pe.entry_point
}
rule VXTibsZhelatinStormWormvariant {
meta: author="malware-lu"
strings:
$a0 = { FF 74 24 1C 58 8D 80 ???? 77 04 50 68 62 34 35 04 E8 }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakePEX099emadicius {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 01 000000 E8 83 C4 04 E8 01 000000 E9 5D 81 ED FF 22 40 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
condition:
$a0 at pe.entry_point
}
rule NSPack3xLiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D 83 ED 07 8D 85 ???? FF FF ?? 38 01 0F 84 ?? 02 0000 ?? 00 01 }
condition:
$a0 at pe.entry_point
}
rule PECompactv25RetailBitsumTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 ?????? 01 50 64 FF 35 00000000 64 89 25 00000000 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
condition:
$a0 at pe.entry_point
}
rule WARNINGTROJANXiaoHui {
meta: author="malware-lu"
strings:
$a0 = { 60 9C E8 00000000 5D B8 ?? 85 40 00 2D ?? 85 40 00 }
condition:
$a0 at pe.entry_point
}
rule NFOv10 {
meta: author="malware-lu"
strings:
$a0 = { 8D 50 12 2B C9 B1 1E 8A 02 34 77 88 02 42 E2 F7 C8 8C }
condition:
$a0 at pe.entry_point
}
rule PMODEWv112116121133DOSextender {
meta: author="malware-lu"
strings:
$a0 = { FC 16 07 BF ???? 8B F7 57 B9 ???? F3 A5 06 1E 07 1F 5F BE ???? 06 0E A4 }
condition:
$a0 at pe.entry_point
}
rule AaseCrypterbysantasdad {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 53 B8 A0 3E 00 10 E8 93 DE FF FF 68 F8 42 00 10 E8 79 DF FF FF 68 00 43 00 10 68 0C 43 00 10 E8 42 DF FF FF 50 E8 44 DF FF FF A3 98 66 00 10 83 3D 98 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 1C 43 00 10 6A 00 E8 4B DF FF FF 68 2C 43 00 10 68 0C 43 ???????? DF FF FF 50 E8 0E DF FF FF A3 94 66 00 10 83 3D 94 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 38 43 00 10 6A 00 E8 15 DF FF FF 68 48 43 00 10 68 0C 43 00 10 E8 D6 DE FF FF 50 E8 D8 DE FF FF A3 A0 66 00 10 83 3D A0 66 00 10 00 75 13 6A 00 68 18 43 00 10 68 58 43 00 10 6A 00 E8 DF DE FF FF 68 6C 43 00 10 68 0C 43 00 10 E8 A0 DE FF FF 50 E8 A2 DE FF FF }
condition:
$a0
}
rule aPackv098bJibz {
meta: author="malware-lu"
strings:
$a0 = { 93 07 1F 05 ???? 8E D0 BC ???? EA }
condition:
$a0
}
rule UPackv011Dwing {
meta: author="malware-lu"
strings:
$a0 = { BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 1C F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 03 B3 00 8D 1C 5B 8D 9C 9E 0C 10 0000 B0 01 67 E3 29 8B D7 }
condition:
$a0
}
rule NsPacKNetLiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 0000 BB 01 47 65 74 53 79 73 74 65 6D 49 6E 66 6F 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 0000 5E 00 5F 43 6F 72 ?????? 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C }
condition:
$a0
}
rule PseudoSigner02PENightMare2BetaAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E9 10 000000 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01MicrosoftVisualC60DebugVersionAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 51 909090 01 01 90909090 68 ???????? 909090909090909090909090 00 01 90909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090 00 01 9090909090 }
condition:
$a0 at pe.entry_point
}
rule DJoinv07publicRC4encryptiondrmist {
meta: author="malware-lu"
strings:
$a0 = { C6 05 ???? 40 0000 C6 05 ???? 40 0000 ???????????????? 00 ???????? 00 ?????????? 00 }
condition:
$a0 at pe.entry_point
}
rule UPXv103v104 {
meta: author="malware-lu"
strings:
$a0 = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }
condition:
$a0 at pe.entry_point
}
rule PEDiminisherV01Teraphy {
meta: author="malware-lu"
strings:
$a0 = { 53 51 52 56 57 55 E8 00000000 }
condition:
$a0 at pe.entry_point
}
rule WWPACKv305c4ExtrPasswcheckVirshield {
meta: author="malware-lu"
strings:
$a0 = { 03 05 C0 1A B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 B9 ???? 51 06 06 B1 ?? 51 8C D3 }
condition:
$a0 at pe.entry_point
}
rule ExeGuarderv18Exeiconcom {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 0000 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 0000 EB F1 89 45 FC E8 C8 FF FF FF 2D B2 04 0000 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89 }
condition:
$a0 at pe.entry_point
}
rule codeCrypter031Tibbar {
meta: author="malware-lu"
strings:
$a0 = { 50 58 53 5B 90 BB ?????? 00 FF E3 90 CCCCCC 55 8B EC 5D C3 CCCCCCCCCCCCCCCCCCCCCC }
condition:
$a0 at pe.entry_point
}
rule RLPv073betaap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 8B DD E8 00000000 5D 95 32 C0 95 89 9D 80 000000 B8 42 31 40 00 BB 41 30 40 00 2B C3 03 C5 33 D2 8A 10 40 B9 ???? 0000 8B F9 30 10 8A 10 40 49 75 F8 64 EF 86 3D 30 0000 0F B9 FF 4B 89 52 5C 4C BD 77 C2 0C CE 88 4E 2D E8 000000 5D 0D DB 5E 56 }
condition:
$a0
}
rule PEnguinCryptv10 {
meta: author="malware-lu"
strings:
$a0 = { B8 93 ???? 00 55 50 67 64 FF 36 0000 67 64 89 26 0000 BD 4B 48 43 42 B8 04 000000 CC 3C 04 75 04 9090 C3 90 67 64 8F 06 0000 58 5D BB 0000 40 00 33 C9 33 C0 }
condition:
$a0 at pe.entry_point
}
rule MetrowerksCodeWarriorDLLv20 {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 53 56 57 8B 75 0C 8B 5D 10 83 FE 01 74 05 83 FE 02 75 12 53 56 FF 75 08 E8 6E FF FF FF 09 C0 75 04 31 C0 EB 21 53 56 FF 75 08 E8 ???????? 89 C7 09 F6 74 05 83 FE 03 75 0A 53 56 FF 75 08 E8 47 FF FF FF 89 F8 8D 65 F4 5F 5E 5B 5D C2 0C 00 C9 }
condition:
$a0
}
rule PECrc32088ZhouJinYu {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED B6 A4 45 00 8D BD B0 A4 45 00 81 EF 82 000000 }
condition:
$a0 at pe.entry_point
}
rule PECompactv123b3v1241 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 08 }
condition:
$a0 at pe.entry_point
}
rule Noodlecrypt2rsc {
meta: author="malware-lu"
strings:
$a0 = { EB 01 9A E8 76 000000 }
condition:
$a0 at pe.entry_point
}
rule RLPack120BasicEditionLZMAAp0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 9C 0C 0000 EB 0C 8B 85 98 0C 0000 89 85 9C 0C 0000 8D B5 C4 0C 0000 8D 9D 82 04 0000 33 FF 6A 40 68 00 10 0000 68 00 20 0C 00 6A 00 FF 95 2D 0C 0000 89 85 94 0C 0000 E8 59 01 0000 EB 20 60 8B 85 9C 0C 0000 FF B5 94 0C 0000 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01PENightMare2BetaAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E9 10 000000 EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A E9 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakeXtremeProtector105FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 E8 00000000 5D 81 0000000000 6A 45 E8 A3 000000 68 00000000 E8 }
condition:
$a0 at pe.entry_point
}
rule RLPackv118BasicDLLLZMAAp0x {
meta: author="malware-lu"
strings:
$a0 = { 80 7C 24 08 01 0F 85 ???????? 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 21 0B 0000 8D 9D FF 02 0000 33 FF E8 9F 01 0000 6A 40 68 00 10 0000 68 00 20 0C 00 6A 00 FF 95 AA 0A 0000 89 85 F9 0A 0000 EB 14 60 FF B5 F9 0A }
condition:
$a0 at pe.entry_point
}
rule CrypKeyv5v6 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???????? 58 83 E8 05 50 5F 57 8B F7 81 EF ???????? 83 C6 39 BA ???????? 8B DF B9 0B ?????? 8B 06 }
condition:
$a0 at pe.entry_point
}
rule InnoSetupModulev109a {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 C0 53 56 57 33 C0 89 45 F0 89 45 C4 89 45 C0 E8 A7 7F FF FF E8 FA 92 FF FF E8 F1 B3 FF FF 33 C0 }
condition:
$a0 at pe.entry_point
}
rule ObsidiumV1300ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 04 ???????? E8 29 000000 }
$a1 = { EB 04 ???????? E8 ?? 000000 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PCryptv351 {
meta: author="malware-lu"
strings:
$a0 = { 50 43 52 59 50 54 FF 76 33 2E 35 31 00 E9 }
condition:
$a0 at pe.entry_point
}
rule ThinstallEmbedded2312Jitit {
meta: author="malware-lu"
strings:
$a0 = { 6A 00 FF 15 ???????? E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 0000 C7 40 0C 01 000000 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 000000 C2 04 00 8B 44 24 04 C7 41 0C 01 000000 89 81 29 04 0000 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 000000 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 000000 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
condition:
$a0 at pe.entry_point
}
rule WWPACKv305c4Extractable {
meta: author="malware-lu"
strings:
$a0 = { 03 05 00 1A B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 B9 ???? 51 06 06 B1 ?? 51 8C D3 }
condition:
$a0 at pe.entry_point
}
rule RLPackAp0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 2C 0A 0000 8D 9D 22 02 0000 33 FF E8 83 01 0000 6A 40 68 00 10 0000 68 00 20 0C 00 6A 00 FF 95 CD 09 0000 89 85 14 0A 0000 EB 14 60 FF B5 14 0A }
$a1 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 5A 0A 0000 8D 9D 40 02 0000 33 FF E8 83 01 0000 6A 40 68 00 10 0000 68 00 20 0C 00 6A 00 FF 95 EB 09 0000 89 85 3A 0A 0000 EB 14 60 FF B5 3A 0A }
$a2 = { 60 E8 00000000 8B 2C 24 83 C4 04 EB 03 0C 0000 EB 03 0C 0000 8D B5 CB 22 0000 8D 9D F0 02 0000 33 FF E8 47 02 0000 EB 03 15 0000 6A 40 68 00 10 0000 68 00 20 0C 00 6A 00 FF 95 9B 0A }
$a3 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 2C 0A 0000 8D 9D 22 02 0000 33 FF E8 ???????? 6A 40 68 ???????? 68 ???????? 6A 00 FF 95 CD 09 0000 89 85 ???????? EB 14 60 FF B5 14 0A }
$a4 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 5A 0A 0000 8D 9D 40 02 0000 33 FF E8 ???????? 6A 40 68 ???????? 68 ???????? 6A 00 FF 95 EB 09 0000 89 85 ???????? EB 14 60 FF B5 3A 0A }
$a5 = { 60 E8 00000000 8B 2C 24 83 C4 04 EB 03 ?????? EB 03 ?????? 8D B5 CB 22 0000 8D 9D F0 02 0000 33 FF E8 ???????? EB 03 ?????? 6A 40 68 ???????? 68 ???????? 6A 00 FF 95 9B 0A }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point or $a4 at pe.entry_point or $a5 at pe.entry_point
}
rule PseudoSigner02VOBProtectCD5Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 36 3E 26 8A C0 60 E8 00000000 }
condition:
$a0 at pe.entry_point
}
rule PESpinv04x {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B }
condition:
$a0
}
rule PseudoSigner02WatcomCCDLLAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 53 56 57 55 8B 74 24 14 8B 7C 24 18 8B 6C 24 1C 83 FF 03 0F 87 01 000000 F1 }
condition:
$a0 at pe.entry_point
}
rule yodasCrypter13AshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 56 57 60 E8 00000000 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
condition:
$a0 at pe.entry_point
}
rule D1NS1GD1N {
meta: author="malware-lu"
strings:
$a0 = { 18 37 000000000000 01 00 0A 000000 18 0000 80 00000000 ???? 18 37 00000000 02 000000 88 0000 80 38 0000 80 96 0000 80 50 0000 80 00000000 ???? 18 37 000000000000 01 0000000000 68 00000000000000 ???? 18 37 000000000000 01 0000000000 78 000000 B0 F0 0000 10 0000000000000000000000 C0 F0 0000 60 0000000000000000000000 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 00000000000000000000000000 }
condition:
$a0
}
rule FSGv110EngdulekxtMicrosoftVisualC6070ASM {
meta: author="malware-lu"
strings:
$a0 = { E8 01 000000 5A 5E E8 02 000000 BA DD 5E 03 F2 EB 01 64 BB 80 ???? 00 8B FA EB 01 A8 }
condition:
$a0 at pe.entry_point
}
rule ASPackv102aAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 81 ED 3E D9 43 ?? B8 38 ?????? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ???? 75 15 FE 85 01 DE 43 ?? E8 1D ?????? E8 79 02 ???? E8 12 03 ???? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01MinGWGCC2xAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 E8 02 000000 C9 C3 9090 45 58 45 E9 }
condition:
$a0 at pe.entry_point
}
rule Armadillov253 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 40 ?????? 68 54 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?????? 33 D2 8A D4 89 15 EC }
$a1 = { 55 8B EC 6A FF 68 ???????? 40 ???????? 68 54 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF ?????? 15 58 33 D2 8A D4 89 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule Armadillov252 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? E0 ???????? 68 D4 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF ?????? 15 38 }
$a1 = { 55 8B EC 6A FF 68 E0 ?????? 68 D4 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 38 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule Armadillov251 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 B8 ?????? 68 D0 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 20 }
condition:
$a0 at pe.entry_point
}
rule Armadillov250 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 B8 ?????? 68 F8 ?????? 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?????? 33 D2 8A D4 89 15 D0 }
condition:
$a0 at pe.entry_point
}
rule Obsidium1331ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 01 ?? E8 29 000000 EB 02 ???? EB 03 ?????? 8B 54 24 0C EB 02 ???? 83 82 B8 000000 24 EB 04 ???????? 33 C0 EB 02 ???? C3 EB 02 ???? EB 02 ???? 64 67 FF 36 0000 EB 04 ???????? 64 67 89 26 0000 EB 01 ?? EB 02 ???? 50 EB 01 ?? 33 C0 EB 04 ???????? 8B 00 EB 03 ?????? C3 EB 03 ?????? E9 FA 000000 EB 02 ???? E8 D5 FF FF FF EB 01 ?? EB 04 ???????? 58 EB 02 ???? EB 04 ???????? 64 67 8F 06 0000 EB 01 ?? 83 C4 04 EB 02 ???? E8 5F 27 0000 }
condition:
$a0 at pe.entry_point
}
rule CExev10a {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 0C 02 ???? 56 BE 04 01 ???? 8D 85 F8 FE FF FF 56 50 6A ?? FF 15 54 10 40 ?? 8A 8D F8 FE FF FF 33 D2 84 C9 8D 85 F8 FE FF FF 74 16 }
condition:
$a0 at pe.entry_point
}
rule DIETv144v145f {
meta: author="malware-lu"
strings:
$a0 = { F8 9C 06 1E 57 56 52 51 53 50 0E FC 8C C8 BA ???? 03 D0 52 }
condition:
$a0 at pe.entry_point
}
rule PECompactv098 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D7 84 40 ?? 87 DD 8B 85 5C 85 }
condition:
$a0 at pe.entry_point
}
rule PECompactv099 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 2F 85 40 ?? 87 DD 8B 85 B4 85 }
condition:
$a0 at pe.entry_point
}
rule NsPacKV30LiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 07 000000 2B E8 8D B5 ???????? 66 8B 06 66 83 F8 00 74 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtMicrosoftVisualBasic5060 {
meta: author="malware-lu"
strings:
$a0 = { C1 CB 10 EB 01 0F B9 03 74 F6 EE 0F B6 D3 8D 05 83 ???? EF 80 F3 F6 2B C1 EB 01 DE 68 77 }
condition:
$a0 at pe.entry_point
}
rule PECompactv090 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???? 40 00 C3 9C 60 BD ???? 0000 B9 02 000000 B0 90 8D BD 7A 42 40 00 F3 AA 01 AD D9 43 40 00 FF B5 }
condition:
$a0 at pe.entry_point
}
rule PECompactv092 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 BD ???????? B9 02 ?????? B0 90 8D BD A5 4F 40 ?? F3 AA 01 AD 04 51 40 ?? FF B5 }
condition:
$a0 at pe.entry_point
}
rule PECompactv094 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 ???????? 5D 55 58 81 ED ???????? 2B 85 ???????? 01 85 ???????? 50 B9 02 }
condition:
$a0 at pe.entry_point
}
rule PeX099bartCrackPl {
meta: author="malware-lu"
strings:
$a0 = { E9 F5 ?????? 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
condition:
$a0 at pe.entry_point
}
rule ObsidiumV1304ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 ?? 000000 }
condition:
$a0 at pe.entry_point
}
rule SoftwareCompressv14LITEBGSoftwareProtectTechnologies {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 81 2C 24 AA 1A 41 00 5D E8 00000000 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 000000 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A }
$a1 = { E8 00000000 81 2C 24 AA 1A 41 00 5D E8 00000000 83 2C 24 6E 8B 85 5D 1A 41 00 29 04 24 8B 04 24 89 85 5D 1A 41 00 58 8B 85 5D 1A 41 00 8B 50 3C 03 D0 8B 92 80 000000 03 D0 8B 4A 58 89 8D 49 1A 41 00 8B 4A 5C 89 8D 4D 1A 41 00 8B 4A 60 89 8D 55 1A 41 00 8B 4A 64 89 8D 51 1A 41 00 8B 4A 74 89 8D 59 1A 41 00 68 00 20 0000 E8 D2 000000 50 8D 8D 00 1C 41 00 50 51 E8 1B 000000 83 C4 08 58 8D 78 74 8D B5 49 1A 41 00 B9 18 000000 F3 A4 05 A4 000000 50 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 000000 73 F6 33 C9 E8 64 000000 73 1C 33 C0 E8 5B 000000 73 23 B3 02 41 B0 10 E8 4F 000000 12 C0 73 F7 75 3F AA EB D4 E8 4D 000000 2B CB 75 10 E8 42 000000 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 000000 3D 00 7D 0000 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 FF 74 24 24 6A 40 FF 95 4D 1A 41 00 89 44 24 1C 61 C2 04 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule FixupPakv120 {
meta: author="malware-lu"
strings:
$a0 = { 55 E8 00000000 5D 81 ED ???? 0000 BE 00 ?? 0000 03 F5 BA 0000 ???? 2B D5 8B DD 33 C0 AC 3C 00 74 3D 3C 01 74 0E 3C 02 74 0E 3C 03 74 0D 03 D8 29 13 EB E7 66 AD EB F6 AD EB F3 AC 0F B6 C8 3C 00 74 06 3C 01 74 09 EB 0A 66 AD 0F B7 C8 EB 03 AD 8B C8 }
condition:
$a0 at pe.entry_point
}
rule ARCSFXArchive {
meta: author="malware-lu"
strings:
$a0 = { 8C C8 8C DB 8E D8 8E C0 89 ?????? 2B C3 A3 ???? 89 ?????? BE ???? B9 ???? BF ???? BA ???? FC AC 32 C2 8A D8 }
condition:
$a0 at pe.entry_point
}
rule MoleBoxv230Teggo {
meta: author="malware-lu"
strings:
$a0 = { 42 04 E8 ???? 0000 A3 ?????? 00 8B 4D F0 8B 11 89 15 ?????? 00 ?? 45 FC A3 ?????? 00 5F 5E 8B E5 5D C3 CCCCCCCCCCCCCCCCCCCCCC E8 EB FB FF FF 58 E8 ?? 07 0000 58 89 44 24 20 61 58 FF D0 E8 ???? 0000 CCCCCCCCCCCCCC }
condition:
$a0
}
rule VxIgor {
meta: author="malware-lu"
strings:
$a0 = { 1E B8 CD 7B CD 21 81 FB CD 7B 75 03 E9 87 00 33 DB 0E 1F 8C }
condition:
$a0 at pe.entry_point
}
rule FACRYPTv10 {
meta: author="malware-lu"
strings:
$a0 = { B9 ???? B3 ?? 33 D2 BE ???? 8B FE AC 32 C3 AA 49 43 32 E4 03 D0 E3 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01WATCOMCCEXEAnorganix {
meta: author="malware-lu"
strings:
$a0 = { E9 00000000 90909090 57 41 E9 }
condition:
$a0 at pe.entry_point
}
rule RLPackV115V117aPlib043ap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 ???????? 8D 9D ???????? 33 FF E8 45 01 0000 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB }
condition:
$a0 at pe.entry_point
}
rule EmbedPEv113cyclotron {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 50 60 68 5D B9 52 5A E8 2F 99 0000 DC 99 F3 57 05 68 }
condition:
$a0 at pe.entry_point
}
rule eXcaliburv103forgotus {
meta: author="malware-lu"
strings:
$a0 = { E9 00000000 60 E8 14 000000 5D 81 ED 00000000 6A 45 E8 A3 000000 68 00000000 E8 58 61 EB 39 20 45 78 63 61 6C 69 62 75 72 20 28 63 29 20 62 79 20 66 6F 72 67 6F 74 2F 75 53 2F 44 46 43 47 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 }
condition:
$a0 at pe.entry_point
}
rule Petite14 {
meta: author="malware-lu"
strings:
$a0 = { 66 9C 60 50 8B D8 03 00 68 54 BC 0000 6A 00 FF 50 14 8B CC }
condition:
$a0
}
rule Petite12 {
meta: author="malware-lu"
strings:
$a0 = { 66 9C 60 E8 CA 000000 03 00 04 00 05 00 06 00 07 00 08 00 }
condition:
$a0 at pe.entry_point
}
rule Petite13 {
meta: author="malware-lu"
strings:
$a0 = { 66 9C 60 50 8D 88 00 F0 0000 8D 90 04 16 0000 8B DC 8B E1 }
condition:
$a0
}
rule Upack021betaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 88 01 40 00 AD 8B F8 6A 04 95 A5 33 C0 AB 48 AB F7 D8 59 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 }
condition:
$a0 at pe.entry_point
}
rule WebCopsEXELINKDataSecurity {
meta: author="malware-lu"
strings:
$a0 = { EB 03 05 EB 02 EB FC 55 EB 03 EB 04 05 EB FB EB 53 E8 04 000000 72 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02FSG10Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090 68 ???????? 67 64 FF 36 0000 67 64 89 26 0000 F1 90909090 BB D0 01 40 00 BF 00 10 40 00 BE 90909090 53 E8 0A 000000 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }
condition:
$a0 at pe.entry_point
}
rule ThemidaOreansTechnologies2004 {
meta: author="malware-lu"
strings:
$a0 = { B8 00000000 60 0B C0 74 58 E8 00000000 58 05 43 000000 80 38 E9 75 03 61 EB 35 E8 }
condition:
$a0 at pe.entry_point
}
rule VxNumberOne {
meta: author="malware-lu"
strings:
$a0 = { F9 07 3C 53 6D 69 6C 65 3E E8 }
condition:
$a0 at pe.entry_point
}
rule WinKriptv10MrCrimson {
meta: author="malware-lu"
strings:
$a0 = { 33 C0 8B B8 00 ?????? 8B 90 04 ?????? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 83 C0 08 EB D5 61 E9 ???????? 00000000000000000000000000000000000000000000000000000000000000000000 }
condition:
$a0 at pe.entry_point
}
rule tElockv085f {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 02 000000 CD 20 E8 00000000 5E 2B C9 58 74 02 }
condition:
$a0 at pe.entry_point
}
rule RosAsm2050aBetov {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 60 8B 5D 08 B9 08 000000 BF ???????? 83 C7 07 FD 8A C3 24 0F 04 30 3C 39 76 02 04 07 AA C1 EB 04 E2 EE FC 68 00 10 0000 68 ???????? 68 ???????? 6A 00 FF 15 ???????? 61 8B E5 5D C2 04 00 }
condition:
$a0
}
rule Obsidium13021ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 03 ?????? E8 2E 000000 EB 04 ???????? EB 04 ???????? 8B 54 24 0C EB 04 ???????? 83 82 B8 000000 23 EB 01 ?? 33 C0 EB 04 ???????? C3 EB 03 ?????? EB 02 ???? 64 67 FF 36 0000 EB 01 ?? 64 67 89 26 0000 EB 02 ???? EB 02 ???? 50 EB 01 ?? 33 C0 EB 03 ?????? 8B 00 EB 03 ?????? C3 EB 03 ?????? E9 FA 000000 EB 04 ???????? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ???????? EB 04 ???????? 64 67 8F 06 0000 EB 03 ?????? 83 C4 04 EB 04 ???????? E8 2B 26 0000 }
condition:
$a0 at pe.entry_point
}
rule ASPackv211dAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 02 000000 EB 09 5D 55 }
condition:
$a0 at pe.entry_point
}
rule ASPackv211cAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 02 000000 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 0000 }
condition:
$a0 at pe.entry_point
}
rule ACProtect14xRISCOsoft {
meta: author="malware-lu"
strings:
$a0 = { 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 45 78 69 74 50 72 6F 63 65 73 73 000000 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 }
condition:
$a0
}
rule SplashBitmapv100BoBBobsoft {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 60 8B 6C 24 20 55 81 ED ???????? 8D BD ???????? 8D 8D ???????? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 0000 75 E8 89 85 ???????? 8D BD ???????? 6A 00 }
condition:
$a0 at pe.entry_point
}
rule PEZipv10byBaGIE {
meta: author="malware-lu"
strings:
$a0 = { D9 D0 F8 74 02 23 DB F5 F5 50 51 52 53 8D 44 24 10 50 55 56 57 D9 D0 22 C9 C1 F7 A0 55 66 C1 C8 B0 5D 81 E6 FF FF FF FF F8 77 07 52 76 03 72 01 90 5A C1 E0 60 90 BD 1F 01 0000 87 E8 E2 07 E3 05 17 5D 47 E4 42 41 7F 06 50 66 83 EE 00 58 25 FF FF FF FF 51 }
condition:
$a0
}
rule LamerStopv10ccStefanEsser {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 05 ???? CD 21 33 C0 8E C0 26 ?????? 2E ?????? 26 ?????? 2E ?????? BA ???? FA }
condition:
$a0 at pe.entry_point
}
rule ACProtectV14Xrisco {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 01 000000 7C 83 04 24 06 C3 }
condition:
$a0 at pe.entry_point
}
rule VxGRUNT2Family {
meta: author="malware-lu"
strings:
$a0 = { 48 E2 F7 C3 51 53 52 E8 DD FF 5A 5B 59 C3 B9 0000 E2 FE C3 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakeMicrosoftVisualC70FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 6A 00 68 ???????? E8 ???????? BF ???????? 8B C7 E8 ???????? 89 65 00 8B F4 89 3E 56 FF 15 ???????? 8B 4E ?? 89 0D ?????? 00 8B 46 00 A3 }
condition:
$a0 at pe.entry_point
}
rule InstallStub32bit {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 14 ?? 0000 53 56 57 6A 00 FF 15 ???????? 68 ???????? FF 15 ???????? 85 C0 74 29 }
condition:
$a0 at pe.entry_point
}
rule VcasmProtector10evcasm {
meta: author="malware-lu"
strings:
$a0 = { EB 0A 5B 56 50 72 6F 74 65 63 74 5D }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakePEBundle20x24xemadicius {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 02 000000 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 83 BD 9C 38 40 00 01 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule Armadillov190b4 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 08 E2 40 00 68 B4 96 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule UPXv103v104Modified {
meta: author="malware-lu"
strings:
$a0 = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 000000 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }
condition:
$a0 at pe.entry_point
}
rule NsPackV2XLiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 6E 73 70 61 63 6B 24 40 }
condition:
$a0
}
rule ThemidaWinLicenseV1000V1800OreansTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 00000000 60 0B C0 74 58 E8 00000000 58 05 ?? 000000 80 38 E9 75 ?? 61 EB ?? E8 00000000 }
condition:
$a0 at pe.entry_point
}
rule PACKWINv101p {
meta: author="malware-lu"
strings:
$a0 = { 8C C0 FA 8E D0 BC ???? FB 06 0E 1F 2E ???????? 8B F1 4E 8B FE 8C DB 2E ???????? 8E C3 FD F3 A4 53 B8 ???? 50 CB }
condition:
$a0 at pe.entry_point
}
rule PECompactv110b1 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 28 63 40 ?? 87 DD 8B 85 AD 63 }
condition:
$a0 at pe.entry_point
}
rule MicroJoiner15coban2k {
meta: author="malware-lu"
strings:
$a0 = { BF 05 10 40 00 83 EC 30 8B EC E8 C8 FF FF FF E8 C3 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule ANDpakk2018byDmitryANDAndreev {
meta: author="malware-lu"
strings:
$a0 = { FC BE D4 00 40 00 BF 00 ???? 00 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3 }
condition:
$a0 at pe.entry_point
}
rule PECompactv110b2 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 94 60 }
condition:
$a0 at pe.entry_point
}
rule PECompactv110b5 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 9090 BB 49 }
condition:
$a0 at pe.entry_point
}
rule NJoy10NEX {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 B8 9C 3B 40 00 E8 8C FC FF FF 6A 00 68 E4 39 40 00 6A 0A 6A 00 E8 40 FD FF FF E8 EF F5 FF FF 8D 40 00 }
condition:
$a0 at pe.entry_point
}
rule PECompactv110b7 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 9090 01 85 92 60 40 ?? BB 14 }
condition:
$a0 at pe.entry_point
}
rule PECompactv110b6 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 ?? 00 87 DD 8B 85 9A 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 9090 01 85 92 60 40 ?? BB B7 }
condition:
$a0 at pe.entry_point
}
rule KBysPacker028BetaShoooo {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5E 83 EE 0A 8B 06 03 C2 8B 08 89 4E F3 83 EE 0F 56 52 8B F0 AD AD 03 C2 8B D8 6A 04 BF 00 10 0000 57 57 6A 00 FF 53 08 5A 59 BD 00 80 0000 55 6A 00 50 51 52 50 89 06 AD AD 03 C2 50 AD 03 C2 FF D0 6A 04 57 AD 50 6A 00 FF 53 }
condition:
$a0
}
rule nPack113002006BetaNEOx {
meta: author="malware-lu"
strings:
$a0 = { 83 3D ?????????? 75 05 E9 01 000000 C3 E8 46 000000 E8 73 000000 B8 ???????? 2B 05 ???????? A3 ???????? E8 9C 000000 E8 2D 02 0000 E8 DD 06 0000 E8 2C 06 0000 A1 ???????? C7 05 ???????????????? 01 05 ???????? FF 35 ???????? C3 C3 56 57 68 ???????? FF 15 ???????? 8B 35 ???????? 8B F8 68 ???????? 57 FF D6 68 ???????? 57 A3 ???????? FF D6 5F A3 ???????? 5E C3 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02BorlandC1999Anorganix {
meta: author="malware-lu"
strings:
$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90909090 A1 ???????? A3 }
condition:
$a0 at pe.entry_point
}
rule ASPackv100bAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }
condition:
$a0 at pe.entry_point
}
rule SEAAXEv22 {
meta: author="malware-lu"
strings:
$a0 = { FC BC ???? 0E 1F A3 ???? E8 ???? A1 ???? 8B ?????? 2B C3 8E C0 B1 03 D3 E3 8B CB BF ???? 8B F7 F3 A5 }
condition:
$a0 at pe.entry_point
}
rule PureBasic4xDLLNeilHodgson {
meta: author="malware-lu"
strings:
$a0 = { 83 7C 24 08 01 75 0E 8B 44 24 04 A3 ?????? 10 E8 22 000000 83 7C 24 08 02 75 00 83 7C 24 08 00 75 05 E8 ?? 000000 83 7C 24 08 03 75 00 B8 01 000000 C2 0C 00 68 00000000 68 00 10 0000 68 00000000 E8 ?? 0F 0000 A3 }
condition:
$a0 at pe.entry_point
}
rule EXEPackerv70byTurboPowerSoftware {
meta: author="malware-lu"
strings:
$a0 = { 1E 06 8C C3 83 ???? 2E ???????? B9 ???? 8C C8 8E D8 8B F1 4E 8B FE }
condition:
$a0 at pe.entry_point
}
rule VxSYP {
meta: author="malware-lu"
strings:
$a0 = { 47 8B C2 05 1E 00 52 8B D0 B8 02 3D CD 21 8B D8 5A }
condition:
$a0 at pe.entry_point
}
rule DSHIELD: Packer PEiD {
meta: author="malware-lu"
strings:
$a0 = { 06 E8 ???? 5E 83 EE ?? 16 17 9C 58 B9 ???? 25 ???? 2E }
condition:
$a0 at pe.entry_point
}
rule kkrunchy023alphaRyd {
meta: author="malware-lu"
strings:
$a0 = { BD 08 ???? 00 C7 45 00 ?????? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?????? 00 57 BE ?????? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 000000 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10 8D 9D A0 08 0000 E8 ?? 000000 8B 45 10 EB 42 8D 9D A0 04 0000 E8 ?? 000000 49 49 78 40 8D 5D 20 74 03 83 C3 40 31 D2 42 E8 ?? 000000 8D 0C 48 F6 C2 10 74 F3 41 91 8D 9D A0 08 0000 E8 ?? 000000 3D 00 08 0000 83 D9 FF 83 F8 60 83 D9 FF 89 45 10 56 89 FE 29 C6 F3 A4 5E EB 90 BE ?????? 00 BB ?????? 00 55 46 AD 85 C0 74 ?? 97 56 FF 13 85 C0 74 16 95 AC 84 C0 75 FB 38 06 74 E8 78 ?? 56 55 FF 53 04 AB 85 C0 }
condition:
$a0 at pe.entry_point
}
rule NJoy12NEX {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 B8 A4 32 40 00 E8 E8 F1 FF FF 6A 00 68 54 2A 40 00 6A 0A 6A 00 E8 A8 F2 FF FF E8 C7 EA FF FF 8D 40 00 }
condition:
$a0 at pe.entry_point
}
rule AntiDote12DemoSISTeam {
meta: author="malware-lu"
strings:
$a0 = { E8 F7 FE FF FF 05 CB 22 0000 FF E0 E8 EB FE FF FF 05 BB 19 0000 FF E0 E8 BD 000000 08 B2 62 00 01 52 17 0C 0F 2C 2B 20 7F 52 79 01 30 07 17 29 4F 01 3C 30 2B 5A 3D C7 26 11 26 06 59 0E 78 2E 10 14 0B 13 1A 1A 3F 64 1D 71 33 57 21 09 24 8B 1B 09 37 08 61 0F 1D 1D 2A 01 87 35 4C 07 39 0B }
condition:
$a0
}
rule EXE32Packv137 {
meta: author="malware-lu"
strings:
$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ???????? 02 81 ?????????????? 3B DB 74 01 BE 5D 8B D5 81 ED 4C 8E 40 }
condition:
$a0 at pe.entry_point
}
rule EXE32Packv136 {
meta: author="malware-lu"
strings:
$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ???????? 02 81 ?????????????? 3B DB 74 01 BE 5D 8B D5 81 ED CC 8D 40 }
condition:
$a0 at pe.entry_point
}
rule AINEXEv230 {
meta: author="malware-lu"
strings:
$a0 = { 0E 07 B9 ???? BE ???? 33 FF FC F3 A4 A1 ???? 2D ???? 8E D0 BC ???? 8C D8 }
condition:
$a0 at pe.entry_point
}
rule ThinstallEmbedded20XJitit {
meta: author="malware-lu"
strings:
$a0 = { B8 EF BE AD DE 50 6A 00 FF 15 ???????? E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 0000 C7 40 0C 01 000000 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 000000 C2 04 00 8B 44 24 04 C7 41 0C 01 000000 89 81 29 04 0000 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 000000 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 000000 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
condition:
$a0 at pe.entry_point
}
rule EXECryptorv151x {
meta: author="malware-lu"
strings:
$a0 = { E8 24 ?????? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?????????????? 31 C0 89 41 14 89 41 18 80 A1 C1 ?????? FE C3 31 C0 64 FF 30 64 89 20 CC C3 }
condition:
$a0 at pe.entry_point
}
rule Obsidiumv1304ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 25 000000 EB 04 ???????? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 000000 23 EB 01 ?? 33 C0 EB 02 ???? C3 EB 02 ???? EB 04 ???????? 64 67 FF 36 0000 EB 03 ?????? 64 67 89 26 0000 EB 02 ???? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 }
$a1 = { EB 02 ???? E8 25 000000 EB 04 ???????? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 000000 23 EB 01 ?? 33 C0 EB 02 ???? C3 EB 02 ???? EB 04 ???????? 64 67 FF 36 0000 EB 03 ?????? 64 67 89 26 0000 EB 02 ???? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ???? E9 FA 000000 EB 02 ???? E8 D5 FF FF FF EB 03 ?????? EB 04 ???????? 58 EB 02 ???? EB 04 ???????? 64 67 8F 06 0000 EB 03 ?????? 83 C4 04 EB 01 ?? E8 3B 26 0000 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule CopyProtectorv20 {
meta: author="malware-lu"
strings:
$a0 = { 2E A2 ???? 53 51 52 1E 06 B4 ?? 1E 0E 1F BA ???? CD 21 1F }
condition:
$a0 at pe.entry_point
}
rule EXE32Packv139 {
meta: author="malware-lu"
strings:
$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ???????? 02 81 ?????????????? 3B DB 74 01 BE 5D 8B D5 81 ED EC 8D 40 }
condition:
$a0 at pe.entry_point
}
rule EXE32Packv138 {
meta: author="malware-lu"
strings:
$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC ???????? 02 81 ?????????????? 3B DB 74 01 BE 5D 8B D5 81 ED DC 8D 40 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtBorlandC1999 {
meta: author="malware-lu"
strings:
$a0 = { EB 02 CD 20 2B C8 68 80 ???? 00 EB 02 1E BB 5E EB 02 CD 20 68 B1 2B 6E 37 40 5B 0F B6 C9 }
condition:
$a0 at pe.entry_point
}
rule ThinstallEmbedded2547V2600Jitit {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 58 BB BC 18 0000 2B C3 50 68 ???????? 68 60 1B 0000 68 60 000000 E8 35 FF FF FF E9 99 FF FF FF 0000 }
condition:
$a0 at pe.entry_point
}
rule FSGv131Engdulekxt {
meta: author="malware-lu"
strings:
$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?????? 00 53 BB ?????? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 000000 02 F6 83 D9 01 75 10 E8 38 000000 EB 28 AC D1 E8 74 48 13 C9 EB }
condition:
$a0 at pe.entry_point
}
rule SDProtectorBasicProEdition110RandyLi {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00000000 50 64 89 25 00000000 58 64 A3 00000000 58 58 58 58 8B E8 50 83 EC 08 64 A1 00000000 64 FF 35 00000000 64 89 25 00000000 83 C4 08 50 64 FF 35 00000000 64 89 25 00000000 64 }
condition:
$a0 at pe.entry_point
}
rule Petite12c1998IanLuck {
meta: author="malware-lu"
strings:
$a0 = { 66 9C 60 E8 CA 000000 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 000000000000000000000000 01 01 01 01 02 02 02 }
condition:
$a0 at pe.entry_point
}
rule PcSharev40 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 90 34 40 00 68 B6 28 40 00 64 A1 }
condition:
$a0 at pe.entry_point
}
rule VProtector0X12Xvcasm {
meta: author="malware-lu"
strings:
$a0 = { 0000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 0000000000 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F ???????????????????? 00000000000000000000000000000000000000000000000000 33 F6 E8 10 000000 8B 64 24 08 64 8F 05 00000000 58 EB 13 C7 83 64 FF 35 00000000 64 89 25 00000000 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 000000 E8 1F 000000 EB FA E8 16 000000 E9 EB F8 0000 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 000000 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 }
condition:
$a0
}
rule STNPEE113 {
meta: author="malware-lu"
strings:
$a0 = { 55 57 56 52 51 53 E8 00000000 5D 8B D5 81 ED 97 3B 40 00 }
condition:
$a0 at pe.entry_point
}
rule SoftDefenderV11xRandyLi {
meta: author="malware-lu"
strings:
$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 }
condition:
$a0 at pe.entry_point
}
rule CDCopsII {
meta: author="malware-lu"
strings:
$a0 = { 53 60 BD ???????? 8D 45 ?? 8D 5D ?? E8 ???????? 8D }
condition:
$a0 at pe.entry_point
}
rule RLPack11BasicEditionap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 4A 02 0000 8D 9D 11 01 0000 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 0000 68 }
condition:
$a0 at pe.entry_point
}
rule EXE32Packv13x {
meta: author="malware-lu"
strings:
$a0 = { 3B ?? 74 02 81 83 55 3B ?? 74 02 81 ?? 53 3B ?? 74 01 ?????????? 02 81 ???? E8 ???????? 3B 74 01 ?? 5D 8B D5 81 ED }
condition:
$a0 at pe.entry_point
}
rule VxInvoluntary1349 {
meta: author="malware-lu"
strings:
$a0 = { BA ???? B9 ???? 8C DD ?? 8C C8 ?? 8E D8 8E C0 33 F6 8B FE FC ???? AD ?? 33 C2 AB }
condition:
$a0 at pe.entry_point
}
rule WinZip32bit6x {
meta: author="malware-lu"
strings:
$a0 = { FF 15 FC 81 40 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 }
condition:
$a0 at pe.entry_point
}
rule NsPacKV36LiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D 83 ED 07 8D ?????????? 83 38 01 0F 84 47 02 0000 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02LCCWin321xAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 64 A1 01 000000 55 89 E5 6A FF 68 ???????? 68 9A 10 40 90 50 }
condition:
$a0 at pe.entry_point
}
rule EXECrypt10ReBirth {
meta: author="malware-lu"
strings:
$a0 = { 9090 60 E8 00000000 5D 81 ED D1 27 40 00 B9 15 000000 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 0000 B9 96 0C 0000 90 8D BD 4E 28 40 00 8B F7 AC }
condition:
$a0 at pe.entry_point
}
rule NJoy11NEX {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 B8 0C 3C 40 00 E8 24 FC FF FF 6A 00 68 28 3A 40 00 6A 0A 6A 00 E8 D8 FC FF FF E8 7F F5 FF FF 8D 40 00 }
condition:
$a0 at pe.entry_point
}
rule PEcryptbyarchphase {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 E0 53 56 33 C0 89 45 E4 89 45 E0 89 45 EC ???????? 64 82 40 00 E8 7C C7 FF FF 33 C0 55 68 BE 84 40 00 64 FF 30 64 89 20 68 CC 84 40 00 ???????? 00 A1 10 A7 40 00 50 E8 1D C8 FF FF 8B D8 85 DB 75 39 E8 3A C8 FF FF 6A 00 6A 00 68 A0 A9 40 00 68 00 04 0000 50 6A 00 68 00 13 0000 E8 FF C7 FF FF 6A 00 68 E0 84 40 00 A1 A0 A9 40 00 50 6A 00 E8 ???????? E9 7D 01 0000 53 A1 10 A7 40 00 50 E8 42 C8 FF FF 8B F0 85 F6 75 18 6A 00 68 E0 84 40 00 68 E4 84 40 00 6A 00 E8 71 C8 FF FF E9 53 01 0000 53 6A 00 E8 2C C8 FF FF A3 ???????? 83 3D 48 A8 40 0000 75 18 6A 00 68 E0 84 40 00 68 F8 84 40 00 6A 00 E8 43 C8 FF FF E9 25 01 0000 56 E8 F8 C7 FF FF A3 4C A8 40 00 A1 48 A8 40 00 E8 91 A1 FF FF 8B D8 8B 15 48 A8 40 00 85 D2 7C 16 42 33 C0 8B 0D 4C A8 40 00 03 C8 8A 09 8D 34 18 88 0E 40 4A 75 ED 8B 15 48 A8 40 00 85 D2 7C 32 42 33 C0 8D 34 18 8A 0E 80 F9 01 75 05 C6 06 FF EB 1C 8D 0C 18 8A 09 84 ?????????? 00 EB 0E 8B 0D 4C A8 40 00 03 C8 0F B6 09 49 88 0E 40 4A 75 D1 8D ???????? E8 A5 A3 FF FF 8B 45 E8 8D 55 EC E8 56 D5 FF FF 8D 45 EC BA 18 85 40 00 E8 79 BA FF FF 8B 45 EC E8 39 BB FF FF 8B D0 B8 54 A8 40 00 E8 31 A6 FF FF BA 01 000000 B8 54 A8 40 00 E8 12 A9 FF FF E8 DD A1 FF FF 68 50 A8 40 00 8B D3 8B 0D 48 A8 40 00 B8 54 A8 40 00 E8 56 A7 FF FF E8 C1 A1 FF FF }
condition:
$a0 at pe.entry_point
}
rule CrunchPEv30xx {
meta: author="malware-lu"
strings:
$a0 = { EB 10 ???????????????????????????????? 55 E8 ???????? 5D 81 ED 18 ?????? 8B C5 55 60 9C 2B 85 ???????? 89 85 ???????? FF 74 }
condition:
$a0 at pe.entry_point
}
rule LameCryptLaZaRus {
meta: author="malware-lu"
strings:
$a0 = { 60 66 9C BB 00 ???? 00 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 B8 ???? 40 00 FF E0 }
condition:
$a0 at pe.entry_point
}
rule NsPack29NorthStar {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 07 000000 2B E8 8D B5 ???? FF FF 8A 06 3C 00 74 12 8B F5 8D B5 ???? FF FF 8A 06 3C 01 0F 84 42 02 0000 C6 06 01 8B D5 2B 95 ???? FF FF 89 95 ???? FF FF 01 95 ???? FF FF 8D B5 ???? FF FF 01 16 60 6A 40 68 00 10 0000 68 00 10 0000 6A 00 FF 95 ???? FF FF 85 C0 0F 84 6A 03 0000 89 85 ???? FF FF E8 00000000 5B B9 68 03 0000 03 D9 50 53 E8 B1 02 0000 61 8B 36 8B FD 03 BD ???? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00000000 EB 16 B9 01 000000 03 3B 83 C3 04 83 3B 00 74 36 }
condition:
$a0 at pe.entry_point
}
rule BeRoEXEPackerv100LZBRSBeRoFarbrausch {
meta: author="malware-lu"
strings:
$a0 = { 60 BE ???????? BF ???????? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ???????? 72 03 A4 EB F2 E8 ???????? 8D 51 FF E8 ???????? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtBorlandC {
meta: author="malware-lu"
strings:
$a0 = { 23 CA EB 02 5A 0D E8 02 000000 6A 35 58 C1 C9 10 BE 80 ???? 00 0F B6 C9 EB 02 CD 20 BB }
$a1 = { 23 CA EB 02 5A 0D E8 02 000000 6A 35 58 C1 C9 10 BE 80 ???? 00 0F B6 C9 EB 02 CD 20 BB F4 000000 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule VIRUSIWormKLEZ {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 40 D2 40 ?? 68 04 AC 40 ?? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 BC D0 }
condition:
$a0
}
rule YZPack12UsAr {
meta: author="malware-lu"
strings:
$a0 = { 4D 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02LocklessIntroPackAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 2C E8 EB 1A 9090 5D 8B C5 81 ED F6 73 9090 2B 85 90909090 83 E8 06 89 85 FF 01 EC AD }
condition:
$a0 at pe.entry_point
}
rule PKLITE3211 {
meta: author="malware-lu"
strings:
$a0 = { 50 4B 4C 49 54 45 33 32 20 43 6F 70 79 72 69 67 68 74 20 31 }
condition:
$a0 at pe.entry_point
}
rule FSGv20bartxt {
meta: author="malware-lu"
strings:
$a0 = { 87 25 ?????? 00 61 94 55 A4 B6 80 FF 13 }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakeSVKP111emadicius {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 06 000000 64 A0 23 000000 83 C5 06 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtMASM32TASM32MicrosoftVisualBasic {
meta: author="malware-lu"
strings:
$a0 = { F7 D8 0F BE C2 BE 80 ???? 00 0F BE C9 BF 08 3B 65 07 EB 02 D8 29 BB EC C5 9A F8 EB 01 94 }
condition:
$a0 at pe.entry_point
}
rule EXECryptor239DLLminimumprotection {
meta: author="malware-lu"
strings:
$a0 = { 51 68 ???????? 87 2C 24 8B CD 5D 81 E1 ???????? E9 ?????? 00 89 45 F8 51 68 ???????? 59 81 F1 ???????? 0B 0D ???????? 81 E9 ???????? E9 ?????? 00 81 C2 ???????? E8 ?????? 00 87 0C 24 59 51 64 8B 05 30 000000 8B 40 0C 8B 40 0C E9 ?????? 00 F7 D6 2B D5 E9 ?????? 00 87 3C 24 8B CF 5F 87 14 24 1B CA E9 ?????? 00 83 C4 08 68 ???????? E9 ?????? 00 C3 E9 ?????? 00 E9 ?????? 00 50 8B C5 87 04 24 8B EC 51 0F 88 ?????? 00 FF 05 ???????? E9 ?????? 00 87 0C 24 59 99 03 04 24 E9 ?????? 00 C3 81 D5 ???????? 9C E9 ?????? 00 81 FA ???????? E9 ?????? 00 C1 C3 15 81 CB ???????? 81 F3 ???????? 81 C3 ???????? 87 }
condition:
$a0 at pe.entry_point
}
rule Frusionbiff {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 0C 53 55 56 57 68 04 01 0000 C7 44 24 14 }
condition:
$a0 at pe.entry_point
}
rule OpenSourceCodeCrypterp0ke {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B9 09 000000 6A 00 6A 00 49 75 F9 53 56 57 B8 34 44 40 00 E8 28 F8 FF FF 33 C0 55 68 9F 47 40 00 64 FF 30 64 89 20 BA B0 47 40 00 B8 1C 67 40 00 E8 07 FD FF FF 8B D8 85 DB 75 07 6A 00 E8 C2 F8 FF FF BA 28 67 40 00 8B C3 8B 0D 1C 67 40 00 E8 F0 E0 FF FF BE 01 000000 B8 2C 68 40 00 E8 E1 F0 FF FF BF 0A 000000 8D 55 EC 8B C6 E8 92 FC FF FF 8B 4D EC B8 2C 68 40 00 BA BC 47 40 00 E8 54 F2 FF FF A1 2C 68 40 00 E8 52 F3 FF FF 8B D0 B8 20 67 40 00 E8 A2 FC FF FF 8B D8 85 DB 0F 84 52 02 0000 B8 24 67 40 00 8B 15 20 67 40 00 E8 78 F4 FF FF B8 24 67 40 00 E8 7A F3 FF FF 8B D0 8B C3 8B 0D 20 67 40 00 E8 77 E0 FF FF 8D 55 E8 A1 24 67 40 00 E8 42 FD FF FF 8B 55 E8 B8 24 67 40 00 }
condition:
$a0
}
rule QrYPt0rbyNuTraL {
meta: author="malware-lu"
strings:
$a0 = { 80 F9 00 0F 84 8D 01 0000 8A C3 ???????????????????????????????????????????????????????????????????????????????????????????????????? 32 C1 3C F3 75 89 ???????????????????????????????????????????????????????????????????????????????????????????????????? BA D9 04 0000 E8 00000000 5F 81 C7 16 01 0000 80 2C 3A 01 }
$a1 = { 86 18 CC 64 FF 35 00000000 ???????????????????????????????????????????????????????????????????????????????????????????????????? 64 89 25 00000000 BB 0000 F7 BF ???????????????????????????????????????????????????????????????????????????????????????????????????? B8 78 56 34 12 87 03 E8 CD FE FF FF E8 B3 }
$a2 = { EB 00 E8 B5 000000 E9 2E 01 0000 64 FF 35 00000000 ???????????????????????????????????????????????????????????????????????????????????????????????????? 64 89 25 00000000 8B 44 24 04 }
condition:
$a0 or $a1 or $a2 at pe.entry_point
}
rule EXECryptor2xxmaxcompressedresources {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 EC FC 53 57 56 89 45 FC 89 55 F8 89 C6 89 D7 66 81 3E 4A 43 0F 85 23 01 0000 83 C6 0A C7 45 F4 08 000000 31 DB BA 000000 80 43 31 C0 E8 11 01 0000 73 0E 8B 4D F0 E8 1F 01 0000 02 45 EF AA EB E9 E8 FC 000000 0F 82 97 000000 E8 F1 000000 73 5B B9 04 000000 E8 FD 000000 48 74 DE 0F 89 C7 000000 E8 D7 000000 73 1B 55 BD 00 01 0000 E8 D7 000000 88 07 47 4D 75 F5 E8 BF 000000 72 E9 5D EB A2 B9 01 000000 E8 C8 000000 83 C0 07 89 45 F0 C6 45 EF 00 83 F8 08 74 89 E8 A9 000000 88 45 EF E9 7C FF FF FF B9 07 000000 E8 A2 000000 50 }
condition:
$a0
}
rule Upackv024v028AlphaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 88 01 40 00 AD ???? 95 AD 91 F3 A5 AD }
condition:
$a0 at pe.entry_point
}
rule ThinstallEmbedded24222428Jitit {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B8 ???????? BB ???????? 50 E8 00000000 58 2D 9B 1A 0000 B9 84 1A 0000 BA 14 1B 0000 BE 00 10 0000 BF B0 53 0000 BD E0 1A 0000 03 E8 81 75 00 ???????? 81 75 04 ???????? 81 75 08 ???????? 81 75 0C ???????? 81 75 10 }
condition:
$a0 at pe.entry_point
}
rule SVKProtectorv1051 {
meta: author="malware-lu"
strings:
$a0 = { 60 EB 03 C7 84 E8 EB 03 C7 84 9A E8 00000000 5D 81 ED 10 000000 EB 03 C7 84 E9 64 A0 23 000000 EB }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakeZCode101FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 E9 12 000000000000000000000000000000 E9 FB FF FF FF C3 68 00000000 64 FF 35 }
condition:
$a0 at pe.entry_point
}
rule PEPacker {
meta: author="malware-lu"
strings:
$a0 = { FC 8B 35 70 01 40 ?? 83 EE 40 6A 40 68 ?? 30 10 }
condition:
$a0 at pe.entry_point
}
rule ProgramProtectorXPv10 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???????? 58 83 D8 05 89 C3 81 C3 ???????? 8B 43 64 50 }
condition:
$a0 at pe.entry_point
}
rule SimplePack111Method2NTbagieTMX {
meta: author="malware-lu"
strings:
$a0 = { 4D 5A 90 EB 01 00 52 E9 89 01 0000 50 45 0000 4C 01 02 00000000000000000000000000 E0 00 0F 03 0B 01 }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032aemadicius {
meta: author="malware-lu"
strings:
$a0 = { E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 000000 E8 }
$a1 = { EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 }
$a2 = { E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF FF FF 00 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C }
condition:
$a0 or $a1 or $a2 at pe.entry_point
}
rule VxHafen1641 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 01 ?????? CE CC 25 ???? 25 ???? 25 ???? 40 51 D4 ?????? CC 47 CA ???? 46 8A CC 44 88 CC }
condition:
$a0 at pe.entry_point
}
rule NativeUDPacker11ModdedPoisonIvyShellcodeokkixot {
meta: author="malware-lu"
strings:
$a0 = { 31 C0 31 DB 31 C9 EB 0E 6A 00 6A 00 6A 00 6A 00 FF 15 28 41 40 00 FF 15 94 40 40 00 89 C7 68 88 13 0000 FF 15 98 40 40 00 FF 15 94 40 40 00 81 C7 88 13 0000 39 F8 73 05 E9 84 000000 6A 40 68 00 10 0000 FF 35 04 30 40 00 6A 00 FF 15 A4 40 40 00 89 C7 FF 35 04 30 40 00 68 CA 10 40 00 50 FF 15 A8 40 40 00 6A 40 68 00 10 0000 FF 35 08 30 40 00 6A 00 FF 15 A4 40 40 00 89 C6 68 00 30 40 00 FF 35 04 30 40 00 57 FF 35 08 30 40 00 50 6A 02 FF 15 4E 41 40 00 6A 00 6A 00 6A 00 56 6A 00 6A 00 FF 15 9C 40 40 00 50 6A 00 6A 00 6A 11 50 FF 15 4A 41 40 00 58 6A FF 50 FF 15 AC 40 40 00 6A 00 FF 15 A0 40 }
condition:
$a0 at pe.entry_point
}
rule EXECryptor2xxcompressedresources {
meta: author="malware-lu"
strings:
$a0 = { 56 57 53 31 DB 89 C6 89 D7 0F B6 06 89 C2 83 E0 1F C1 EA 05 74 2D 4A 74 15 8D 5C 13 02 46 C1 E0 08 89 FA 0F B6 0E 46 29 CA 4A 29 C2 EB 32 C1 E3 05 8D 5C 03 04 46 89 FA 0F B7 0E 29 CA 4A 83 C6 02 EB 1D C1 E3 04 46 89 C1 83 E1 0F 01 CB C1 E8 05 73 07 43 89 F2 01 DE EB 06 85 DB 74 0E EB A9 56 89 D6 89 D9 F3 A4 31 DB 5E EB 9D 89 F0 5B 5F 5E C3 }
condition:
$a0
}
rule NXPEPackerv10 {
meta: author="malware-lu"
strings:
$a0 = { FF 60 FF CA FF 00 BA DC 0D E0 40 00 50 00 60 00 70 00 80 00 }
condition:
$a0 at pe.entry_point
}
rule PolyBoxCAnskya {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 53 56 B8 E4 41 00 10 E8 3A E1 FF FF 33 C0 55 68 11 44 00 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 6A 0A 68 20 44 00 10 A1 1C 71 00 10 50 E8 CC E1 ???????? 85 DB 0F 84 77 01 0000 53 A1 1C 71 00 10 50 E8 1E E2 FF FF 8B F0 85 F6 0F 84 61 01 0000 53 A1 1C 71 00 10 50 E8 E0 E1 FF FF 85 C0 0F 84 4D 01 0000 50 E8 DA E1 FF FF 8B D8 85 DB 0F 84 3D 01 0000 56 B8 70 80 00 10 B9 01 000000 8B 15 98 41 00 10 E8 9E DE FF FF 83 C4 04 A1 70 80 00 10 8B CE 8B D3 E8 E1 E1 FF FF 6A 00 6A 00 A1 70 80 00 10 B9 30 44 00 10 8B D6 E8 F8 FD FF FF }
condition:
$a0
}
rule UPolyXv05 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC ?? 00 BD 46 00 8B ?? B9 ?? 000000 80 ???? 51 ???????? 00 ???????????????????????????????????????????????????? 0000000000000000000000000000000000000000000000000000000000000000000000 }
$a1 = { 83 EC 04 89 14 24 59 BA ?? 000000 52 ???????????????????????????????????????????????????????????????????????????????????????????????????????????????? 00 ?????????????????????????? 00 }
$a2 = { BB 00 BD 46 00 83 EC 04 89 1C 24 ?? B9 ?? 000000 80 33 ???????????? 00 ?????????????????????????? 00 ???????????????????????? 000000000000000000000000000000000000000000000000000000000000000000 }
$a3 = { E8 00000000 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 83 EC 04 89 ?? 24 B9 ?? 000000 81 ???????? 00 ?????????????????????????????????????????? 000000000000000000000000000000000000000000000000000000000000 }
$a4 = { E8 00000000 59 83 C1 07 51 C3 C3 ?? 00 BD 46 00 ?? B9 ?? 000000 ?????????????????????????????????????????????????????? 0000000000000000000000000000000000000000000000000000000000000000000000 }
$a5 = { EB 01 C3 ?? 00 BD 46 00 ???????????????????????????????????????????????????????????????????????????????????????????? 00000000000000000000000000000000000000000000000000000000000000 }
condition:
$a0 or $a1 or $a2 or $a3 or $a4 or $a5
}
rule beriav007publicWIPsymbiont {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 18 53 8B 1D 00 30 ???? 55 56 57 68 30 07 0000 33 ED 55 FF D3 8B F0 3B F5 74 0D 89 AE 20 07 0000 E8 88 0F 0000 EB 02 33 F6 6A 10 55 89 35 30 40 ???? FF D3 8B F0 3B F5 74 09 89 2E E8 3C FE FF FF EB 02 33 F6 6A 18 55 89 35 D8 43 ???? FF D3 8B F0 }
condition:
$a0 at pe.entry_point
}
rule PCGuardv405dv410dv415d {
meta: author="malware-lu"
strings:
$a0 = { FC 55 50 E8 00000000 5D EB 01 }
condition:
$a0 at pe.entry_point
}
rule asscrypterbysantasdad {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 EC 53 ???????? 89 45 EC B8 98 40 00 10 E8 AC EA FF FF 33 C0 55 68 78 51 00 10 64 ???????? 20 6A 0A 68 88 51 00 10 A1 E0 97 00 10 50 E8 D8 EA FF FF 8B D8 53 A1 E0 97 00 10 50 E8 12 EB FF FF 8B F8 53 A1 E0 97 00 10 50 E8 DC EA FF FF 8B D8 53 E8 DC EA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 F0 97 00 10 E8 C9 E7 FF FF B8 F0 97 00 10 E8 B7 E7 FF FF 8B CF 8B D6 E8 EE EA FF FF 53 E8 98 EA FF FF 8D 4D EC BA 9C 51 00 10 A1 F0 97 00 10 E8 22 EB FF FF 8B 55 EC B8 F0 97 00 10 E8 89 E6 FF FF B8 F0 97 00 10 E8 7F E7 FF FF E8 6E EC FF FF 33 C0 5A 59 59 64 89 10 68 7F 51 00 10 8D 45 EC E8 11 E6 FF FF C3 E9 FF DF FF FF EB F0 5F 5E 5B E8 0D E5 FF FF 00 53 45 54 54 49 4E 47 53 00000000 FF FF FF FF 1C 000000 45 4E 54 45 52 20 59 4F 55 52 20 4F 57 4E 20 50 41 53 53 57 4F 52 44 20 48 45 52 45 }
condition:
$a0 at pe.entry_point
}
rule CopyControlv303 {
meta: author="malware-lu"
strings:
$a0 = { CC 9090 EB 0B 01 50 51 52 53 54 61 33 61 2D 35 CA D1 07 52 D1 A1 3C }
condition:
$a0 at pe.entry_point
}
rule FSGv110Engbartxt {
meta: author="malware-lu"
strings:
$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?????? 00 53 E8 0A 000000 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 000000 2B CB 75 10 E8 38 00 }
condition:
$a0 at pe.entry_point
}
rule Elanguage {
meta: author="malware-lu"
strings:
$a0 = { E8 06 000000 50 E8 ?? 01 0000 55 8B EC 81 C4 F0 FE FF FF }
condition:
$a0 at pe.entry_point
}
rule EXELOCK66615 {
meta: author="malware-lu"
strings:
$a0 = { BA ???? BF ???? EB ?? EA ???????? 79 ?? 7F ?? 7E ?? 1C ?? 48 78 ?? E3 ?? 45 14 ?? 5A E9 }
condition:
$a0 at pe.entry_point
}
rule AdysGluev010 {
meta: author="malware-lu"
strings:
$a0 = { 2E 8C 06 ???? 0E 07 33 C0 8E D8 BE ???? BF ???? FC B9 ???? 56 F3 A5 1E 07 5F }
condition:
$a0 at pe.entry_point
}
rule SVKProtectorv132 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 06 000000 EB 05 B8 06 36 42 00 64 A0 23 }
condition:
$a0 at pe.entry_point
}
rule PKLITEv114v115v1203 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? BA ???? 05 ???? 3B ?????? 72 ?? B4 09 BA ?? 01 CD 21 CD 20 4E 6F }
condition:
$a0 at pe.entry_point
}
rule SafeGuardV10Xsimonzh2000 {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 EB 29 ???????????????????????????????????????????????????? 59 9C 81 C1 E2 FF FF FF EB 01 ?? 9D FF E1 }
condition:
$a0 at pe.entry_point
}
rule PEiDBundlev102v103DLLBoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { 83 7C 24 08 01 0F 85 ???????? 60 E8 9C 000000000000000000000000000000 41 00 08 00 39 00 08 000000000000000000000000000000000000000000 01 0000 80 000000 }
condition:
$a0 at pe.entry_point
}
rule FreeJoinerSmallbuild023GlOFF {
meta: author="malware-lu"
strings:
$a0 = { E8 E1 FD FF FF 6A 00 E8 0C 000000 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
condition:
$a0 at pe.entry_point
}
rule PrivatePersonalPackerPPP102ConquestOfTroycom {
meta: author="malware-lu"
strings:
$a0 = { E8 17 000000 E8 68 000000 FF 35 2C 37 00 10 E8 ED 01 0000 6A 00 E8 2E 04 0000 E8 41 04 0000 A3 74 37 00 10 6A 64 E8 5F 04 0000 E8 30 04 0000 A3 78 37 00 10 6A 64 E8 4E 04 0000 E8 1F 04 0000 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 000000 73 07 6A 00 E8 D9 03 0000 C3 6A 0A 6A 07 6A 00 E8 D3 03 0000 A3 20 37 00 10 50 6A 00 E8 DE 03 0000 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 0000 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 0000 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9 }
condition:
$a0
}
rule DIETv102bv110av120 {
meta: author="malware-lu"
strings:
$a0 = { BE ???? BF ???? B9 ???? 3B FC 72 ?? B4 4C CD 21 FD F3 A5 FC }
condition:
$a0 at pe.entry_point
}
rule UPXECLiPSElayer {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? B9 ???????? 33 D2 EB 01 0F 56 EB 01 0F E8 03 000000 EB 01 0F EB 01 0F 5E EB 01 }
condition:
$a0 at pe.entry_point
}
rule Obsidium1334ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 29 000000 EB 03 ?????? EB 02 ???? 8B 54 24 0C EB 03 ?????? 83 82 B8 000000 25 EB 02 ???? 33 C0 EB 02 ???? C3 EB 03 ?????? EB 01 ?? 64 67 FF 36 0000 EB 02 ???? 64 67 89 26 0000 EB 02 ???? EB 04 ???????? 50 EB 02 ???? 33 }
$a1 = { EB 02 ???? E8 29 000000 EB 03 ?????? EB 02 ???? 8B 54 24 0C EB 03 ?????? 83 82 B8 000000 25 EB 02 ???? 33 C0 EB 02 ???? C3 EB 03 ?????? EB 01 ?? 64 67 FF 36 0000 EB 02 ???? 64 67 89 26 0000 EB 02 ???? EB 04 ???????? 50 EB 02 ???? 33 C0 EB 01 ?? 8B 00 EB 04 ???????? C3 EB 03 ?????? E9 FA 000000 EB 02 ???? E8 D5 FF FF FF EB 02 ???? EB 03 ?????? 58 EB 02 ???? EB 03 ?????? 64 67 8F 06 0000 EB 03 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PKLITEv150Devicedrivercompression {
meta: author="malware-lu"
strings:
$a0 = { B4 09 BA 14 01 CD 21 B8 00 4C CD 21 F8 9C 50 53 51 52 56 57 55 1E 06 BB }
condition:
$a0 at pe.entry_point
}
rule VxGrazie883 {
meta: author="malware-lu"
strings:
$a0 = { 1E 0E 1F 50 06 BF 70 03 B4 1A BA 70 03 CD 21 B4 47 B2 00 BE 32 04 CD 21 }
condition:
$a0 at pe.entry_point
}
rule PROTECTEXECOMv60 {
meta: author="malware-lu"
strings:
$a0 = { 1E B4 30 CD 21 3C 02 73 ?? CD 20 BE ???? E8 }
condition:
$a0 at pe.entry_point
}
rule ENIGMAProtectorSukhovVladimir {
meta: author="malware-lu"
strings:
$a0 = { 45 6E 69 67 6D 61 20 70 72 6F 74 65 63 74 6F 72 20 76 31 }
condition:
$a0
}
rule CRYPToCRACksPEProtectorV093LukasFleischer {
meta: author="malware-lu"
strings:
$a0 = { 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 0000 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 0000 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 0000 03 C1 }
condition:
$a0 at pe.entry_point
}
rule PECompactv147v150 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 9090 01 85 9E A0 40 ?? BB 5B 12 }
condition:
$a0 at pe.entry_point
}
rule PocketPCMIB {
meta: author="malware-lu"
strings:
$a0 = { E8 FF BD 27 14 00 BF AF 18 00 A4 AF 1C 00 A5 AF 20 00 A6 AF 24 00 A7 AF ?????? 0C 00000000 18 00 A4 8F 1C 00 A5 8F 20 00 A6 8F ?????? 0C 24 00 A7 8F ?????? 0C 25 20 40 00 14 00 BF 8F 08 00 E0 03 18 00 BD 27 ?? FF BD 27 18 00 ?? AF ?? 00 }
condition:
$a0 at pe.entry_point
}
rule WWPACKv305c4ExtractableVirusShield {
meta: author="malware-lu"
strings:
$a0 = { 03 05 40 1A B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 B9 ???? 51 06 06 B1 ?? 51 8C D3 }
condition:
$a0 at pe.entry_point
}
rule VxNoon1163 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5B 50 56 B4 CB CD 21 3C 07 ???? 81 ?????? 2E ???? 4D 5A ???? BF 00 01 89 DE FC }
condition:
$a0 at pe.entry_point
}
rule PuNkMoD1xPuNkDuDe {
meta: author="malware-lu"
strings:
$a0 = { 94 B9 ???? 0000 BC ???????? 80 34 0C }
condition:
$a0
}
rule PECrypt32Consolev10v101v102 {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB }
condition:
$a0 at pe.entry_point
}
rule InnoSetupModulev2018 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 73 71 FF FF E8 DA 85 FF FF E8 81 A7 FF FF E8 C8 }
condition:
$a0
}
rule Nakedbind10nakedcrew {
meta: author="malware-lu"
strings:
$a0 = { 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B 4D 5A 74 08 81 EB 0000 }
condition:
$a0 at pe.entry_point
}
rule NsPacKV31LiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D 83 ED 07 8D 9D ???????? 8A 03 3C 00 74 }
condition:
$a0 at pe.entry_point
}
rule AntiVirusVaccinev103 {
meta: author="malware-lu"
strings:
$a0 = { FA 33 DB B9 ???? 0E 1F 33 F6 FC AD 35 ???? 03 D8 E2 }
condition:
$a0 at pe.entry_point
}
rule VxKuku448 {
meta: author="malware-lu"
strings:
$a0 = { AE 75 ED E2 F8 89 3E ???? BA ???? 0E 07 BF ???? EB }
condition:
$a0 at pe.entry_point
}
rule ASProtectv12xNewStrain {
meta: author="malware-lu"
strings:
$a0 = { 68 01 ?????? E8 01 ?????? C3 C3 }
condition:
$a0 at pe.entry_point
}
rule SimpleUPXCryptorv3042005OnelayerencryptionMANtiCORE {
meta: author="malware-lu"
strings:
$a0 = { 60 B8 ?????? 00 B9 ?? 01 0000 80 34 08 ?? E2 FA 61 68 ?????? 00 C3 }
condition:
$a0 at pe.entry_point
}
rule AntiDote10Demo12SISTeam {
meta: author="malware-lu"
strings:
$a0 = { 00000000 09 01 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 00 DB 01 47 65 74 56 65 72 73 69 6F 6E 45 78 41 00 73 01 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 0000 7A 03 57 61 69 74 46 6F 72 53 69 6E 67 6C 65 4F 62 6A 65 63 74 00 BF 02 52 65 73 75 6D 65 54 68 72 65 61 64 0000 29 03 53 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 0000 94 03 57 72 69 74 65 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 0000 6B 03 56 69 72 74 75 61 6C 41 6C 6C 6F 63 45 78 0000 A6 02 52 65 61 64 50 72 6F 63 65 73 73 4D 65 6D 6F 72 79 00 CA 01 47 65 74 54 68 72 65 61 64 43 6F 6E 74 65 78 74 0000 62 00 43 72 65 61 74 65 50 72 6F 63 65 73 73 41 0000 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C }
condition:
$a0
}
rule FSGv110EngbartxtWinRARSFX {
meta: author="malware-lu"
strings:
$a0 = { 80 E9 A1 C1 C1 13 68 E4 16 75 46 C1 C1 05 5E EB 01 9D 68 64 86 37 46 EB 02 8C E0 5F F7 D0 }
$a1 = { EB 01 02 EB 02 CD 20 B8 80 ?? 42 00 EB 01 55 BE F4 000000 13 DF 13 D8 0F B6 38 D1 F3 F7 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule BJFntv11b {
meta: author="malware-lu"
strings:
$a0 = { EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 }
condition:
$a0 at pe.entry_point
}
rule ThinstallEmbedded26202623Jitit {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 58 BB AC 1E 0000 2B C3 50 68 ???????? 68 B0 21 0000 68 C4 000000 E8 C3 FE FF FF E9 99 FF FF FF 0000 }
condition:
$a0 at pe.entry_point
}
rule SLVc0deProtector11xSLVICU {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 58 C6 00 EB C6 40 01 08 FF E0 E9 4C ???? 00 }
condition:
$a0 at pe.entry_point
}
rule RJoinerbyVaskaSignfrompinch250320071700 {
meta: author="malware-lu"
strings:
$a0 = { E8 03 FD FF FF 6A 00 E8 0C 000000 FF 25 6C 10 40 00 FF 25 70 10 40 00 FF 25 74 10 40 00 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 }
condition:
$a0 at pe.entry_point
}
rule AverCryptor10os1r1s {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 75 17 40 00 8B BD 9C 18 40 00 8B 8D A4 18 40 00 B8 BC 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 000000 75 62 8B 57 0C 03 95 A0 18 40 00 33 C0 51 33 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 A0 18 40 00 8B 85 A8 18 40 00 83 F8 02 75 06 81 C2 00 02 0000 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 0000 57 BF C8 000000 8B F1 E8 27 000000 8B C8 5F B8 BC 18 40 00 03 C5 E8 24 000000 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 98 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3 }
condition:
$a0 at pe.entry_point
}
rule nSpackV23LiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 70 61 63 6B 24 40 }
condition:
$a0
}
rule SENDebugProtector {
meta: author="malware-lu"
strings:
$a0 = { BB ???????? 00 ?????????? 29 ???? 4E E8 }
condition:
$a0 at pe.entry_point
}
rule xPEP03xxIkUg {
meta: author="malware-lu"
strings:
$a0 = { 55 53 56 51 52 57 E8 16 000000 }
condition:
$a0 at pe.entry_point
}
rule AntiDote14SESISTeam {
meta: author="malware-lu"
strings:
$a0 = { 68 90 03 0000 E8 C6 FD FF FF 68 90 03 0000 E8 BC FD FF FF 68 90 03 0000 E8 B2 FD FF FF 50 E8 AC FD FF FF 50 E8 A6 FD FF FF 68 69 D6 0000 E8 9C FD FF FF 50 E8 96 FD FF FF 50 E8 90 FD FF FF 83 C4 20 E8 78 FF FF FF 84 C0 74 4F 68 04 01 0000 68 10 22 60 00 6A 00 FF 15 08 10 60 00 68 90 03 0000 E8 68 FD FF FF 68 69 D6 0000 E8 5E FD FF FF 50 E8 58 FD FF FF 50 E8 52 FD FF FF E8 DD FE FF FF 50 68 A4 10 60 00 68 94 10 60 00 68 10 22 60 00 E8 58 FD FF FF 83 C4 20 33 C0 C2 10 00 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 }
condition:
$a0 at pe.entry_point
}
rule NsPack30NorthStar {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 07 000000 2B E8 8D B5 ???? FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ???? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 0000 C6 06 01 8B D5 2B 95 ???? FF FF 89 95 ???? FF FF 01 95 ???? FF FF 8D B5 ???? FF FF 01 16 60 6A 40 68 00 10 0000 68 00 10 0000 6A 00 FF 95 ???? FF FF 85 C0 0F 84 6A 03 0000 89 85 ???? FF FF E8 00000000 5B B9 68 03 0000 03 D9 50 53 E8 B1 02 0000 61 8B 36 8B FD 03 BD ???? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00000000 EB 16 B9 01 000000 03 3B 83 C3 04 83 3B 00 74 36 }
condition:
$a0 at pe.entry_point
}
rule ORiENV212FisunAV {
meta: author="malware-lu"
strings:
$a0 = { E9 5D 01 0000 CE D1 CE CD 0D }
condition:
$a0 at pe.entry_point
}
rule NsPackv23NorthStar {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 07 000000 2B E8 8D B5 ???? FF FF 8B 06 83 F8 00 74 11 8D B5 ???? FF FF 8B 06 83 F8 01 0F 84 4B 02 0000 C7 06 01 000000 8B D5 8B 85 ???? FF FF 2B D0 89 95 ???? FF FF 01 95 ???? FF FF 8D B5 ???? FF FF 01 16 8B 36 8B FD }
$a1 = { 9C 60 E8 00000000 5D B8 07 000000 2B E8 8D B5 ???? FF FF 8B 06 83 F8 00 74 11 8D B5 ???? FF FF 8B 06 83 F8 01 0F 84 4B 02 0000 C7 06 01 000000 8B D5 8B 85 ???? FF FF 2B D0 89 95 ???? FF FF 01 95 ???? FF FF 8D B5 ???? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 0000 68 00 10 0000 6A 00 FF 95 ???? FF FF 85 C0 0F 84 56 03 0000 89 85 ???? FF FF E8 00000000 5B B9 54 03 0000 03 D9 50 53 E8 9D 02 0000 61 }
condition:
$a0 or $a1
}
rule ObsidiumV1342ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 26 000000 EB 03 ?????? EB 01 ?? 8B 54 24 0C EB 02 ???? 83 82 B8 000000 24 EB 03 ?????? 33 C0 EB 01 ?? C3 EB 02 ???? EB 02 ???? 64 67 FF 36 0000 EB 03 ?????? 64 67 89 26 0000 EB 03 ?????? EB 03 ?????? 50 EB 04 ???????? 33 C0 EB 03 ?????? 8B 00 EB 03 ?????? C3 EB 03 ?????? E9 FA 000000 EB 03 ?????? E8 D5 FF FF FF EB 01 ?? EB 03 ?????? 58 EB 04 ???????? EB 04 ???????? 64 67 8F 06 0000 EB 04 ???????? 83 C4 04 EB 01 ?? E8 C3 27 0000 }
condition:
$a0 at pe.entry_point
}
rule SplashBitmapv100WithUnpackCodeBoBBobsoft {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 60 8B 6C 24 20 55 81 ED ???????? 8D BD ???????? 8D 8D ???????? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 0000 75 E8 89 85 ???????? 6A 40 }
condition:
$a0 at pe.entry_point
}
rule KBySV028shoooo {
meta: author="malware-lu"
strings:
$a0 = { 68 ???????? E8 01 000000 C3 C3 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 }
condition:
$a0 at pe.entry_point
}
rule ObsidiumV12XObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { E8 0E 000000 33 C0 8B 54 24 0C 83 82 B8 000000 0D C3 64 67 FF 36 0000 64 67 89 26 0000 50 33 C0 8B 00 C3 E9 FA 000000 E8 D5 FF FF FF 58 64 67 8F 06 0000 83 C4 04 E8 2B 13 0000 }
condition:
$a0 at pe.entry_point
}
rule NsPackV13LiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 B3 85 40 00 2D AC 85 40 00 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01PENinja131Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 909090909090909090909090909090909090909090909090909090909090909090909090 E9 }
condition:
$a0 at pe.entry_point
}
rule Obsidiumv1300ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 04 25 80 34 CA E8 29 000000 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 000000 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 0000 EB 04 0D F6 A8 7F 64 67 89 26 0000 EB 04 8D 68 C7 FB EB 01 6B }
$a1 = { EB 04 25 80 34 CA E8 29 000000 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 000000 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 0000 EB 04 0D F6 A8 7F 64 67 89 26 0000 EB 04 8D 68 C7 FB EB 01 6B 50 EB 03 8A 0B 93 33 C0 EB 02 28 B9 8B 00 EB 01 04 C3 EB 04 65 B3 54 0A E9 FA 000000 EB 01 A2 E8 D5 FF FF FF EB 02 2B 49 EB 03 7C 3E 76 58 EB 04 B8 94 92 56 EB 01 72 64 67 8F 06 0000 EB 02 23 72 83 C4 04 EB 02 A9 CB E8 47 26 0000 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule Feokt {
meta: author="malware-lu"
strings:
$a0 = { 89 25 A8 11 40 00 BF ?????? 00 31 C0 B9 ?????? 00 29 F9 FC F3 AA ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? E8 }
condition:
$a0 at pe.entry_point
}
rule NTkrnlSecureSuite01015NTkrnlSoftware {
meta: author="malware-lu"
strings:
$a0 = { 000000000000000000000000 34 10 0000 28 10 00000000000000000000000000000000000000000000 ???????????????? 00000000 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 68 ???????? E8 01 000000 C3 C3 }
condition:
$a0
}
rule PEPROTECT09 {
meta: author="malware-lu"
strings:
$a0 = { E9 CF 000000 0D 0A 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
condition:
$a0 at pe.entry_point
}
rule EXERefactorV01random {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 90 0B 0000 53 56 57 E9 58 8C 01 00 55 53 43 41 54 49 4F 4E }
condition:
$a0 at pe.entry_point
}
rule CrunchPEv40 {
meta: author="malware-lu"
strings:
$a0 = { EB 10 ???????????????????????????????? 55 E8 ???????? 5D 81 ED 18 ?????? 8B C5 55 60 9C 2B 85 E9 06 ???? 89 85 E1 06 ???? FF 74 24 2C E8 BB 01 0000 0F 82 92 05 0000 E8 F1 03 0000 49 0F 88 86 05 0000 68 6C D9 B2 96 33 C0 50 E8 24 }
condition:
$a0
}
rule NullsoftPIMPInstallSystemv1x {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 5C 53 55 56 57 FF 15 ?????? 00 }
condition:
$a0 at pe.entry_point
}
rule Pohernah100byKas {
meta: author="malware-lu"
strings:
$a0 = { 58 60 E8 00000000 5D 81 ED 20 25 40 00 8B BD 86 25 40 00 8B 8D 8E 25 40 00 6B C0 05 83 F0 04 89 85 92 25 40 00 83 F9 00 74 2D 81 7F 1C AB 000000 75 1E 8B 77 0C 03 B5 8A 25 40 00 31 C0 3B 47 10 74 0E 50 8B 85 92 25 40 00 30 06 58 40 46 EB ED 83 C7 28 49 EB CE 8B 85 82 25 40 00 89 44 24 1C 61 FF E0 }
condition:
$a0 at pe.entry_point
}
rule dUP2diablo2oo2 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???????? E8 ???????? 8B F0 6A 00 68 ???????? 56 E8 ???????? A2 ???????? 6A 00 68 ???????? 56 E8 ???????? A2 ???????? 6A 00 68 ???????? 56 E8 ???????? A2 ???????? 68 ???????? 68 ???????? 56 E8 ???????? 3C 01 75 19 BE ???????? 68 00 02 0000 56 68 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01ASPack2xxHeuristicAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090 68 ???????? 67 64 FF 36 0000 67 64 89 26 0000 F1 90909090 A8 03 0000 61 75 08 B8 01 000000 C2 0C 00 68 00000000 C3 8B 85 26 04 0000 8D 8D 3B 04 0000 51 50 FF 95 }
condition:
$a0 at pe.entry_point
}
rule eXpressorv145CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C }
condition:
$a0 at pe.entry_point
}
rule hmimysProtectv10 {
meta: author="malware-lu"
strings:
$a0 = { E8 BA 000000 ?? 00000000 ???? 0000 10 40 00 ?????? 00 ?????? 0000 ???? 00 ?????? 00 ?????? 00 ?????? 00 ?????? 00 ?????? 00 ?? 00000000000000 ?????? 000000000000000000 ?????? 00 ?????? 000000000000000000000000000000000000000000 ?????? 00 ?????? 00 ?????? 00 ?????? 0000000000 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 56 69 72 74 75 61 6C 46 72 65 65 000000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 0000 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9 }
$a1 = { E8 BA 000000 ?? 00000000 ???? 0000 10 40 00 ?????? 00 ?????? 0000 ???? 00 ?????? 00 ?????? 00 ?????? 00 ?????? 00 ?????? 00 ?? 00000000000000 ?????? 000000000000000000 ?????? 00 ?????? 000000000000000000000000000000000000000000 ?????? 00 ?????? 00 ?????? 00 ?????? 0000000000 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 56 69 72 74 75 61 6C 46 72 65 65 000000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 0000 AD 8B DE 8B F0 83 C3 44 AD 85 C0 74 32 8B F8 56 FF 13 8B E8 AC 84 C0 75 FB AC 84 C0 74 EA 4E AD A9 000000 }
condition:
$a0 at pe.entry_point or $a1
}
rule VProtectorV10Evcasm {
meta: author="malware-lu"
strings:
$a0 = { EB 0A 5B 56 50 72 6F 74 65 63 74 5D E8 24 000000 8B 44 24 04 8B 00 3D 04 0000 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00000000 74 F3 75 F1 EB 24 64 FF 35 00000000 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01LCCWin32DLLAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 909090 FF 75 10 FF 75 0C FF 75 08 A1 ???????? E9 }
condition:
$a0 at pe.entry_point
}
rule CodeCryptv014b {
meta: author="malware-lu"
strings:
$a0 = { E9 C5 02 0000 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
condition:
$a0 at pe.entry_point
}
rule PellesC450DLLX86CRTLIB {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 85 DB 75 0D 83 3D ???????? 00 75 04 31 C0 EB 57 83 FB 01 74 05 83 FB 02 75 }
condition:
$a0 at pe.entry_point
}
rule EEXEVersion112 {
meta: author="malware-lu"
strings:
$a0 = { B4 30 CD 21 3C 03 73 ?? BA 1F 00 0E 1F B4 09 CD 21 B8 FF 4C CD 21 }
condition:
$a0 at pe.entry_point
}
rule FSGv120EngdulekxtMASM32TASM32 {
meta: author="malware-lu"
strings:
$a0 = { 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 000000 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 000000 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 000000 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 000000 9D CE }
condition:
$a0 at pe.entry_point
}
rule PEDiminisherv01Teraphy {
meta: author="malware-lu"
strings:
$a0 = { 53 51 52 56 57 55 E8 00000000 5D 8B D5 81 ED A2 30 40 00 2B 95 91 33 40 00 81 EA 0B 000000 89 95 9A 33 40 00 80 BD 99 33 40 0000 74 50 E8 02 01 0000 8B FD 8D 9D 9A 33 40 00 8B 1B 8D 87 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02VBOX43MTEAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 }
condition:
$a0 at pe.entry_point
}
rule SEAAXE {
meta: author="malware-lu"
strings:
$a0 = { FC BC ???? 0E 1F E8 ???? 26 A1 ???? 8B 1E ???? 2B C3 8E C0 B1 ?? D3 E3 }
condition:
$a0 at pe.entry_point
}
rule UpackV010V011Dwing {
meta: author="malware-lu"
strings:
$a0 = { BE ???????? AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 ?? F3 AB C1 E0 ?? B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C ?? 73 ?? B0 ?? 3C ?? 72 02 2C ?? 50 0F B6 5F FF C1 E3 ?? B3 ?? 8D 1C 5B 8D ???????????? B0 ?? 67 E3 29 8B D7 2B 56 0C 8A 2A 33 D2 84 E9 0F 95 C6 52 FE C6 8A D0 8D 14 93 FF D5 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakePCGuard403415FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 FC 55 50 E8 00000000 5D EB 01 E3 60 E8 03 000000 D2 EB 0B 58 EB 01 48 40 EB 01 }
condition:
$a0 at pe.entry_point
}
rule SimplePack111Method1bagieTMX {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5B 8D 5B FA BD 0000 ???? 8B 7D 3C 8D 74 3D 00 8D BE F8 000000 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 0000 FF 77 10 6A 00 FF 93 38 03 0000 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC }
$a1 = { 60 E8 00000000 5B 8D 5B FA BD 0000 ???? 8B 7D 3C 8D 74 3D 00 8D BE F8 000000 0F B7 76 06 4E 8B 47 10 09 C0 74 55 0F B7 47 22 09 C0 74 4D 6A 04 68 00 10 0000 FF 77 10 6A 00 FF 93 38 03 0000 50 56 57 89 EE 03 77 0C 8B 4F 10 89 C7 89 C8 C1 E9 02 FC F3 A5 89 C1 83 E1 03 F3 A4 5F 5E 8B 04 24 89 EA 03 57 0C E8 3F 01 0000 58 68 00 40 0000 FF 77 10 50 FF 93 3C 03 0000 83 C7 28 4E 75 9E BE ???????? 09 F6 0F 84 0C 01 0000 01 EE 8B 4E 0C 09 C9 0F 84 FF 000000 01 E9 89 CF 57 FF 93 30 03 0000 09 C0 75 3D 6A 04 68 00 10 0000 68 00 10 0000 6A 00 FF 93 38 03 0000 89 C6 8D 83 6F 02 0000 57 50 56 FF 93 44 03 0000 6A 10 6A 00 56 6A 00 FF 93 48 03 0000 89 E5 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule MASM32: Packer PEiD {
meta: author="malware-lu"
strings:
$a0 = { 6A ?? 68 00 30 40 00 68 ?? 30 40 00 6A 00 E8 07 000000 6A 00 E8 06 000000 FF 25 08 20 }
condition:
$a0 at pe.entry_point
}
rule SoftDefenderv10v11 {
meta: author="malware-lu"
strings:
$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD ?? 59 9C 50 74 0A 75 08 E8 59 C2 04 ?? 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 ???????? 58 05 BA 01 ???? 03 C8 74 BE 75 BC E8 }
condition:
$a0 at pe.entry_point
}
rule XtremeProtectorv106 {
meta: author="malware-lu"
strings:
$a0 = { B8 ?????? 00 B9 75 ???? 00 50 51 E8 05 000000 E9 4A 01 0000 60 8B 74 24 24 8B 7C 24 28 FC B2 80 8A 06 46 88 07 47 BB 02 000000 02 D2 75 05 8A 16 46 12 D2 73 EA 02 D2 75 05 8A 16 46 12 D2 73 4F 33 C0 02 D2 75 05 8A 16 46 12 D2 0F 83 DF 000000 02 }
condition:
$a0 at pe.entry_point
}
rule VcasmProtector1112vcasm {
meta: author="malware-lu"
strings:
$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D }
condition:
$a0 at pe.entry_point
}
rule Obsidiumv1111 {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 E7 1C 0000 }
condition:
$a0 at pe.entry_point
}
rule VxEddie1530 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E 81 EE ???? FC 2E ???????? 4D 5A ???? FA 8B E6 81 C4 ???? FB 3B ?????????? 2E ???????? 50 06 56 1E 33 C0 50 1F C4 ?????? 2E ???????? 2E }
condition:
$a0 at pe.entry_point
}
rule KBySV028DLLshoooo {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? BA ???????? 03 C2 FF E0 ???????? 60 E8 00000000 }
condition:
$a0 at pe.entry_point
}
rule PEncrypt10JunkCode {
meta: author="malware-lu"
strings:
$a0 = { 60 9C BE 00 10 40 00 8B FE B9 ???????? BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 E9 ?????? FF }
condition:
$a0 at pe.entry_point
}
rule PEPasswordv02SMTSMF {
meta: author="malware-lu"
strings:
$a0 = { E8 04 ?????? 8B EC 5D C3 33 C0 5D 8B FD 81 ED 33 26 40 ?? 81 EF ???????? 83 EF 05 89 AD 88 27 40 ?? 8D 9D 07 29 40 ?? 8D B5 62 28 40 ?? 46 80 }
condition:
$a0 at pe.entry_point
}
rule EncryptPE22006710220061025WFS {
meta: author="malware-lu"
strings:
$a0 = { 60 9C 64 FF 35 00000000 E8 73 01 0000000000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????????????????????????????????????????????????????? 00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 47 65 74 54 65 6D 70 50 61 74 68 41 000000 43 72 65 61 74 65 46 69 6C 65 41 000000 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 000000 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 43 6C 6F 73 65 48 61 6E 64 6C 65 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 45 78 69 74 50 72 6F 63 65 73 73 }
condition:
$a0 at pe.entry_point
}
rule RCryptorv16Vaska {
meta: author="malware-lu"
strings:
$a0 = { 33 D0 68 ???????? FF D2 }
$a1 = { 33 D0 68 ???????? FF D2 B8 ???????? 3D ???????? 74 06 80 30 ?? 40 EB F3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PEPaCKv10CCopyright1998byANAKiN {
meta: author="malware-lu"
strings:
$a0 = { C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 0D 0A 20 2D 3D FE 20 50 45 2D 50 41 43 4B 20 76 31 2E 30 20 2D FE 2D 20 28 43 29 20 43 6F 70 }
condition:
$a0
}
rule YodasProtectorv1032Beta2AshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { E8 03 000000 EB 01 ?? BB 55 000000 E8 03 000000 EB 01 ?? E8 8F 000000 E8 03 000000 EB 01 ?? E8 82 000000 E8 03 000000 EB 01 ?? E8 B8 000000 }
condition:
$a0 at pe.entry_point
}
rule VxMTEnonencrypted {
meta: author="malware-lu"
strings:
$a0 = { F7 D9 80 E1 FE 75 02 49 49 97 A3 ???? 03 C1 24 FE 75 02 48 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01FSG131Anorganix {
meta: author="malware-lu"
strings:
$a0 = { BE 909090 00 BF 909090 00 BB 909090 00 53 BB 909090 00 B2 80 E9 }
condition:
$a0 at pe.entry_point
}
rule ASPackv212AlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 03 000000 E9 EB 04 5D 45 55 C3 E8 01 }
$a1 = { 60 E8 03 000000 E9 EB 04 5D 45 55 C3 E8 01 000000 EB 5D BB ED FF FF FF 03 DD 81 EB }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule Upack022023betaDwing {
meta: author="malware-lu"
strings:
$a0 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 }
$a1 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 59 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 0000 }
$a2 = { AD 8B F8 59 95 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 ?? 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 0000 }
condition:
$a0 or $a1 at pe.entry_point or $a2 at pe.entry_point
}
rule PseudoSigner01CodeLockAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B E9 }
condition:
$a0 at pe.entry_point
}
rule PKLITEv100c1 {
meta: author="malware-lu"
strings:
$a0 = { 2E 8C 1E ???? 8B 1E ???? 8C DA 81 C2 ???? 3B DA 72 ?? 81 EB ???? 83 EB ?? FA 8E D3 BC ???? FB FD BE ???? 8B FE }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakenSPack13emadicius {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 0000 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
condition:
$a0 at pe.entry_point
}
rule PKLITEv100c2 {
meta: author="malware-lu"
strings:
$a0 = { BA ???? A1 ???? 2D ???? 8C CB 81 C3 ???? 3B C3 77 ?? 05 ???? 3B C3 77 ?? B4 09 BA ???? CD 21 CD 20 90 }
condition:
$a0 at pe.entry_point
}
rule kkrunchyv017FGiesen {
meta: author="malware-lu"
strings:
$a0 = { FC FF 4D 08 31 D2 8D 7D 30 BE }
condition:
$a0
}
rule ACProtectv190gRiscosoftwareInc {
meta: author="malware-lu"
strings:
$a0 = { 60 0F 87 02 000000 1B F8 E8 01 000000 73 83 04 24 06 C3 }
condition:
$a0 at pe.entry_point
}
rule UPX293300LZMAMarkusOberhumerLaszloMolnarJohnReiser {
meta: author="malware-lu"
strings:
$a0 = { 60 BE ???????? 8D BE ???????? 57 89 E5 8D 9C 24 ???????? 31 C0 50 39 DC 75 FB 46 46 53 68 ???????? 57 83 C3 04 53 68 ???????? 56 83 C3 04 53 50 C7 03 03 00 02 00 9090909090 }
condition:
$a0 at pe.entry_point
}
rule Obsidium133720070623ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 27 000000 EB 03 ?????? EB 01 ?? 8B 54 24 0C EB 03 ?????? 83 82 B8 000000 23 EB 03 ?????? 33 C0 EB 02 ???? C3 EB 01 ?? EB 03 ?????? 64 67 FF 36 0000 EB 04 ???????? 64 67 89 26 0000 EB 01 ?? EB 01 ?? 50 EB 02 ???? 33 C0 EB 01 ?? 8B 00 EB 04 ???????? C3 EB 02 ???? E9 FA 000000 EB 04 ???????? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ???????? EB 01 ?? 64 67 8F 06 0000 EB 02 ???? 83 C4 04 EB 01 ?? E8 F7 26 0000 }
condition:
$a0 at pe.entry_point
}
rule ASPackv2000AlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 70 05 0000 EB 4C }
condition:
$a0 at pe.entry_point
}
rule Armadillov4000053SiliconRealmsToolworks {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 20 8B 4B 00 68 80 E4 48 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4B 00 33 D2 8A D4 89 15 A4 A1 4B 00 8B C8 81 E1 FF 000000 89 0D A0 A1 4B 00 C1 E1 08 03 CA 89 0D 9C A1 4B 00 C1 E8 10 A3 98 A1 }
condition:
$a0 at pe.entry_point
}
rule Armadillov160a {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 98 71 40 00 68 48 2D 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule ACProtectUltraProtect10X20XRiSco {
meta: author="malware-lu"
strings:
$a0 = { 0000000000000000 ???????????????????????? 0000000000000000 ?????????????????????????? 000000000000000000000000000000 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ???????????????????????????????? 00000000 55 53 45 52 33 32 2E 44 4C 4C 00 ???????? 00000000 ???????????????????????????????????????? 000000000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 45 78 69 74 50 72 6F 63 65 73 73 000000 4D 65 73 73 61 67 65 42 6F 78 41 00 90 4D 69 6E 65 49 6D 70 6F 72 74 5F 45 6E 64 73 73 00 }
condition:
$a0
}
rule Thinstall3035Jtit {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00000000 58 BB 37 1F 0000 2B C3 50 68 ???????? 68 00 28 0000 68 04 01 0000 E8 BA FE FF FF E9 90 FF FF FF CCCCCCCCCCCCCC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 000000 33 DB BA 00 }
$a1 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00000000 58 BB 37 1F 0000 2B C3 50 68 ???????? 68 00 28 0000 68 04 01 0000 E8 BA FE FF FF E9 90 FF FF FF CCCCCCCCCCCCCC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 000000 33 DB BA 000000 80 43 33 C0 E8 19 01 0000 73 0E 8B 4D F8 E8 27 01 0000 02 45 F7 AA EB E9 E8 04 01 0000 0F 82 96 000000 E8 F9 000000 73 5B B9 04 000000 E8 05 01 0000 48 74 DE 0F 89 C6 000000 E8 DF 000000 73 1B 55 BD 00 01 0000 E8 DF 000000 88 07 47 4D 75 F5 E8 C7 000000 72 E9 5D EB A2 B9 01 000000 E8 D0 000000 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 000000 88 45 F7 E9 7C FF FF FF B9 07 000000 E8 AA 000000 50 33 C9 B1 02 E8 A0 000000 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 000000 89 45 FC E9 48 FF FF FF E8 87 000000 49 E2 09 8B C3 E8 7D 000000 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 000000 0B C5 5D 8B D8 E8 5F 000000 3D 0000 01 00 73 14 3D FF 37 0000 73 0E 3D 7F 02 0000 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 C3 B9 08 000000 E8 01 000000 C3 33 C0 E8 E1 FF FF FF 13 C0 E2 F7 C3 33 C9 41 E8 D4 FF FF FF 13 C9 E8 CD FF FF FF 72 F2 C3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PENinjav10DzAkRAkerTNT {
meta: author="malware-lu"
strings:
$a0 = { BE 5B 2A 40 00 BF 35 12 0000 E8 40 12 0000 3D 22 83 A3 C6 0F 85 67 0F 0000 90909090909090909090909090909090909090909090 }
condition:
$a0 at pe.entry_point
}
rule ThinstallEmbedded19XJitit {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 ???????? 50 E8 87 FC FF FF 59 59 A1 ???????? 8B 40 10 03 05 ???????? 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 000000 }
condition:
$a0 at pe.entry_point
}
rule EXECryptorv13045 {
meta: author="malware-lu"
strings:
$a0 = { E8 24 000000 8B 4C 24 0C C7 01 17 00 01 00 C7 81 ?????????????? 31 C0 89 41 14 89 41 18 80 A1 }
$a1 = { E8 24 ?????? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 ?????????????? 31 C0 89 41 14 89 41 18 80 A1 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule Obsidium1338ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 04 ???????? E8 28 000000 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ???????? 83 82 B8 000000 ?? EB 04 ???????? 33 C0 EB 03 ?????? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 0000 EB 03 ?????? 64 67 89 26 0000 EB 02 ???? EB 01 ?? 50 EB 04 ???????? 33 C0 EB 02 ???? 8B 00 EB 03 ?????? C3 EB 03 ?????? E9 FA 000000 EB 03 ?????? E8 D5 FF FF FF EB 02 ???? EB 04 ???????? 58 EB 04 ???????? EB 02 ???? 64 67 8F 06 0000 EB 04 ???????? 83 C4 04 EB 04 ???????? E8 57 27 0000 }
condition:
$a0 at pe.entry_point
}
rule RLPV073betaap0x {
meta: author="malware-lu"
strings:
$a0 = { 2E 72 6C 70 0000000000 50 0000 ???????????????????????? 000000000000000000000000 20 0000 E0 }
condition:
$a0
}
rule yCv13byAshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC C0 000000 53 56 57 8D BD 40 FF FF FF B9 30 000000 B8 CCCCCCCC F3 AB 60 E8 00000000 5D 81 ED 84 52 41 00 B9 75 5E 41 00 81 E9 DE 52 41 00 8B D5 81 C2 DE 52 41 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC }
condition:
$a0
}
rule PCPECalphapreview {
meta: author="malware-lu"
strings:
$a0 = { 53 51 52 56 57 55 E8 00000000 5D 8B CD 81 ED 33 30 40 00 }
condition:
$a0 at pe.entry_point
}
rule AlexProtectorv10Alex {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 06 10 40 00 E8 24 000000 EB 01 E9 8B }
condition:
$a0 at pe.entry_point
}
rule Shrinkv10 {
meta: author="malware-lu"
strings:
$a0 = { 50 9C FC BE ???? BF ???? 57 B9 ???? F3 A4 8B ?????? BE ???? BF ???? F3 A4 C3 }
condition:
$a0 at pe.entry_point
}
rule AHPack01FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 60 68 54 ???? 00 B8 48 ???? 00 FF 10 68 B3 ???? 00 50 B8 44 ???? 00 FF 10 68 00 }
condition:
$a0 at pe.entry_point
}
rule SentinelSuperProAutomaticProtectionv640Safenet {
meta: author="malware-lu"
strings:
$a0 = { 68 ???????? 6A 01 6A 00 FF 15 ???????? A3 ???????? FF 15 ???????? 33 C9 3D B7 000000 A1 ???????? 0F 94 C1 85 C0 89 0D ???????? 0F 85 ???????? 55 56 C7 05 ???????? 01 000000 FF 15 ???????? 01 05 ???????? FF 15 }
condition:
$a0 at pe.entry_point
}
rule DxPack10 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 8B FD 81 ED ???????? 2B B9 ???????? 81 EF ???????? 83 BD ?????????? 0F 84 }
condition:
$a0 at pe.entry_point
}
rule Pohernah103byKas {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 2A 27 40 00 31 C0 40 83 F0 06 40 3D 40 1F 0000 75 07 BE 6A 27 40 00 EB 02 EB EB 8B 85 9E 28 40 00 83 F8 01 75 17 31 C0 01 EE 3D 99 000000 74 0C 8B 8D 86 28 40 00 30 0E 40 46 EB ED ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 000000 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 000000 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
condition:
$a0 at pe.entry_point
}
rule ObsidiumV1258ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 01 ?? E8 ?? 000000 }
condition:
$a0 at pe.entry_point
}
rule nPackv11150200BetaNEOx {
meta: author="malware-lu"
strings:
$a0 = { 83 3D 40 ?????? 00 75 05 E9 01 000000 C3 E8 41 000000 B8 80 ?????? 2B 05 08 ?????? A3 3C ???? 00 E8 5E 000000 E8 E0 01 0000 E8 EC 06 0000 E8 F7 05 0000 }
condition:
$a0 at pe.entry_point
}
rule PerlApp602ActiveState {
meta: author="malware-lu"
strings:
$a0 = { 68 2C EA 40 00 FF D3 83 C4 0C 85 C0 0F 85 CD 000000 6A 09 57 68 20 EA 40 00 FF D3 83 C4 0C 85 C0 75 12 8D 47 09 50 FF 15 1C D1 40 00 59 A3 B8 07 41 00 EB 55 6A 08 57 68 14 EA 40 00 FF D3 83 C4 0C 85 C0 75 11 8D 47 08 50 FF 15 1C D1 40 00 59 89 44 24 10 EB 33 6A 09 57 68 08 EA 40 00 FF D3 83 C4 0C 85 C0 74 22 6A 08 57 68 FC E9 40 00 FF D3 83 C4 0C 85 C0 74 11 6A 0B 57 68 F0 E9 40 00 FF D3 83 C4 0C 85 C0 75 55 }
$a1 = { 68 9C E1 40 00 FF 15 A4 D0 40 00 85 C0 59 74 0F 50 FF 15 1C D1 40 00 85 C0 59 89 45 FC 75 62 6A 00 8D 45 F8 FF 75 0C F6 45 14 01 50 8D 45 14 50 E8 9B 01 0000 83 C4 10 85 C0 0F 84 E9 000000 8B 45 F8 83 C0 14 50 FF D6 85 C0 59 89 45 FC 75 0E FF 75 14 FF 15 78 D0 40 00 E9 C9 000000 68 8C E1 40 00 FF 75 14 50 }
condition:
$a0 or $a1
}
rule UPXProtectorv10x2 {
meta: author="malware-lu"
strings:
$a0 = { EB ?????????? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }
condition:
$a0
}
rule ThinstallEmbedded2501Jitit {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B8 ???????? BB ???????? 50 E8 00000000 58 2D A8 1A 0000 B9 6D 1A 0000 BA 21 1B 0000 BE 00 10 0000 BF C0 53 0000 BD F0 1A 0000 03 E8 81 75 00 ???????? 81 75 04 ???????? 81 75 08 ???????? 81 75 0C ???????? 81 75 10 }
condition:
$a0 at pe.entry_point
}
rule CodeVirtualizer1310OreansTechnologies {
meta: author="malware-lu"
strings:
$a0 = { 60 9C FC E8 00000000 5F 81 EF ???????? 8B C7 81 C7 ???????? 3B 47 2C 75 02 EB 2E 89 47 2C B9 A7 000000 EB 05 01 44 8F ?? 49 0B C9 75 F7 83 7F 40 00 74 15 8B 77 40 03 F0 EB 09 8B 1E 03 D8 01 03 83 C6 04 83 3E 00 75 F2 8B 74 24 24 8B DE 03 F0 B9 01 000000 33 C0 F0 0F B1 4F 30 75 F7 AC }
condition:
$a0
}
rule VProtector13Xvcasm {
meta: author="malware-lu"
strings:
$a0 = { 0000000000 ???????? 0000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????? 00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 60 8B B4 24 24 000000 8B BC 24 28 000000 FC C6 C2 80 33 DB A4 C6 C3 02 E8 A9 000000 0F 83 F1 FF FF FF 33 C9 E8 9C 000000 0F 83 2D 000000 33 C0 E8 8F 000000 0F 83 37 000000 C6 C3 02 41 C6 C0 10 E8 7D 000000 10 C0 0F 83 F3 FF FF FF }
$a1 = { E9 B9 16 0000 55 8B EC 81 EC 74 04 0000 57 68 00000000 68 0000 C2 14 68 FF FF 0000 68 ???????? 9C 81 ???????????????????? 9D 54 FF 14 24 68 00000000 68 0000 C2 10 68 ???????? 9C 81 ???????????????????? 9D 54 FF 14 24 68 00000000 68 ???????? 9C 81 ???????????????????? 9D 54 FF 14 24 68 00000000 68 FF FF C2 10 68 ???????? 9C 81 ???????????????????? 9D 54 FF 14 24 68 00000000 68 ???????? 9C 81 ???????????????????? 9D 54 FF 14 24 68 00000000 68 0000 C2 14 68 FF FF 0000 68 ???????? 9C 81 ???????????????????? 9D 54 FF 14 24 68 00000000 68 ???????? 9C 81 ???????????????????? 9D 54 FF 14 24 68 00000000 }
condition:
$a0 or $a1 at pe.entry_point
}
rule Packman0001bubba {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 58 8D A8 ?? FE FF FF 8D 98 ?????? FF 8D ???? 01 0000 }
condition:
$a0 at pe.entry_point
}
rule SimplePackV11XV12XMethod1bagie {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5B 8D 5B FA BD ???????? 8B 7D 3C 8D 74 3D 00 8D BE F8 000000 0F B7 76 06 4E 8B 47 10 09 C0 }
condition:
$a0 at pe.entry_point
}
rule PEEncryptv40bJunkCode {
meta: author="malware-lu"
strings:
$a0 = { 66 ???? 00 66 83 ?? 00 }
condition:
$a0 at pe.entry_point
}
rule PEQuake006forgat {
meta: author="malware-lu"
strings:
$a0 = { E8 A5 000000 2D ???? 000000000000000000 3D ???? 00 2D ???? 000000000000000000000000000000000000000000 4A ???? 00 5B ???? 00 6E ???? 0000000000 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 ???? 0000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 000000000000 }
condition:
$a0
}
rule Kryptonv02 {
meta: author="malware-lu"
strings:
$a0 = { 8B 0C 24 E9 0A 7C 01 ?? AD 42 40 BD BE 9D 7A 04 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakePELockNT204FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 EB 03 CD 20 EB EB 01 EB }
condition:
$a0 at pe.entry_point
}
rule eXPressorPacK150XCGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC ???????? 53 56 57 83 A5 ?????????? F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 35 2E 00 83 7D 0C ?? 75 23 8B 45 08 A3 ???????? 6A 04 68 00 10 0000 68 20 03 0000 6A 00 FF 15 ???????? A3 ???????? EB 04 }
condition:
$a0 at pe.entry_point
}
rule D1S1Gv11BetaScrambledEXED1N {
meta: author="malware-lu"
strings:
$a0 = { E8 07 000000 E8 1E 000000 C3 90 58 89 C2 89 C2 25 00 F0 FF FF 50 83 C0 55 8D 00 FF 30 8D 40 04 FF 30 52 C3 8D 40 00 55 8B EC 83 C4 E8 53 56 57 8B 4D 10 8B 45 08 89 45 F8 8B 45 0C 89 45 F4 8D 41 61 8B 38 8D 41 65 8B 00 03 C7 89 45 FC 8D 41 69 8B 00 03 C7 8D 51 6D 8B 12 03 D7 83 C1 71 8B 09 03 CF 2B CA 72 0A 41 87 D1 80 31 FF 41 4A 75 F9 89 45 F0 EB 71 8B }
condition:
$a0
}
rule ReversingLabsProtector074betaAp0x {
meta: author="malware-lu"
strings:
$a0 = { 68 0000 41 00 E8 01 000000 C3 C3 }
condition:
$a0 at pe.entry_point
}
rule ACProtect109gRiscosoftwareInc {
meta: author="malware-lu"
strings:
$a0 = { 60 F9 50 E8 01 000000 7C 58 58 49 50 E8 01 000000 7E 58 58 79 04 66 B9 B8 72 E8 01 000000 7A 83 C4 04 85 C8 EB 01 EB C1 F8 BE 72 03 73 01 74 0F 81 01 000000 F9 EB 01 75 F9 E8 01 0000 }
condition:
$a0 at pe.entry_point
}
rule NorthStarPEShrinker13Liuxingping {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 }
condition:
$a0 at pe.entry_point
}
rule eXPressorV13CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 }
condition:
$a0 at pe.entry_point
}
rule FreeJoinerSmallbuild035GlOFF {
meta: author="malware-lu"
strings:
$a0 = { 51 33 CB 86 C9 59 E8 9E FD FF FF 66 87 DB 6A 00 E8 0C 000000 FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
condition:
$a0 at pe.entry_point
}
rule Upack020betaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 88 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 }
condition:
$a0 at pe.entry_point
}
rule UPX20030XMarkusOberhumerLaszloMolnarJohnReiser {
meta: author="malware-lu"
strings:
$a0 = { 5E 89 F7 B9 ???????? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?????????? 8B 07 09 C0 74 3C 8B 5F 04 8D ???????????? 01 F3 50 83 C7 08 FF ?????????? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?????????? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?????????? 8B AE ???????? 8D BE 00 F0 FF FF BB 00 10 0000 50 54 6A 04 53 57 FF D5 8D 87 ???????? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }
condition:
$a0
}
rule WinUpackv039finalByDwingc2005h1 {
meta: author="malware-lu"
strings:
$a0 = { BE B0 11 ???? AD 50 FF 76 34 EB 7C 48 01 ???? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 18 10 0000 10 00000000 ?????? 0000 ???? 00 10 000000 02 0000 04 0000000000 39 00 04 0000000000000000 ?????? 00 02 000000000000 }
condition:
$a0 at pe.entry_point
}
rule UnnamedScrambler12Bp0ke {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 D8 53 56 57 33 C0 89 45 D8 89 45 DC 89 45 E0 89 45 E4 89 45 E8 B8 70 3A 40 00 E8 C4 EC FF FF 33 C0 55 68 5C 3F 40 00 64 FF 30 64 89 20 E8 C5 D7 FF FF E8 5C F5 FF FF B8 20 65 40 00 33 C9 BA 04 01 0000 E8 D3 DB FF FF 68 04 01 0000 68 20 65 40 00 6A 00 FF 15 10 55 40 00 BA 6C 3F 40 00 B8 14 55 40 00 E8 5A F4 FF FF 85 C0 0F 84 1B 04 0000 BA 18 55 40 00 8B 0D 14 55 40 00 E8 16 D7 FF FF 8B 05 88 61 40 00 8B D0 B8 54 62 40 00 E8 D4 E3 FF FF B8 54 62 40 00 E8 F2 E2 FF FF 8B D0 B8 18 55 40 00 8B 0D 88 61 40 00 E8 E8 D6 FF FF FF 35 34 62 40 00 FF 35 30 62 40 00 FF 35 3C 62 40 00 FF 35 38 62 40 00 8D 55 E8 A1 88 61 40 00 E8 E3 F0 FF FF 8B 55 E8 }
condition:
$a0
}
rule Upack010012betaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 48 01 40 00 AD 8B F8 95 A5 33 C0 33 C9 AB 48 AB F7 D8 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB AD 50 97 51 AD 87 F5 58 8D 54 86 5C FF D5 72 5A 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 }
condition:
$a0 at pe.entry_point
}
rule PEArmorV07Xhying {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED ???????? 8D B5 ???????? 55 56 81 C5 ???????? 55 C3 }
condition:
$a0 at pe.entry_point
}
rule LauncherGeneratorv103 {
meta: author="malware-lu"
strings:
$a0 = { 68 00 20 40 00 68 10 20 40 00 6A 00 6A 00 6A 20 6A 00 6A 00 6A 00 68 F0 22 40 00 6A 00 E8 93 000000 85 C0 0F 84 7E 000000 B8 00000000 3B 05 68 20 40 00 74 13 6A ?? 68 60 23 40 00 68 20 23 40 00 6A 00 E8 83 000000 A1 58 20 40 00 3B 05 6C 20 40 00 }
condition:
$a0
}
rule yodasProtector102103AshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { E8 03 000000 EB 01 ?? BB 55 000000 E8 03 000000 EB 01 ?? E8 8F 000000 E8 03 000000 EB 01 ?? E8 82 000000 E8 03 000000 EB 01 ?? E8 B8 000000 E8 03 000000 EB 01 ?? E8 AB 0000 }
condition:
$a0 at pe.entry_point
}
rule NakedPacker10byBigBoote {
meta: author="malware-lu"
strings:
$a0 = { 60 FC 0F B6 05 34 ?????? 85 C0 75 31 B8 50 ?????? 2B 05 04 ?????? A3 30 ?????? A1 00 ?????? 03 05 30 ?????? A3 38 ?????? E8 9A 000000 A3 50 ?????? C6 05 34 ?????? 01 83 3D 50 ?????? 00 75 07 61 FF 25 38 ?????? 61 FF 74 24 04 6A 00 FF 15 44 ?????? 50 FF 15 40 ?????? C3 FF 74 24 04 6A 00 FF 15 44 ?????? 50 FF 15 48 ?????? C3 8B 4C 24 04 56 8B 74 24 10 57 85 F6 8B F9 74 0D 8B 54 24 10 8A 02 88 01 }
condition:
$a0
}
rule tElockv080 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 F9 11 0000 C3 83 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01YodasProtector102Anorganix {
meta: author="malware-lu"
strings:
$a0 = { E8 03 000000 EB 01 9090 E9 }
condition:
$a0 at pe.entry_point
}
rule VProtector11Xvcasm {
meta: author="malware-lu"
strings:
$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 000000 8B 44 24 04 8B 00 3D 04 0000 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00000000 74 F3 75 F1 EB 24 64 FF 35 00000000 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 0000 9D 90 EB F4 64 89 25 00000000 EB E6 E8 16 000000 8B 5C 24 0C 8B A3 C4 000000 64 8F 05 00000000 83 C4 04 EB 14 64 FF 35 00000000 64 89 25 00000000 33 C9 99 F7 F1 E9 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 000000 8B 5C 24 0C 8B A3 C4 000000 64 8F 05 00000000 83 C4 04 EB 14 64 FF 35 00000000 64 89 25 00000000 33 C9 99 F7 F1 E9 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtMASM32 {
meta: author="malware-lu"
strings:
$a0 = { EB 01 DB E8 02 000000 86 43 5E 8D 1D D0 75 CF 83 C1 EE 1D 68 50 ?? 8F 83 EB 02 3D 0F 5A }
condition:
$a0 at pe.entry_point
}
rule Pohernah102byKas {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED DE 26 40 00 8B BD 05 28 40 00 8B 8D 0D 28 40 00 B8 25 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 000000 75 62 8B 57 0C 03 95 09 28 40 00 31 C0 51 31 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 09 28 40 00 8B 85 11 28 40 00 83 F8 02 75 06 81 C2 00 02 0000 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 0000 57 BF C8 000000 89 CE E8 27 000000 89 C1 5F B8 25 28 40 00 01 E8 E8 24 000000 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 01 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 000000 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 000000 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
condition:
$a0 at pe.entry_point
}
rule ActiveMARK5xTrymediaSystemsInc {
meta: author="malware-lu"
strings:
$a0 = { 20 2D 2D 4D 50 52 4D 4D 47 56 41 2D 2D 00 75 73 65 72 33 32 2E 64 6C 6C 00 4D 65 73 73 61 67 65 42 6F 78 41 00 54 68 69 73 20 61 70 70 6C 69 63 61 74 69 6F 6E 20 63 61 6E 6E 6F 74 20 72 75 6E 20 77 69 74 68 20 61 6E 20 61 63 74 69 76 65 20 64 65 62 75 67 }
condition:
$a0
}
rule RCryptorv20HideEPVaska {
meta: author="malware-lu"
strings:
$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 DC 20 ?? 00 F7 D1 83 F1 FF E8 00000000 F7 D1 83 F1 FF C3 }
condition:
$a0 at pe.entry_point
}
rule Armadillov172v173 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 E8 C1 ???? 68 F4 86 ???? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule AsCryptv01SToRM2 {
meta: author="malware-lu"
strings:
$a0 = { 80 ?????? 83 ???????? 909090 83 ???? E2 }
condition:
$a0
}
rule AsCryptv01SToRM3 {
meta: author="malware-lu"
strings:
$a0 = { 80 ?????? 83 ???????? 909090 51 ?????? 01 000000 83 ???? E2 }
condition:
$a0
}
rule ASProtectV2XDLLAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 03 000000 E9 ???? 5D 45 55 C3 E8 01 000000 EB 5D BB ???????? 03 DD }
condition:
$a0 at pe.entry_point
}
rule AsCryptv01SToRM4 {
meta: author="malware-lu"
strings:
$a0 = { 80 ?????? 83 ???????? 909090 E2 }
condition:
$a0
}
rule yzpack20UsAr {
meta: author="malware-lu"
strings:
$a0 = { 25 ???????? 61 87 CC 55 45 45 55 81 ED CA 000000 55 A4 B3 02 FF 14 24 73 F8 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 1F B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3C AA EB DC FF 54 24 04 2B CB 75 0F FF 54 24 08 EB 27 AC D1 E8 74 30 13 C9 EB 1B 91 48 C1 E0 08 AC FF 54 24 08 3D 00 7D 0000 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 99 BD ???????? FF 65 28 }
condition:
$a0 at pe.entry_point
}
rule PasswordprotectormySMT {
meta: author="malware-lu"
strings:
$a0 = { E8 ???????? 5D 8B FD 81 ?????????? 81 ?????????? 83 ???? 89 ?????????? 8D ?????????? 8D ?????????? 46 80 ???? 74 }
condition:
$a0 at pe.entry_point
}
rule ObsidiumV1258V133XObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 01 ?? E8 ?? 000000 EB 02 ???? EB }
condition:
$a0 at pe.entry_point
}
rule ReflexiveArcadeWrapper {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 98 68 42 00 68 14 FA 41 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF 15 F8 50 42 00 33 D2 8A D4 89 15 3C E8 42 00 8B C8 81 E1 FF 000000 89 0D 38 E8 42 00 C1 E1 08 03 CA 89 0D 34 E8 42 00 C1 E8 10 A3 30 E8 }
condition:
$a0 at pe.entry_point
}
rule VxTrojanTelefoon {
meta: author="malware-lu"
strings:
$a0 = { 60 1E E8 3B 01 BF CC 01 2E 03 3E CA 01 2E C7 05 }
condition:
$a0 at pe.entry_point
}
rule Upackv030betaDwing {
meta: author="malware-lu"
strings:
$a0 = { E9 ???????? 42 79 44 77 69 6E 67 40 000000 50 45 0000 4C 01 02 ???????????????????????????????????????? 30 }
condition:
$a0 at pe.entry_point
}
rule VxACMEClonewarMutant {
meta: author="malware-lu"
strings:
$a0 = { FC AD 3D FF FF 74 20 E6 42 8A C4 E6 42 E4 61 0C 03 E6 61 AD B9 40 1F E2 FE }
condition:
$a0 at pe.entry_point
}
rule Armadillov2xxCopyMemII {
meta: author="malware-lu"
strings:
$a0 = { 6A ?? 8B B5 ???????? C1 E6 04 8B 85 ???????? 25 07 ???? 80 79 05 48 83 C8 F8 40 33 C9 8A 88 ???????? 8B 95 ???????? 81 E2 07 ???? 80 79 05 4A 83 CA F8 42 33 C0 8A 82 }
condition:
$a0 at pe.entry_point
}
rule TPACKv05cm1 {
meta: author="malware-lu"
strings:
$a0 = { 68 ???? FD 60 BE ???? BF ???? B9 ???? F3 A4 8B F7 BF ???? FC 46 E9 8E FE }
condition:
$a0 at pe.entry_point
}
rule EXEStealthv271 {
meta: author="malware-lu"
strings:
$a0 = { EB 00 60 EB 00 E8 00000000 5D 81 ED B0 27 40 }
condition:
$a0 at pe.entry_point
}
rule TPACKv05cm2 {
meta: author="malware-lu"
strings:
$a0 = { 68 ???? FD 60 BE ???? BF ???? B9 ???? F3 A4 8B F7 BF ???? FC 46 E9 CE FD }
condition:
$a0 at pe.entry_point
}
rule ExeJoiner10Yodaf2f {
meta: author="malware-lu"
strings:
$a0 = { 68 00 10 40 00 68 04 01 0000 E8 39 03 0000 05 00 10 40 00 C6 00 5C 68 04 01 0000 68 04 11 40 00 6A 00 E8 1A 03 0000 6A 00 68 80 000000 6A 03 6A 00 6A 01 68 000000 80 68 04 11 40 00 E8 EC 02 0000 83 F8 FF 0F 84 83 02 0000 A3 08 12 40 00 6A 00 50 }
condition:
$a0 at pe.entry_point
}
rule ASPackv101bAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44 }
condition:
$a0 at pe.entry_point
}
rule MacromediaWindowsFlashProjectorPlayerv30 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 EC 44 56 FF 15 94 13 42 00 8B F0 B1 22 8A 06 3A C1 75 13 8A 46 01 46 3A C1 74 04 84 C0 75 F4 38 0E 75 0D 46 EB 0A 3C 20 7E 06 }
condition:
$a0 at pe.entry_point
}
rule PESpinV11cyberbob {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E }
condition:
$a0 at pe.entry_point
}
rule RLPack118aPlib043ap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 ?? 8D B5 1A 04 0000 8D 9D C1 02 0000 33 FF E8 61 01 0000 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 000000 74 0E 83 BD 0A 04 000000 74 05 E8 D7 01 0000 8D 74 37 04 53 6A ?? 68 ???????? 68 ???????? 6A 00 FF 95 A7 03 0000 89 85 16 04 0000 5B FF B5 16 04 0000 56 FF D3 83 C4 ?? 8B B5 16 04 0000 8B C6 EB 01 }
condition:
$a0 at pe.entry_point
}
rule DotFixNiceProtectvna {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 55 000000 8D BD 00 10 40 00 68 ?????? 00 03 3C 24 8B F7 90 68 31 10 40 00 9B DB E3 55 DB 04 24 8B C7 DB 44 24 04 DE C1 DB 1C 24 8B 1C 24 66 AD 51 DB 04 24 9090 DA 8D 77 10 40 00 DB 1C 24 D1 E1 29 }
condition:
$a0 at pe.entry_point
}
rule Upackv032betaDwing {
meta: author="malware-lu"
strings:
$a0 = { E9 ???????? 42 79 44 77 69 6E 67 40 000000 50 45 0000 4C 01 02 ???????????????????????????????????????? 32 }
condition:
$a0 at pe.entry_point
}
rule PackItBitch10archphase {
meta: author="malware-lu"
strings:
$a0 = { 000000000000000000000000 28 ?????? 35 ?????? 0000000000000000000000000000000000000000 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 41 ?????? 50 ?????? 000000000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 0000 ?????????????? 79 ?????? 7D ?????? 0000000000000000000000000000000000000000 }
condition:
$a0
}
rule JDPack2xJDPack {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 68 51 40 00 68 04 25 40 00 64 A1 00000000 }
condition:
$a0 at pe.entry_point
}
rule RPolyCryptv10personalpolycryptorsignfrompinch {
meta: author="malware-lu"
strings:
$a0 = { 50 58 97 97 60 61 8B 04 24 80 78 F3 6A E8 00000000 58 E8 00000000 58 91 91 EB 00 0F 85 6B F4 76 6F E8 00000000 83 C4 04 E8 00000000 58 90 E8 00000000 83 C4 04 8B 04 24 80 78 F1 }
condition:
$a0 at pe.entry_point
}
rule Upackv031betaDwing {
meta: author="malware-lu"
strings:
$a0 = { E9 ???????? 42 79 44 77 69 6E 67 40 000000 50 45 0000 4C 01 02 ???????????????????????????????????????? 31 }
condition:
$a0 at pe.entry_point
}
rule Packmanv0001 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 58 8D A8 ???? FF FF 8D 98 ?????? FF 8D ???? 01 0000 ???????????????????????????????????????????????????????? 0000 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01PEPack099Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 11 000000 5D 83 ED 06 80 BD E0 04 9090 01 0F 84 F2 FF CC 0A E9 }
condition:
$a0 at pe.entry_point
}
rule EXECryptor239minimumprotection {
meta: author="malware-lu"
strings:
$a0 = { 68 ???????? E9 ?????? FF 50 C1 C8 18 89 05 ???????? C3 C1 C0 18 51 E9 ?????? FF 84 C0 0F 84 6A F9 FF FF E9 ?????? FF C3 E9 ?????? FF E8 CF E9 FF FF B8 01 000000 E9 ?????? FF 2B D0 68 A0 36 80 D4 59 81 C9 64 98 FF 99 E9 ?????? FF 84 C0 0F 84 8E EC FF FF E9 ?????? FF C3 87 3C 24 5F 8B 00 03 45 FC 83 C0 18 E9 ?????? FF 87 0C 24 59 B8 01 000000 D3 E0 23 D0 E9 02 18 0000 0F 8D DB 000000 C1 E8 14 E9 CA 000000 9D 87 0C 24 59 87 1C 24 68 AE 73 B9 96 E9 C5 10 0000 0F 8A ???????? E9 ?????? FF 81 FD F5 FF 8F 07 E9 4F 10 0000 C3 E9 5E 12 0000 87 3C 24 E9 ?????? FF E8 ?????? FF 83 3D ???????? 00 0F 85 ???????? 8D 55 EC B8 ???????? E9 ?????? FF E8 A7 1A 0000 E8 2A CB FF FF E9 ?????? FF C3 E9 ?????? FF 59 89 45 E0 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtMicrosoftVisualC60ASM {
meta: author="malware-lu"
strings:
$a0 = { F7 D0 EB 02 CD 20 BE BB 74 1C FB EB 02 CD 20 BF 3B ???? FB C1 C1 03 33 F7 EB 02 CD 20 68 }
condition:
$a0 at pe.entry_point
}
rule HaspdongleAlladin {
meta: author="malware-lu"
strings:
$a0 = { 50 53 51 52 57 56 8B 75 1C 8B 3E ?????????? 8B 5D 08 8A FB ???? 03 5D 10 8B 45 0C 8B 4D 14 8B 55 18 80 FF 32 }
condition:
$a0 at pe.entry_point
}
rule SafeDiscv4 {
meta: author="malware-lu"
strings:
$a0 = { 000000000000000000000000 42 6F 47 5F }
condition:
$a0
}
rule PKLITEv112v115v1201 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? BA ???? 05 ???? 3B 06 ???? 73 ?? 2D ???? FA 8E D0 FB 2D ???? 8E C0 50 B9 ???? 33 FF 57 BE ???? FC F3 A5 CB B4 09 BA ???? CD 21 CD 20 }
condition:
$a0 at pe.entry_point
}
rule PKLITEv112v115v1202 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? BA ???? 3B C4 73 }
condition:
$a0 at pe.entry_point
}
rule EXECryptorv153 {
meta: author="malware-lu"
strings:
$a0 = { E8 24 000000 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00000000 ???? 00 31 C0 89 41 14 89 41 18 80 A1 C1 000000 FE C3 31 C0 64 FF 30 64 89 20 CC C3 }
condition:
$a0
}
rule MSLRHv032afakeEXE32Pack13xemadicius {
meta: author="malware-lu"
strings:
$a0 = { 3B C0 74 02 81 83 55 3B C0 74 02 81 83 53 3B C9 74 01 BC 56 3B D2 74 02 81 85 57 E8 00000000 3B DB 74 01 90 83 C4 14 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule eXpressorv11CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { E9 15 13 0000 E9 F0 12 0000 E9 58 12 0000 E9 AF 0C 0000 E9 AE 02 0000 E9 B4 0B 0000 E9 E0 0C 0000 }
condition:
$a0 at pe.entry_point
}
rule NsPackV11LiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 57 84 40 00 2D 50 84 40 00 }
condition:
$a0 at pe.entry_point
}
rule PrivatePersonalPackerPPPv102ConquestOfTroycom {
meta: author="malware-lu"
strings:
$a0 = { E8 17 000000 E8 68 000000 FF 35 2C 37 00 10 E8 ED 01 0000 6A 00 E8 2E 04 0000 E8 41 04 0000 A3 74 37 00 10 6A 64 E8 5F 04 0000 E8 30 04 0000 A3 78 37 00 10 6A 64 E8 4E 04 0000 E8 1F 04 0000 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 000000 73 07 6A 00 E8 D9 03 0000 C3 6A 0A 6A 07 6A 00 }
condition:
$a0 at pe.entry_point
}
rule VxHorse1776 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5D 83 ???? 06 1E 26 ???????? BF ???? 1E 0E 1F 8B F7 01 EE B9 ???? FC F3 A6 1F 1E 07 }
condition:
$a0 at pe.entry_point
}
rule PEShit: Packer PEiD {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? B9 ???????? 83 F9 00 7E 06 80 30 ?? 40 E2 F5 E9 ?????? FF }
condition:
$a0 at pe.entry_point
}
rule DrWebVirusFindingEngineInSoftEDVSysteme {
meta: author="malware-lu"
strings:
$a0 = { B8 01 000000 C2 0C 00 8D 80 00000000 8B D2 8B ?? 24 04 }
condition:
$a0 at pe.entry_point
}
rule PluginToExev100BoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?????? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 0D 40 40 00 6A 00 81 C3 ?????? 00 FF D3 83 C4 10 FF 95 B0 40 40 00 }
condition:
$a0 at pe.entry_point
}
rule RCryptorv15PrivateVaska {
meta: author="malware-lu"
strings:
$a0 = { 83 2C 24 4F 68 ???????? FF 54 24 04 83 44 24 04 4F B8 ???????? 3D ???????? 74 06 80 30 ?? 40 EB F3 }
condition:
$a0 at pe.entry_point
}
rule NeoLitev200 {
meta: author="malware-lu"
strings:
$a0 = { 8B 44 24 04 23 05 ???????? 50 E8 ???????? 83 C4 04 FE 05 ???????? 0B C0 74 }
condition:
$a0 at pe.entry_point
}
rule PKLITEv200bextra {
meta: author="malware-lu"
strings:
$a0 = { 50 B8 ???? BA ???? 05 ???? 3B 06 02 00 72 ?? B4 09 BA ???? CD 21 B8 01 4C CD 21 ???????????????????????????????????????????????????????????? EA ???????? F3 A5 C3 59 2D ???? 8E D0 51 2D ???? 50 80 }
condition:
$a0 at pe.entry_point
}
rule Crunch5Fusion4 {
meta: author="malware-lu"
strings:
$a0 = { EB 15 03 ?????? 06 ?????????????????????? 68 ???????? 55 E8 }
condition:
$a0
}
rule MSLRHv032afakePEBundle023xemadicius {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 02 000000 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule PEMangle {
meta: author="malware-lu"
strings:
$a0 = { 60 9C BE ???????? 8B FE B9 ???????? BB 44 52 4F 4C AD 33 C3 }
condition:
$a0 at pe.entry_point
}
rule WWPACKv302v302av304Relocationspack {
meta: author="malware-lu"
strings:
$a0 = { BE ???? BF ???? B9 ???? 8C CD 81 ED ???? 8B DD 81 EB ???? 8B D3 FC FA 1E 8E DB 01 15 33 C0 2E AC }
condition:
$a0 at pe.entry_point
}
rule UPXProtectorv10x {
meta: author="malware-lu"
strings:
$a0 = { EB EC ???????? 8A 06 46 88 07 47 01 DB 75 07 }
condition:
$a0 at pe.entry_point
}
rule NorthStarPEShrinkerv13byLiuxingping {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 73 ?? FF FF 8B 06 83 F8 00 74 11 8D B5 7F ?? FF FF 8B 06 83 F8 01 0F 84 F1 01 0000 C7 06 01 000000 8B D5 8B 85 4F ?? FF FF 2B D0 89 95 4F ?? FF FF 01 95 67 ?? FF FF 8D B5 83 ?? FF FF 01 }
condition:
$a0
}
rule CodeCryptv015b {
meta: author="malware-lu"
strings:
$a0 = { E9 31 03 0000 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
condition:
$a0 at pe.entry_point
}
rule RLPackFullEdition117Ap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 ?????????????????????????????? 8D B5 ???????? 8D 9D ???????? 33 FF }
condition:
$a0 at pe.entry_point
}
rule PECompactv100 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB C4 84 40 ?? 87 DD 8B 85 49 85 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakeASProtect10FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 60 E8 01 000000 90 5D 81 ED 00000000 BB 00000000 03 DD 2B 9D }
condition:
$a0 at pe.entry_point
}
rule KGCryptvxx {
meta: author="malware-lu"
strings:
$a0 = { E8 ???????? 5D 81 ED ???????? 64 A1 30 ?????? 84 C0 74 ?? 64 A1 20 ?????? 0B C0 74 }
condition:
$a0 at pe.entry_point
}
rule VxKBDflags1024 {
meta: author="malware-lu"
strings:
$a0 = { 8B EC 2E 89 2E 24 03 BC 00 04 8C D5 2E 89 2E 22 }
condition:
$a0 at pe.entry_point
}
rule yodasProtectorV102AshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { E8 03 000000 EB 01 ?? BB 55 000000 E8 03 000000 EB 01 ?? E8 8F 000000 E8 03 000000 EB 01 ?? E8 82 000000 E8 03 000000 EB 01 ?? E8 B8 000000 E8 03 000000 EB 01 ?? E8 AB 000000 E8 03 000000 EB 01 ?? 83 FB 55 E8 03 000000 EB 01 ?? 75 2E E8 03 000000 EB 01 ?? C3 60 E8 00000000 5D 81 ED 23 3F 42 00 8B D5 81 C2 72 3F 42 00 52 E8 01 000000 C3 C3 E8 03 000000 EB 01 ?? E8 0E 000000 E8 D1 FF FF FF C3 E8 03 000000 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 000000 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 000000 EB 01 ?? 33 DB B9 3A 66 42 00 81 E9 1D 40 42 00 8B D5 81 C2 1D 40 42 00 8D 3A 8B F7 33 C0 E8 03 000000 EB 01 ?? E8 17 000000 909090 E9 C3 1F 0000 33 C0 64 FF 30 64 89 20 43 CC C3 }
condition:
$a0 at pe.entry_point
}
rule Obsidium1311ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 27 000000 EB 02 ???? EB 03 ?????? 8B 54 24 0C EB 01 ?? 83 82 B8 000000 22 EB 04 ???????? 33 C0 EB 01 ?? C3 EB 02 ???? EB 02 ???? 64 67 FF 36 0000 EB 04 ???????? 64 67 89 26 0000 EB 01 ?? EB 03 ?????? 50 EB 03 ?????? 33 C0 EB 01 ?? 8B 00 EB 03 ?????? C3 EB 01 ?? E9 FA 000000 EB 03 ?????? E8 D5 FF FF FF EB 01 ?? EB 03 ?????? 58 EB 03 ?????? EB 01 ?? 64 67 8F 06 0000 EB 01 ?? 83 C4 04 EB 03 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01MicrosoftVisualC620Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090 68 ???????? 67 64 FF 36 0000 67 64 89 26 0000 F1 90909090 55 8B EC 83 EC 50 53 56 57 BE 90909090 8D 7D F4 A5 A5 66 A5 8B }
condition:
$a0 at pe.entry_point
}
rule MEGALITEv120a {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? BA ???? 05 ???? 3B 2D 73 ?? 72 ?? B4 09 BA ???? CD 21 CD 90 }
condition:
$a0 at pe.entry_point
}
rule GoatsMutilatorV16Goat_e0f {
meta: author="malware-lu"
strings:
$a0 = { E8 EA 0B 0000 ?????? 8B 1C 79 F6 63 D8 8D 22 B0 BF F6 49 08 C3 02 BD 3B 6C 29 46 13 28 5D }
condition:
$a0 at pe.entry_point
}
rule Armadillo430aSiliconRealmsToolworks {
meta: author="malware-lu"
strings:
$a0 = { 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 41 4E 53 49 29 2C 20 61 70 70 20 73 74 72 69 6E 67 73 20 61 72 65 20 27 25 73 27 20 61 6E 64 20 27 25 73 27 000000 44 64 65 44 61 74 61 20 69 6E 69 74 69 61 6C 69 7A 65 64 20 28 55 4E 49 43 }
condition:
$a0
}
rule Upackv038betaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE B0 11 ???? AD 50 FF 76 34 EB 7C 48 01 ???? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 18 10 0000 10 00000000 ?????? 0000 ???? 00 10 000000 02 0000 04 0000000000 38 00 04 0000000000000000 ?????? 00 02 000000000000 }
$a1 = { BE B0 11 ???? AD 50 FF 76 34 EB 7C 48 01 ???? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 18 10 0000 10 00000000 ?????? 0000 ???? 00 10 000000 02 0000 04 0000000000 38 00 04 0000000000000000 ?????? 00 02 000000000000 ?? 0000 ?? 0000 ?? 0000 ???? 000000 10 0000 10 000000000000 0A 0000000000000000000000 EE ?????? 14 00000000 ???????????? 00 FF 76 38 AD 50 8B 3E BE F0 ?????? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 0000 ?????????? 000000 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ???????? E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 97 FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule DCryptPrivate09bdrmist {
meta: author="malware-lu"
strings:
$a0 = { B9 ?????? 00 E8 00000000 58 68 ?????? 00 83 E8 0B 0F 18 00 D0 00 48 E2 FB C3 }
condition:
$a0 at pe.entry_point
}
rule kkrunchyV02XRyd {
meta: author="malware-lu"
strings:
$a0 = { BD ???????? C7 45 ?????????? FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ???????? 57 BE ???????? 31 C9 41 FF 4D 0C 8D 9C 8D A0 000000 FF D6 }
condition:
$a0 at pe.entry_point
}
rule SkDUndetectabler3NoFSG2MethodSkD {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 10 02 0000 68 00 02 0000 8D 85 F8 FD FF FF 50 6A 00 FF 15 38 10 00 01 50 FF 15 3C 10 00 01 8D 8D F8 FD FF FF 51 E8 4F FB FF FF 83 C4 04 8B 15 ?? 16 00 01 52 A1 ?? 16 00 01 50 E8 50 FF FF FF 83 C4 08 A3 ?? 16 00 01 C7 85 F4 FD FF FF 00000000 EB 0F 8B 8D F4 FD FF FF 83 C1 01 89 8D F4 FD FF FF 8B 95 F4 FD FF FF 3B 15 ?? 16 00 01 73 1C 8B 85 F4 FD FF FF 8B 0D ?? 16 00 01 8D 54 01 07 81 FA 74 10 00 01 75 02 EB 02 EB C7 8B 85 F4 FD FF FF 50 E8 ?? 000000 83 C4 04 89 85 F0 FD FF FF 8B 8D F0 FD FF FF 89 4D FC C7 45 F8 00000000 EB 09 8B 55 F8 83 C2 01 89 55 F8 8B 45 F8 3B 85 F4 FD FF FF 73 15 8B 4D FC 03 4D F8 8B 15 ?? 16 00 01 03 55 F8 8A 02 88 01 EB D7 83 3D ?? 16 00 01 00 74 }
condition:
$a0 at pe.entry_point
}
rule NTPacker10ErazerZ {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 E0 53 33 C0 89 45 E0 89 45 E4 89 45 E8 89 45 EC B8 ???? 40 00 E8 ???? FF FF 33 C0 55 68 ???? 40 00 64 FF 30 64 89 20 8D 4D EC BA ???? 40 00 A1 ???? 40 00 E8 ?? FC FF FF 8B 55 EC B8 ???? 40 00 E8 ???? FF FF 8D 4D E8 BA ???? 40 00 A1 ???? 40 00 E8 ?? FE FF FF 8B 55 E8 B8 ???? 40 00 E8 ???? FF FF B8 ???? 40 00 E8 ?? FB FF FF 8B D8 A1 ???? 40 00 BA ???? 40 00 E8 ???? FF FF 75 26 8B D3 A1 ???? 40 00 E8 ???? FF FF 84 C0 75 2A 8D 55 E4 33 C0 E8 ???? FF FF 8B 45 E4 8B D3 E8 ???? FF FF EB 14 8D 55 E0 33 C0 E8 ???? FF FF 8B 45 E0 8B D3 E8 ???? FF FF 6A 00 E8 ???? FF FF 33 C0 5A 59 59 64 89 10 68 ???? 40 00 8D 45 E0 BA 04 000000 E8 ???? FF FF C3 E9 ???? FF FF EB EB 5B E8 ???? FF FF 000000 FF FF FF FF 01 000000 25 000000 FF FF FF FF 01 000000 5C 000000 FF FF FF FF 06 000000 53 45 52 56 45 52 0000 FF FF FF FF 01 000000 31 }
condition:
$a0 at pe.entry_point
}
rule SexeCrypter11bysantasdad {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 EC 53 56 57 33 C0 89 45 EC B8 D8 39 00 10 E8 30 FA FF FF 33 C0 55 68 D4 3A 00 10 64 FF 30 64 89 ???????? E4 3A 00 10 A1 00 57 00 10 50 E8 CC FA FF FF 8B D8 53 A1 00 57 00 10 50 E8 FE FA FF FF 8B F8 53 A1 00 57 00 10 50 E8 C8 FA FF FF 8B D8 53 E8 C8 FA FF FF 8B F0 85 F6 74 26 8B D7 4A B8 14 57 00 10 E8 AD F6 FF FF B8 14 57 00 10 E8 9B F6 FF FF 8B CF 8B D6 E8 DA FA FF FF 53 E8 84 FA FF FF 8D 4D EC BA F8 3A 00 10 A1 14 57 00 10 E8 0A FB FF FF 8B 55 EC B8 14 57 00 10 E8 65 F5 FF FF B8 14 57 00 10 E8 63 F6 FF FF E8 52 FC FF FF 33 C0 5A 59 59 64 89 10 68 DB 3A 00 10 8D 45 EC E8 ED F4 FF FF C3 E9 83 EF FF FF EB F0 5F 5E 5B E8 ED F3 FF FF 00 53 45 54 54 49 4E 47 53 00000000 FF FF FF FF 12 000000 6B 75 74 68 37 36 67 62 62 67 36 37 34 76 38 38 67 79 }
condition:
$a0 at pe.entry_point
}
rule VxGotcha879 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5B 81 EB ???? 9C FC 2E ?????????????? 8C D8 05 ???? 2E ???????? 50 2E ???????????? 8B C3 05 ???? 8B F0 BF 00 01 B9 20 00 F3 A4 0E B8 00 01 50 B8 DA DA CD 21 }
condition:
$a0 at pe.entry_point
}
rule MZ0oPE106bTaskFall {
meta: author="malware-lu"
strings:
$a0 = { EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ???????? C3 }
$a1 = { EB CA 89 03 83 C3 04 87 FE 32 C0 AE 75 FD 87 FE 80 3E FF 75 E2 46 5B 83 C3 04 53 8B 1B 80 3F FF 75 C9 8B E5 61 68 ???????? C3 FC B2 80 33 DB A4 B3 02 E8 6D 000000 73 F6 33 C9 E8 64 000000 73 1C 33 C0 E8 5B 000000 73 23 B3 02 41 B0 10 E8 4F 000000 12 C0 73 F7 75 3F AA EB D4 E8 4D 000000 2B CB 75 10 E8 42 000000 EB 28 AC D1 E8 74 4C 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 000000 3D 00 7D 0000 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule SoftDefenderv11xRandyLi {
meta: author="malware-lu"
strings:
$a0 = { 74 07 75 05 ?????????? 74 1F 75 1D ?? 68 ?????? 00 59 9C 50 74 0A 75 08 ?? 59 C2 04 00 ?????? E8 F4 FF FF FF ?????? 78 0F 79 0D }
condition:
$a0 at pe.entry_point
}
rule Upackv010v012BetaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 48 01 ?????????? 95 A5 33 C0 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakeBorlandDelphi6070FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 53 8B D8 33 C0 A3 00000000 6A 00 E8 000000 FF A3 00000000 A1 00000000 A3 00000000 33 C0 A3 00000000 33 C0 A3 00000000 E8 }
condition:
$a0 at pe.entry_point
}
rule STProtectorV15SilentSoftware {
meta: author="malware-lu"
strings:
$a0 = { 00000000 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 0000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 0000 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 }
condition:
$a0
}
rule ASPackv105bAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }
condition:
$a0 at pe.entry_point
}
rule EXECryptor226minimumprotection {
meta: author="malware-lu"
strings:
$a0 = { 50 68 ???????? 58 81 E0 ???????? E9 ?????? 00 87 0C 24 59 E8 ?????? 00 89 45 F8 E9 ???????? 0F 83 ?????? 00 E9 ???????? 87 14 24 5A 57 68 ???????? E9 ???????? 58 81 C0 ???????? 2B 05 ???????? 81 C8 ???????? 81 E0 ???????? E9 ?????? 00 C3 E9 ???????? C3 BF ???????? 81 CB ???????? BA ???????? 52 E9 ?????? 00 E8 ?????? 00 E9 ?????? 00 E9 ???????? 87 34 24 5E 66 8B 00 66 25 ???? E9 ???????? 8B CD 87 0C 24 8B EC 51 89 EC 5D 8B 05 ???????? 09 C0 E9 ???????? 59 81 C1 ???????? C1 C1 ?? 23 0D ???????? 81 F9 ???????? E9 ???????? C3 E9 ?????? 00 13 D0 0B F9 E9 ???????? 51 E8 ???????? 8B 64 24 08 31 C0 64 8F 05 00000000 5A E9 ???????? 3C A4 0F 85 ?????? 00 8B 45 FC 66 81 38 ???? 0F 84 05 000000 E9 ???????? 0F 84 ???????? E9 ???????? 87 3C 24 5F 31 DB 31 C9 31 D2 68 ???????? E9 ???????? 89 45 FC 33 C0 89 45 F4 83 7D FC 00 E9 ???????? 53 52 8B D1 87 14 24 81 C0 ???????? 0F 88 ???????? 3B CB }
condition:
$a0 at pe.entry_point
}
rule PEProtector093CRYPToCRACk {
meta: author="malware-lu"
strings:
$a0 = { 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 33 8B F3 03 73 3C 81 3E 50 45 0000 75 26 0F B7 46 18 8B C8 69 C0 AD 0B 0000 F7 E0 2D AB 5D 41 4B 69 C9 DE C0 0000 03 C1 75 09 83 EC 04 0F 85 DD 0000 }
condition:
$a0 at pe.entry_point
}
rule PellesC300400450EXEX86CRTLIB {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 6A FF 68 ???????? 68 ???????? 64 FF 35 ???????? 64 89 25 ???????? 83 EC ?? 53 56 57 89 65 E8 68 000000 02 E8 ???????? 59 A3 }
condition:
$a0 at pe.entry_point
}
rule RLPackv118BasicaPLibAp0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 1A 04 0000 8D 9D C1 02 0000 33 FF E8 61 01 0000 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 000000 74 0E 83 }
condition:
$a0 at pe.entry_point
}
rule vfpexeNcV500WangJianGuo {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D ???????????????????????? 50 64 FF 35 00000000 64 89 25 00000000 CC }
condition:
$a0 at pe.entry_point
}
rule FreeJoiner153Stubengine17GlOFF {
meta: author="malware-lu"
strings:
$a0 = { E8 33 FD FF FF 50 E8 0D 000000 CC FF 25 08 20 40 00 FF 25 0C 20 40 00 FF 25 10 20 40 00 FF 25 14 20 40 00 FF 25 18 20 40 00 FF 25 1C 20 40 00 FF 25 20 20 40 00 FF 25 24 20 40 00 FF 25 28 20 40 00 FF 25 00 20 40 00 }
condition:
$a0 at pe.entry_point
}
rule TheHypersprotectorTheHyper {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 EC 14 8B FC E8 14 000000 ???? 01 01 ???? 01 01 ?????? 00 ???? 01 01 ???? 02 01 5E E8 0D 000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 8B 46 04 FF 10 8B D8 E8 0D 000000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 53 8B 06 FF 10 89 07 E8 }
condition:
$a0 at pe.entry_point
}
rule ANDpakk2006DmitryAndreev {
meta: author="malware-lu"
strings:
$a0 = { 60 FC BE D4 00 40 00 BF 00 10 00 01 57 83 CD FF 33 C9 F9 EB 05 A4 02 DB 75 05 8A 1E 46 12 DB 72 F4 33 C0 40 02 DB 75 05 8A 1E 46 12 DB 13 C0 02 DB 75 05 8A 1E 46 12 DB 72 0E 48 02 DB 75 05 8A 1E 46 12 DB 13 C0 EB DC 83 E8 03 72 0F C1 E0 08 AC 83 F0 FF 74 4D D1 F8 8B E8 EB 09 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 13 C9 75 1A 41 02 DB 75 05 8A 1E 46 12 DB 13 C9 02 DB 75 05 8A 1E 46 12 DB 73 EA 83 C1 02 81 FD 00 FB FF FF 83 D1 01 56 8D 34 2F F3 A4 5E E9 73 FF FF FF C3 }
condition:
$a0
}
rule Thinstall2628Jtit {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 58 BB 34 1D 0000 2B C3 50 68 0000 40 00 68 00 40 0000 68 BC 000000 E8 C3 FE FF FF E9 99 FF FF FF CCCCCCCCCCCCCCCCCCCC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 000000 33 DB BA 000000 80 43 33 C0 E8 19 01 }
$a1 = { E8 00000000 58 BB 34 1D 0000 2B C3 50 68 0000 40 00 68 00 40 0000 68 BC 000000 E8 C3 FE FF FF E9 99 FF FF FF CCCCCCCCCCCCCCCCCCCC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 000000 33 DB BA 000000 80 43 33 C0 E8 19 01 0000 73 0E 8B 4D F8 E8 27 01 0000 02 45 F7 AA EB E9 E8 04 01 0000 0F 82 96 000000 E8 F9 000000 73 5B B9 04 000000 E8 05 01 0000 48 74 DE 0F 89 C6 000000 E8 DF 000000 73 1B 55 BD 00 01 0000 E8 DF 000000 88 07 47 4D 75 F5 E8 C7 000000 72 E9 5D EB A2 B9 01 000000 E8 D0 000000 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 000000 88 45 F7 E9 7C FF FF FF B9 07 000000 E8 AA 000000 50 33 C9 B1 02 E8 A0 000000 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 000000 89 45 FC E9 48 FF FF FF E8 87 000000 49 E2 09 8B C3 E8 7D 000000 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 000000 0B C5 5D 8B D8 E8 5F 000000 3D 0000 01 00 73 14 3D FF 37 0000 73 0E 3D 7F 02 0000 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule UPXModifierv01x {
meta: author="malware-lu"
strings:
$a0 = { 50 BE ???????? 8D BE ???????? 57 83 CD }
condition:
$a0 at pe.entry_point
}
rule Obsidium1333ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 29 000000 EB 03 ?????? EB 03 ?????? 8B 54 24 0C EB 01 ?? 83 82 B8 000000 28 EB 03 ?????? 33 C0 EB 01 ?? C3 EB 04 ???????? EB 02 ???? 64 67 FF 36 0000 EB 04 ???????? 64 67 89 26 0000 EB 02 ???? EB 04 ???????? 50 EB 04 }
$a1 = { EB 02 ???? E8 29 000000 EB 03 ?????? EB 03 ?????? 8B 54 24 0C EB 01 ?? 83 82 B8 000000 28 EB 03 ?????? 33 C0 EB 01 ?? C3 EB 04 ???????? EB 02 ???? 64 67 FF 36 0000 EB 04 ???????? 64 67 89 26 0000 EB 02 ???? EB 04 ???????? 50 EB 04 ???????? 33 C0 EB 01 ?? 8B 00 EB 03 ?????? C3 EB 03 ?????? E9 FA 000000 EB 03 ?????? E8 D5 FF FF FF EB 04 ???????? EB 04 ???????? 58 EB 01 ?? EB 03 ?????? 64 67 8F 06 0000 EB 04 ???????? 83 C4 04 EB 04 ???????? E8 2B 27 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PureBasic4xNeilHodgson {
meta: author="malware-lu"
strings:
$a0 = { 68 ???? 0000 68 00000000 68 ?????? 00 E8 ?????? 00 83 C4 0C 68 00000000 E8 ?????? 00 A3 ?????? 00 68 00000000 68 00 10 0000 68 00000000 E8 ?????? 00 A3 }
condition:
$a0 at pe.entry_point
}
rule VxAugust16thIronMaiden {
meta: author="malware-lu"
strings:
$a0 = { BA 79 02 03 D7 B4 1A CD 21 B8 24 35 CD 21 5F 57 89 9D 4E 02 8C 85 50 02 }
condition:
$a0 at pe.entry_point
}
rule VProtector10Xvcasm {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? 68 ???????? 64 A1 00000000 50 64 89 25 00000000 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 000000 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 E8 B9 04 000000 E8 1F 000000 EB FA E8 16 000000 E9 EB F8 0000 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 E8 16 000000 8B 5C 24 0C 8B A3 C4 000000 64 8F 05 00000000 83 C4 04 EB 14 64 FF 35 00000000 64 89 25 00000000 33 C9 99 F7 F1 E9 E8 05 0000 }
condition:
$a0 at pe.entry_point
}
rule PEPACK099 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 83 ED 06 80 BD E0 04 0000 01 0F 84 F2 }
condition:
$a0 at pe.entry_point
}
rule Freshbindv20gFresh {
meta: author="malware-lu"
strings:
$a0 = { 64 A1 00000000 55 89 E5 6A FF 68 1C A0 41 00 }
condition:
$a0 at pe.entry_point
}
rule UPXSCRAMBLER306OnToL {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 59 83 C1 07 51 C3 C3 BE ???????? 83 EC 04 89 34 24 B9 80 000000 81 36 ???????? 50 B8 04 000000 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }
condition:
$a0 at pe.entry_point
}
rule PECompact2xxBitSumTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 50 64 FF 35 00000000 64 89 25 00000000 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
condition:
$a0 at pe.entry_point
}
rule PESpinv01Cyberbob {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 0000 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
$a1 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 0000 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 000000 EA 5A 83 EA 0B FF E2 8B 95 B3 28 40 00 8B 42 3C 03 C2 89 85 BD 28 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D D1 28 40 00 53 8F 85 C4 27 40 00 BB ?? 000000 B9 A5 08 0000 8D BD 75 29 40 00 4F 30 1C 39 FE CB E2 F9 68 2D 01 0000 59 8D BD AA 30 40 00 C0 0C 39 02 E2 FA E8 02 000000 FF 15 5A 8D 85 07 4F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 000000 68 E8 1A 000000 8D 34 28 B8 ???????? 2B C9 83 C9 15 0F A3 C8 0F 83 81 000000 8D B4 0D C4 28 40 00 8B D6 B9 10 000000 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00000000 59 81 C1 1D 000000 52 51 C1 E9 05 23 D1 FF }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule VxEddie2100 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 4F 4F 0E E8 ???? 47 47 1E FF ???? CB E8 ???? 84 C0 ???? 50 53 56 57 1E 06 B4 51 CD 21 8E C3 ?????????????? 8B F2 B4 2F CD 21 AC }
condition:
$a0 at pe.entry_point
}
rule NETexecutableMicrosoft {
meta: author="malware-lu"
strings:
$a0 = { 0000000000000000 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 0000000000 FF 25 }
condition:
$a0
}
rule tElockv098 {
meta: author="malware-lu"
strings:
$a0 = { E9 25 E4 FF FF 000000 ???????? 1E }
condition:
$a0 at pe.entry_point
}
rule AZProtect0001byAlexZakaAZCRC {
meta: author="malware-lu"
strings:
$a0 = { EB 70 FC 60 8C 80 4D 11 00 70 25 81 00 40 0D 91 BB 60 8C 80 4D 11 00 70 21 81 1D 61 0D 81 00 40 CE 60 8C 80 4D 11 00 70 25 81 25 81 25 81 25 81 29 61 41 81 31 61 1D 61 00 40 B7 30 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 60 BE 00 ???? 00 BF 0000 40 00 EB 17 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 0000000000 FF 25 ?????? 00 8B C6 03 C7 8B F8 57 55 8B EC 05 7F 000000 50 E8 E5 FF FF FF BA 8C ???? 00 89 02 E9 1A 01 0000 ?? 000000 47 65 74 4D 6F 64 75 6C 65 46 69 6C 65 4E 61 6D 65 41 00 47 65 74 56 6F 6C 75 6D 65 49 6E 66 6F 72 6D 61 74 69 6F 6E 41 00 4D 65 73 73 61 67 65 42 6F 78 41 00 45 78 69 74 50 72 6F 63 65 73 73 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 }
$a1 = { FC 33 C9 49 8B D1 33 C0 33 DB AC 32 C1 8A CD 8A EA 8A D6 B6 08 66 D1 EB 66 D1 D8 73 09 66 35 20 83 66 81 F3 B8 ED FE CE 75 EB 33 C8 33 D3 4F 75 D5 F7 D2 F7 D1 8B C2 C1 C0 10 66 8B C1 C3 F0 DA 55 8B EC 53 56 33 C9 33 DB 8B 4D 0C 8B 55 10 8B 75 08 4E 4A 83 FB 08 72 05 33 DB 43 EB 01 43 33 C0 8A 04 31 8A 24 13 2A C4 88 04 31 E2 E6 5E 5B C9 C2 0C }
condition:
$a0 at pe.entry_point or $a1
}
rule UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser {
meta: author="malware-lu"
strings:
$a0 = { 60 BE ???????? 8D BE ???????? 57 83 CD FF 89 E5 8D 9C 24 ???????? 31 C0 50 39 DC 75 FB 46 46 53 68 ???????? 57 83 C3 04 53 68 ???????? 56 83 C3 04 53 50 C7 03 ???????? 9090 }
$a1 = { 60 BE ???????? 8D BE ???????? 57 83 CD FF EB 10 909090909090 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule MEW510Northfox {
meta: author="malware-lu"
strings:
$a0 = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 }
condition:
$a0 at pe.entry_point
}
rule tElockv090 {
meta: author="malware-lu"
strings:
$a0 = { E8 02 000000 E8 00 E8 00000000 5E 2B }
condition:
$a0 at pe.entry_point
}
rule Obsidium1258ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 01 ?? E8 29 000000 EB 02 ???? EB 01 ?? 8B 54 24 0C EB 04 ???????? 83 82 B8 000000 24 EB 04 ???????? 33 C0 EB 02 ???? C3 EB 02 ???? EB 03 ?????? 64 67 FF 36 0000 EB 01 ?? 64 67 89 26 0000 EB 03 ?????? EB 01 ?? 50 EB 03 ?????? 33 C0 EB 04 ???????? 8B 00 EB 03 ?????? C3 EB 01 ?? E9 FA 000000 EB 02 ???? E8 D5 FF FF FF EB 04 ???????? EB 03 ?????? EB 01 ?? 58 EB 01 ?? EB 02 ???? 64 67 8F 06 0000 EB 04 ???????? 83 C4 04 EB 01 ?? E8 7B 21 0000 }
condition:
$a0 at pe.entry_point
}
rule SVKProtectorv132EngPavolCerven {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 06 000000 EB 05 B8 06 36 42 00 64 A0 23 000000 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 000000 8D B5 C5 02 0000 56 80 06 44 46 E2 FA 8B 8D C1 02 0000 5E 55 51 6A 00 56 FF 95 0C 61 0000 59 5D 40 85 C0 75 3C 80 3E }
condition:
$a0 at pe.entry_point
}
rule ExeSplitter12BillPrisonerTPOC {
meta: author="malware-lu"
strings:
$a0 = { E9 95 02 0000 64 A1 00000000 83 38 FF 74 04 8B 00 EB F7 8B 40 04 C3 55 8B EC B8 00000000 8B 75 08 81 E6 0000 FF FF B9 06 000000 56 56 E8 B0 000000 5E 83 F8 01 75 06 8B C6 C9 C2 04 00 81 EE 0000 01 00 E2 E5 C9 C2 04 00 55 8B EC 8B 75 0C 8B DE 03 76 3C 8D 76 18 8D 76 60 8B 36 03 F3 56 8B 76 20 03 F3 33 D2 8B C6 8B 36 03 F3 8B 7D 08 B9 0E 000000 FC F3 A6 0B C9 75 02 EB 08 }
condition:
$a0
}
rule COPv10c1988 {
meta: author="malware-lu"
strings:
$a0 = { BF ???? BE ???? B9 ???? AC 32 ?????? AA E2 ?? 8B ?????? EB ?? 90 }
condition:
$a0 at pe.entry_point
}
rule PECompactv25RetailSlimLoaderBitsumTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 ?????? 01 50 64 FF 35 00000000 64 89 25 00000000 33 C0 89 08 50 45 43 32 00 }
condition:
$a0 at pe.entry_point
}
rule Morphinev27Holy_FatherRatter29A {
meta: author="malware-lu"
strings:
$a0 = { 00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 0000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 0000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000000000000000000000000000000000000000000000000000000000000000000000000000 }
$a1 = { 0000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????? 00000000 ???????????????? 00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 0000 47 65 74 50 72 6F 63 }
condition:
$a0 or $a1
}
rule diPackerV1XdiProtectorSoftware {
meta: author="malware-lu"
strings:
$a0 = { 0F 00 2D E9 01 00 A0 E3 68 01 00 EB 8C 0000 EB 2B 0000 EB 0000 20 E0 1C 10 8F E2 8E 20 8F E2 00 30 A0 E3 67 01 00 EB 0F 00 BD E8 00 C0 8F E2 00 F0 9C E5 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01REALBasicAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 90909090909090909090 50 9090909090 00 01 E9 }
condition:
$a0 at pe.entry_point
}
rule PPCPROTECT11XAlexeyGorchakov {
meta: author="malware-lu"
strings:
$a0 = { FF 5F 2D E9 20 00 9F E5 0000 90 E5 18 00 8F E5 18 00 9F E5 0000 90 E5 10 00 8F E5 01 00 A0 E3 000000 EB 02 0000 EA 04 F0 1F E5 }
condition:
$a0 at pe.entry_point
}
rule nPackV111502006BetaNEOxuinC {
meta: author="malware-lu"
strings:
$a0 = { 83 3D 40 ?????? 00 75 05 E9 01 000000 C3 E8 41 000000 B8 80 ?????? 2B 05 08 ?????? A3 3C ?????? E8 5E 000000 E8 E0 01 0000 E8 EC 06 0000 E8 F7 05 0000 A1 3C ?????? C7 05 40 ?????? 01 000000 01 05 00 ?????? FF 35 00 ?????? C3 C3 }
condition:
$a0 at pe.entry_point
}
rule EnigmaProtector11X13XSukhovVladimirSergeNMarkin {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 B8 00 10 40 00 E8 01 000000 9A 83 C4 10 8B E5 5D E9 }
condition:
$a0
}
rule HardlockdongleAlladin {
meta: author="malware-lu"
strings:
$a0 = { 5C 5C 2E 5C 48 41 52 44 4C 4F 43 4B 2E 56 58 44 00000000 5C 5C 2E 5C 46 45 6E 74 65 44 65 76 }
condition:
$a0 at pe.entry_point
}
rule Armadillov190c {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 10 F2 40 00 68 74 9D 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule Upack_PatchDwing {
meta: author="malware-lu"
strings:
$a0 = { 81 3A 000000 02 00000000 }
condition:
$a0 at pe.entry_point
}
rule ExeJoinerV10Yodaf2f {
meta: author="malware-lu"
strings:
$a0 = { 68 00 10 40 00 68 04 01 0000 E8 39 03 0000 05 00 10 40 00 C6 00 5C 68 04 01 0000 }
condition:
$a0 at pe.entry_point
}
rule PCShrink071beta {
meta: author="malware-lu"
strings:
$a0 = { 01 AD 54 3A 40 00 FF B5 50 3A 40 00 6A 40 FF 95 88 3A 40 00 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtMASM32TASM32 {
meta: author="malware-lu"
strings:
$a0 = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 000000 83 EE 05 2B }
$a1 = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 000000 83 EE 05 2B F2 81 F6 EE 000000 EB 02 CD 20 8A 0B E8 02 000000 A9 54 5E C1 EE 07 F7 D7 EB 01 DE 81 E9 B7 96 A0 C4 EB 01 6B EB 02 CD 20 80 E9 4B C1 CF 08 EB 01 71 80 E9 1C EB }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PEiDBundlev101BoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 23 02 0000 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 0000 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
condition:
$a0 at pe.entry_point
}
rule UPX072 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 83 CD FF 31 DB 5E }
condition:
$a0 at pe.entry_point
}
rule AdFlt2: Packer PEiD {
meta: author="malware-lu"
strings:
$a0 = { 68 00 01 9C 0F A0 0F A8 60 FD 6A 00 0F A1 BE ???? AD }
condition:
$a0 at pe.entry_point
}
rule RLPack120BasicEditionaPLibAp0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 92 05 0000 EB 0C 8B 85 8E 05 0000 89 85 92 05 0000 8D B5 BA 05 0000 8D 9D 41 04 0000 33 FF E8 38 01 0000 EB 1B 8B 85 92 05 0000 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 9E 05 000000 74 0E 83 BD A2 05 000000 74 05 E8 D6 01 0000 }
condition:
$a0 at pe.entry_point
}
rule AsCryptv01SToRM1 {
meta: author="malware-lu"
strings:
$a0 = { 81 ???????????? 83 ?????????????? 83 ???? E2 ?? EB }
condition:
$a0
}
rule SmartEMicrosoft {
meta: author="malware-lu"
strings:
$a0 = { EB 15 03 000000 ?? 0000000000000000000000 68 00000000 55 E8 00000000 5D 81 ED 1D 000000 8B C5 55 60 9C 2B 85 8F 07 0000 89 85 83 07 0000 FF 74 24 2C E8 BB 01 0000 0F 82 2F 06 0000 E8 8E 04 0000 49 0F 88 23 06 }
condition:
$a0 at pe.entry_point
}
rule PE_Admin10EncryptPE12003518SoldFlyingCat {
meta: author="malware-lu"
strings:
$a0 = { 60 9C 64 FF 35 00000000 E8 79 01 0000 90 0000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????????????????????????????????????????????????????? 00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 000000 43 72 65 61 74 65 46 69 6C 65 41 000000 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 000000 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 43 6C 6F 73 65 48 61 6E 64 6C 65 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 45 78 69 74 50 72 6F 63 65 73 73 }
$a1 = { 60 9C 64 FF 35 00000000 E8 79 01 0000 90 0000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????????????????????????????????????????????????????? 00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 000000 43 72 65 61 74 65 46 69 6C 65 41 000000 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 000000 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 43 6C 6F 73 65 48 61 6E 64 6C 65 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 45 78 69 74 50 72 6F 63 65 73 73 00000000 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule MacromediaWindowsFlashProjectorPlayerv40 {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 44 56 FF 15 24 41 43 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
condition:
$a0 at pe.entry_point
}
rule WWPack32v100v111v112v120 {
meta: author="malware-lu"
strings:
$a0 = { 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 }
condition:
$a0 at pe.entry_point
}
rule VProtectorV11vcasm {
meta: author="malware-lu"
strings:
$a0 = { B8 1A ED 41 00 B9 EC EB 41 00 50 51 E8 74 000000 E8 51 6A 0000 58 83 E8 10 B9 B3 000000 }
condition:
$a0 at pe.entry_point
}
rule MaskPE16yzkzero {
meta: author="malware-lu"
strings:
$a0 = { 36 81 2C 24 ?????? 00 C3 60 }
condition:
$a0
}
rule bambam001bedrock {
meta: author="malware-lu"
strings:
$a0 = { 6A 14 E8 9A 05 0000 8B D8 53 68 ???????? E8 6C FD FF FF B9 05 000000 8B F3 BF ???????? 53 F3 A5 E8 8D 05 0000 8B 3D ???????? A1 ???????? 66 8B 15 ???????? B9 ???????? 2B CF 89 45 E8 89 0D ???????? 66 89 55 EC 8B 41 3C 33 D2 03 C1 83 C4 10 66 8B 48 06 66 8B 50 14 81 E1 FF FF 0000 8D 5C 02 18 8D 41 FF 85 C0 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01MEW11SE10Anorganix {
meta: author="malware-lu"
strings:
$a0 = { E9 09 000000000000 02 000000 0C 90 E9 }
condition:
$a0 at pe.entry_point
}
rule ASProtectv20 {
meta: author="malware-lu"
strings:
$a0 = { 68 01 ?? 40 00 E8 01 000000 C3 C3 }
condition:
$a0
}
rule PseudoSigner01BorlandDelphi6070Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090 68 ???????? 67 64 FF 36 0000 67 64 89 26 0000 F1 90909090 53 8B D8 33 C0 A3 09 09 09 00 6A 00 E8 09 09 00 FF A3 09 09 09 00 A1 09 09 09 00 A3 09 09 09 00 33 C0 A3 09 09 09 00 33 C0 A3 09 09 09 00 E8 }
condition:
$a0 at pe.entry_point
}
rule ObsidiumV12ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 77 1E 0000 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01PEProtect09Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 52 51 55 57 64 67 A1 30 00 85 C0 78 0D E8 07 000000 58 83 C0 07 C6 90 C3 E9 }
condition:
$a0 at pe.entry_point
}
rule WWPack32v1x {
meta: author="malware-lu"
strings:
$a0 = { 53 55 8B E8 33 DB EB 60 }
condition:
$a0 at pe.entry_point
}
rule ChSfxsmallv11 {
meta: author="malware-lu"
strings:
$a0 = { BA ???? E8 ???? 8B EC 83 EC ?? 8C C8 BB ???? B1 ?? D3 EB 03 C3 8E D8 05 ???? 89 }
condition:
$a0 at pe.entry_point
}
rule UPXModifiedStubcFarbrauschConsumerConsulting {
meta: author="malware-lu"
strings:
$a0 = { 60 BE ???????? 8D BE ???????? 57 83 CD FF FC B2 80 E8 00000000 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 000000 49 E2 10 E8 40 000000 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02NorthStarPEShrinker13Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 00000000 }
condition:
$a0 at pe.entry_point
}
rule tElockv098tE {
meta: author="malware-lu"
strings:
$a0 = { E9 25 E4 FF FF 000000 ???????????????? 0000000000000000 ???????????????????????? 0000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????? 00000000 ???????? 00 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtMicrosoftVisualBasicMASM32 {
meta: author="malware-lu"
strings:
$a0 = { EB 02 09 94 0F B7 FF 68 80 ???? 00 81 F6 8E 000000 5B EB 02 11 C2 8D 05 F4 000000 47 }
condition:
$a0 at pe.entry_point
}
rule Upackv022v023BetaDwing {
meta: author="malware-lu"
strings:
$a0 = { 6A 07 BE 88 01 40 00 AD 8B F8 59 95 F3 A5 }
condition:
$a0 at pe.entry_point
}
rule VxVirusConstructorbased {
meta: author="malware-lu"
strings:
$a0 = { BB ???? B9 ???? 2E ???????? 43 43 ???? 8B EC CC 8B ???? 81 ?????? 06 1E B8 ???? CD 21 3D ???????? 8C D8 48 8E D8 }
$a1 = { E8 ???? 5D 81 ?????? 06 1E E8 ???? E8 ???????? 2E ???????????? B4 4A BB FF FF CD 21 83 ???? B4 4A CD 21 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PESHiELD02 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02Gleam100Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090909090909090909090909090909090909090 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF }
condition:
$a0 at pe.entry_point
}
rule DBPEv233DingBoy {
meta: author="malware-lu"
strings:
$a0 = { EB 20 ???? 40 ?????????????????????????????????????????????????????????? 9C 55 57 56 52 51 53 9C E8 ???????? 5D 81 ED ???????? 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?????? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01PEtite2xlevel0Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090 68 ???????? 67 64 FF 36 0000 67 64 89 26 0000 F1 90909090 B8 00 9090 00 6A 00 68 909090 00 64 FF 35 00000000 64 89 25 00000000 66 9C 60 50 8B D8 03 00 68 }
condition:
$a0 at pe.entry_point
}
rule EPack14litefinalby6aHguT {
meta: author="malware-lu"
strings:
$a0 = { 33 C0 8B C0 68 ???????? 68 ???????? E8 }
condition:
$a0 at pe.entry_point
}
rule tElock098tE {
meta: author="malware-lu"
strings:
$a0 = { E9 25 E4 FF FF 000000 ???????? 1E ???? 000000000000000000 3E ???? 00 2E ???? 00 26 ???? 000000000000000000 4B ???? 00 36 ???? 000000000000000000000000000000000000000000 56 ???? 0000000000 69 ???? 0000000000 56 ???? 0000000000 69 ???? 0000000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65 }
condition:
$a0 at pe.entry_point
}
rule UnnamedScrambler10p0ke {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 EC 53 56 33 C0 89 45 ???????? 40 00 E8 11 F4 FF FF BE 30 6B 40 00 33 C0 55 68 C9 42 40 00 64 FF 30 64 89 20 E8 C9 FA FF FF BA D8 42 40 00 8B ???????? FF FF 8B D8 B8 28 6B 40 00 8B 16 E8 37 F0 FF FF B8 2C 6B 40 00 8B 16 E8 2B F0 FF FF B8 28 6B 40 00 E8 19 F0 FF FF 8B D0 8B C3 8B 0E E8 42 E3 FF FF BA DC 42 40 00 8B C6 E8 2A FA FF FF 8B D8 B8 20 6B 40 00 8B 16 E8 FC EF FF FF B8 24 6B 40 00 8B 16 E8 F0 EF FF FF B8 20 6B 40 00 E8 DE EF FF FF 8B D0 8B C3 8B 0E E8 07 E3 FF FF 6A 00 6A 19 6A 00 6A 32 A1 28 6B 40 00 E8 59 EF FF FF 83 E8 05 03 C0 8D 55 EC E8 94 FE FF FF 8B 55 EC B9 24 6B 40 00 A1 20 6B 40 00 E8 E2 F6 FF FF 6A 00 6A 19 6A 00 6A 32 }
condition:
$a0
}
rule WARNINGTROJANADinjector {
meta: author="malware-lu"
strings:
$a0 = { 90 61 BE 00 20 44 00 8D BE 00 F0 FB FF C7 87 9C E0 04 00 6A F0 8A 5E 57 83 CD FF EB 0E }
condition:
$a0 at pe.entry_point
}
rule TopSpeedv3011989 {
meta: author="malware-lu"
strings:
$a0 = { 1E BA ???? 8E DA 8B ?????? 8B ?????? FF ?????? 50 53 }
condition:
$a0 at pe.entry_point
}
rule CodeCryptv0164 {
meta: author="malware-lu"
strings:
$a0 = { E9 2E 03 0000 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F EB 03 FF 1D 34 }
condition:
$a0 at pe.entry_point
}
rule UPXHiT001DJSiba {
meta: author="malware-lu"
strings:
$a0 = { E2 FA 94 FF E0 61 00000000000000 }
condition:
$a0
}
rule PseudoSigner01ASProtectAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 909090909090 5D 9090909090909090909090 03 DD E9 }
condition:
$a0 at pe.entry_point
}
rule PocketPCARM {
meta: author="malware-lu"
strings:
$a0 = { F0 40 2D E9 00 40 A0 E1 01 50 A0 E1 02 60 A0 E1 03 70 A0 E1 ?? 0000 EB 07 30 A0 E1 06 20 A0 E1 05 10 A0 E1 04 00 A0 E1 ?????? EB F0 40 BD E8 ?? 0000 EA ?? 40 2D E9 ???? 9F E5 ?????????? 00 ???????????????? 9F E5 00 ???????? 00 }
condition:
$a0 at pe.entry_point
}
rule AnskyaBinderv11Anskya {
meta: author="malware-lu"
strings:
$a0 = { BE ?????? 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11 }
condition:
$a0 at pe.entry_point
}
rule VProtectorV10Bvcasm {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 CA 37 41 00 68 06 38 41 00 64 A1 00000000 50 64 89 25 00000000 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 }
condition:
$a0 at pe.entry_point
}
rule SecurePE1Xwwwdeepzoneorg {
meta: author="malware-lu"
strings:
$a0 = { 8B 04 24 E8 00000000 5D 81 ED 4C 2F 40 00 89 85 61 2F 40 00 8D 9D 65 2F 40 00 53 C3 00000000 8D B5 BA 2F 40 00 8B FE BB 65 2F 40 00 B9 C6 01 0000 AD 2B C3 C1 C0 03 33 C3 AB 43 81 FB 8E 2F 40 00 75 05 BB 65 2F 40 00 E2 E7 89 AD 1A 31 40 00 89 AD 55 34 40 00 89 AD 68 34 40 00 8D 85 BA 2F 40 00 50 C3 }
condition:
$a0 at pe.entry_point
}
rule yPv10bbyAshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 56 57 60 E8 00000000 5D 81 ED 4C 32 40 00 E8 03 000000 EB 01 ?? B9 EA 47 40 00 81 E9 E9 32 40 00 8B D5 81 C2 E9 32 40 00 8D 3A 8B F7 33 C0 E8 04 000000 90 EB 01 C2 E8 03 000000 EB 01 ?? AC ?????????????? EB 01 E8 }
condition:
$a0
}
rule MSLRHv031a {
meta: author="malware-lu"
strings:
$a0 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F }
$a1 = { 60 D1 CB 0F CA C1 CA E0 D1 CA 0F C8 EB 01 F1 0F C0 C9 D2 D1 0F C1 C0 D3 DA C0 D6 A8 EB 01 DE D0 EC 0F C1 CB D0 CF 0F C1 D1 D2 DB 0F C8 EB 01 BC C0 E9 C6 C1 D0 91 0F CB EB 01 73 0F CA 87 D9 87 D2 D0 CF 87 D9 0F C8 EB 01 C1 EB 01 A2 86 CA D0 E1 0F C0 CB 0F CA C0 C7 91 0F CB C1 D9 0C 86 F9 86 D7 D1 D9 EB 01 A5 EB 01 11 EB 01 1D 0F C1 C2 0F CB 0F C1 C2 EB 01 A1 C0 E9 FD 0F C1 D1 EB 01 E3 0F CA 87 D9 EB 01 F3 0F CB 87 C2 0F C0 F9 D0 F7 EB 01 2F 0F C9 C0 DC C4 EB 01 35 0F CA D3 D1 86 C8 EB 01 01 0F C0 F5 87 C8 D0 DE EB 01 95 EB 01 E1 EB 01 FD EB 01 EC 87 D3 0F CB C1 DB 35 D3 E2 0F C8 86 E2 86 EC C1 FB 12 D2 EE 0F C9 D2 F6 0F CA 87 C3 C1 D3 B3 EB 01 BF D1 CB 87 C9 0F CA 0F C1 DB EB 01 44 C0 CA F2 0F C1 D1 0F CB EB 01 D3 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 }
condition:
$a0 or $a1 at pe.entry_point
}
rule Upackv039finalDwing {
meta: author="malware-lu"
strings:
$a0 = { 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 }
$a1 = { FF 76 38 AD 50 8B 3E BE F0 ?????? 6A 27 59 F3 A5 FF 76 04 83 C8 FF }
condition:
$a0 or $a1
}
rule vprotector12vcasm {
meta: author="malware-lu"
strings:
$a0 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 000000 8B 44 24 04 8B 00 3D 04 0000 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00000000 74 F3 75 F1 EB 24 64 FF 35 00000000 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 0000 9D 90 EB F4 64 89 25 00 }
$a1 = { EB 0B 5B 56 50 72 6F 74 65 63 74 5D 00 E8 24 000000 8B 44 24 04 8B 00 3D 04 0000 80 75 08 8B 64 24 08 EB 04 58 EB 0C E9 64 8F 05 00000000 74 F3 75 F1 EB 24 64 FF 35 00000000 EB 12 FF 9C 74 03 75 01 E9 81 0C 24 00 01 0000 9D 90 EB F4 64 89 25 00000000 EB E6 E8 16 000000 8B 5C 24 0C 8B A3 C4 000000 64 8F 05 00000000 83 C4 04 EB 14 64 FF 35 00000000 64 89 25 00000000 33 C9 99 F7 F1 E9 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 16 000000 8B 5C 24 0C 8B A3 C4 000000 64 8F 05 00000000 83 C4 04 EB 14 64 FF 35 00000000 64 89 25 00000000 33 C9 99 F7 F1 E9 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 33 F6 E8 10 000000 8B 64 24 08 64 8F 05 00000000 58 EB 13 C7 83 64 FF 35 00000000 64 89 25 00000000 AD CD 20 E8 05 000000 0F 01 EB 05 E8 EB FB 0000 83 C4 04 E8 08 000000 0F 01 83 C0 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule FakeNinjav28Spirit {
meta: author="malware-lu"
strings:
$a0 = { BA ???????? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40 }
condition:
$a0
}
rule PECompactv133 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 00 80 40 ?? 9090 01 85 9E 80 40 ?? BB E8 0E }
condition:
$a0 at pe.entry_point
}
rule DragonArmorOrient {
meta: author="malware-lu"
strings:
$a0 = { BF 4C ???? 00 83 C9 FF 33 C0 68 34 ???? 00 F2 AE F7 D1 49 51 68 4C ???? 00 E8 11 0A 0000 83 C4 0C 68 4C ???? 00 FF 15 00 ???? 00 8B F0 BF 4C ???? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 4C ???? 00 8B D1 68 34 ???? 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF 5C ???? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 5C ???? 00 E8 C0 09 0000 8B 1D 04 ???? 00 83 C4 0C 68 5C ???? 00 56 FF D3 A3 D4 ???? 00 BF 5C ???? 00 83 C9 FF 33 C0 F2 AE F7 D1 49 BF 5C ???? 00 8B D1 68 34 ???? 00 C1 E9 02 F3 AB 8B CA 83 E1 }
condition:
$a0
}
rule ThemidaWinLicenseV1802OreansTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 00000000 60 0B C0 74 68 E8 00000000 58 05 ?? 000000 80 38 E9 75 ?? 61 EB ?? DB 2D ???????? FF FF FF FF FF FF FF FF 3D 40 E8 00000000 }
condition:
$a0 at pe.entry_point
}
rule SoftDefender1xRandyLi {
meta: author="malware-lu"
strings:
$a0 = { 74 07 75 05 19 32 67 E8 E8 74 1F 75 1D E8 68 39 44 CD 00 59 9C 50 74 0A 75 08 E8 59 C2 04 00 55 8B EC E8 F4 FF FF FF 56 57 53 78 0F 79 0D E8 34 99 47 49 34 33 EF 31 34 52 47 23 68 A2 AF 47 01 59 E8 01 000000 FF 58 05 E6 01 0000 03 C8 74 BD 75 BB E8 00 }
condition:
$a0 at pe.entry_point
}
rule PellesC2x4xDLLPelleOrinius {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 }
condition:
$a0 at pe.entry_point
}
rule UPX290LZMADelphistubMarkusOberhumerLaszloMolnarJohnReiser {
meta: author="malware-lu"
strings:
$a0 = { 60 BE ???????? 8D BE ???????? C7 87 ???????????????? 57 83 CD FF 89 E5 8D 9C 24 ???????? 31 C0 50 39 DC 75 FB 46 46 53 68 ???????? 57 83 C3 04 53 68 ???????? 56 83 C3 04 }
condition:
$a0 at pe.entry_point
}
rule RLPackV119aPlib043ap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 0000 EB 0C 8B 85 38 04 0000 89 85 3C 04 0000 8D B5 60 04 0000 8D 9D EB 02 0000 33 FF E8 52 01 0000 EB 1B 8B 85 3C 04 0000 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 000000 74 0E 83 BD 4C 04 000000 74 05 E8 B8 01 0000 8D 74 37 04 53 6A 40 68 00 10 0000 68 ???????? 6A 00 FF 95 D1 03 0000 89 85 5C 04 0000 5B FF B5 5C 04 0000 56 FF D3 83 C4 08 8B B5 5C 04 0000 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 0000 83 C0 04 89 85 58 04 0000 E9 94 000000 56 FF 95 C9 03 0000 85 C0 0F 84 B4 000000 89 85 54 04 0000 8B C6 EB 5B 8B 85 58 04 0000 8B 00 A9 000000 80 74 14 35 000000 80 50 8B 85 58 04 0000 C7 00 20 20 20 00 EB 06 FF B5 58 04 0000 FF B5 54 04 0000 FF 95 CD 03 0000 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 0000 EB 01 40 80 38 00 75 FA 40 89 85 58 04 0000 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 0000 83 C0 04 89 85 58 04 0000 80 3E 01 0F 85 63 FF FF FF 68 00 40 0000 68 ???????? FF B5 5C 04 0000 FF 95 D5 03 0000 E8 3D 000000 E8 24 01 0000 61 E9 ???????? 61 C3 }
condition:
$a0 at pe.entry_point
}
rule VirogensPEShrinkerv014 {
meta: author="malware-lu"
strings:
$a0 = { 9C 55 E8 ???????? 87 D5 5D 60 87 D5 8D ?????????? 8D ?????????? 57 56 AD 0B C0 74 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtBorlandDelphiBorlandC {
meta: author="malware-lu"
strings:
$a0 = { 2B C2 E8 02 000000 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ???? 18 EB 02 AB A0 03 F7 }
$a1 = { 2B C2 E8 02 000000 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ???? 18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 000000 0B C7 5B 03 CB 8A 06 8A 16 E8 02 000000 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 000000 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80 }
$a2 = { EB 01 2E EB 02 A5 55 BB 80 ???? 00 87 FE 8D 05 AA CE E0 63 EB 01 75 BA 5E CE E0 63 EB 02 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
}
rule PseudoSigner01ACProtect109Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 90909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090 EB 02 0000 909090 04 909090909090909090909090909090909090909090 }
condition:
$a0 at pe.entry_point
}
rule RCryptorV16dVaska {
meta: author="malware-lu"
strings:
$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ???????? B8 ???????? 90 3D ???????? 74 06 80 30 ?? 40 EB F3 B8 ???????? 90 3D ???????? 74 06 80 30 ?? 40 EB F3 }
condition:
$a0 at pe.entry_point
}
rule Upackv032BetaPatchDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 88 01 ???? AD 50 ?? AD 91 F3 A5 }
condition:
$a0
}
rule Apex30alpha500mhz {
meta: author="malware-lu"
strings:
$a0 = { 5F B9 14 000000 51 BE 00 10 40 00 B9 00 ???? 00 8A 07 30 06 46 E2 FB 47 59 E2 EA 68 ?????? 00 C3 }
condition:
$a0
}
rule SimbiOZPoly21Extranger {
meta: author="malware-lu"
strings:
$a0 = { 55 50 8B C4 83 C0 04 C7 00 ???????? 58 C3 90 }
condition:
$a0 at pe.entry_point
}
rule Armadillov184 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 E8 C1 40 00 68 F4 86 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule Armadillov183 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 64 84 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule Armadillov182 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 74 81 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule Armadillov180 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 E8 C1 0000 68 F4 86 0000 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule ExeSplitter13SplitMethodBillPrisonerTPOC {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5D 81 ED 08 12 40 00 E8 66 FE FF FF 55 50 8D 9D 81 11 40 00 53 8D 9D 21 11 40 00 53 6A 08 E8 76 FF FF FF 6A 40 68 00 30 0000 68 00 01 0000 6A 00 FF 95 89 11 40 00 89 85 61 10 40 00 50 68 00 01 0000 FF 95 85 11 40 00 8D 85 65 10 40 00 50 FF B5 61 10 40 00 FF 95 8D 11 40 00 6A 00 68 80 000000 6A 02 6A 00 ???????? 01 1F 00 FF B5 61 10 40 00 FF 95 91 11 40 00 89 85 72 10 40 00 6A 00 8D ???????? 00 50 FF B5 09 10 40 00 8D 85 F5 12 40 00 50 FF B5 72 10 40 00 FF 95 95 11 40 00 FF B5 72 10 40 00 FF 95 99 11 40 00 8D 85 0D 10 40 00 50 8D 85 1D 10 40 00 50 B9 07 000000 6A 00 E2 FC }
$a1 = { E9 FE 01 0000 ?????????????? 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 73 76 63 45 72 30 31 31 2E 74 6D 70 000000000000000000 64 A1 30 000000 8B 40 0C 8B 40 0C 8B 00 85 C0 0F 84 5F 02 0000 8B 48 30 80 39 6B 74 07 80 39 4B 74 02 EB E7 80 79 0C 33 74 02 EB DF 8B 40 18 C3 }
condition:
$a0 or $a1 at pe.entry_point
}
rule RJoiner12aVaska {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 0C 01 0000 8D 85 F4 FE FF FF 56 50 68 04 01 0000 FF 15 0C 10 40 00 94 90 94 8D 85 F4 FE FF FF 50 FF 15 08 10 40 00 94 90 94 BE 00 20 40 00 94 90 94 83 3E FF 74 7D 53 57 33 DB 8D 7E 04 94 90 94 53 68 80 000000 6A 02 53 6A 01 68 000000 C0 57 FF 15 04 10 40 00 89 45 F8 94 90 94 8B 06 8D 74 06 04 94 90 94 8D 45 FC 53 50 8D 46 04 FF 36 50 FF 75 F8 FF 15 00 10 40 00 94 90 94 FF 75 F8 FF 15 10 10 40 00 94 90 94 8D 85 F4 FE FF FF 6A 0A 50 53 57 68 20 10 40 00 53 FF 15 18 10 40 00 94 90 94 8B 06 8D 74 06 04 94 90 94 83 3E FF 75 89 5F 5B 33 C0 5E C9 C2 10 00 CCCC 24 11 }
condition:
$a0
}
rule VxVirusConstructorIVPbased {
meta: author="malware-lu"
strings:
$a0 = { E9 ???? E8 ???? 5D ?????????? 81 ED ???????????? E8 ???? 81 FC ???????? 8D ?????? BF ???? 57 A4 A5 }
condition:
$a0 at pe.entry_point
}
rule EncryptPE12003518WFS {
meta: author="malware-lu"
strings:
$a0 = { 60 9C 64 FF 35 00000000 E8 79 }
condition:
$a0 at pe.entry_point
}
rule PECompactv168v184 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 9090 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 7B 11 }
condition:
$a0 at pe.entry_point
}
rule SDProtectorProEdition116RandyLi {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00000000 50 64 89 25 00000000 58 64 A3 00000000 58 58 58 58 8B E8 E8 3B 000000 E8 01 000000 FF 58 05 53 000000 51 8B 4C 24 10 89 81 B8 000000 B8 55 01 0000 89 41 18 33 C0 89 41 04 89 41 }
$a1 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00000000 50 64 89 25 00000000 58 64 A3 00000000 58 58 58 58 8B E8 E8 3B 000000 E8 01 000000 FF 58 05 53 000000 51 8B 4C 24 10 89 81 B8 000000 B8 55 01 0000 89 41 18 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 9090 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 000000 FF 58 05 93 03 0000 03 C8 74 C4 75 C2 E8 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule Reg2Exe222223byJanVorel {
meta: author="malware-lu"
strings:
$a0 = { 6A 00 E8 2F 1E 0000 A3 C4 35 40 00 E8 2B 1E 0000 6A 0A 50 6A 00 FF 35 C4 35 40 00 E8 07 000000 50 E8 1B 1E 0000 CC 68 48 000000 68 00000000 68 C8 35 40 00 E8 76 16 0000 83 C4 0C 8B 44 24 04 A3 CC 35 40 00 68 00000000 68 A0 0F 0000 68 00000000 E8 EC 1D 0000 A3 C8 35 40 00 E8 62 1D 0000 E8 92 1A 0000 E8 80 16 0000 E8 13 14 0000 68 01 000000 68 08 36 40 00 68 00000000 8B 15 08 36 40 00 E8 71 3F 0000 B8 0000 10 00 BB 01 000000 E8 82 3F 0000 FF 35 48 31 40 00 B8 00 01 0000 E8 0D 13 0000 8D 0D EC 35 40 00 5A E8 F2 13 0000 68 00 01 0000 FF 35 EC 35 40 00 E8 84 1D 0000 A3 F4 35 40 00 FF 35 48 31 40 00 FF 35 F4 35 40 00 FF 35 EC 35 40 00 E8 }
condition:
$a0 at pe.entry_point
}
rule FSGv120EngdulekxtBorlandDelphiMicrosoftVisualC {
meta: author="malware-lu"
strings:
$a0 = { 0F B6 D0 E8 01 000000 0C 5A B8 80 ???? 00 EB 02 00 DE 8D 35 F4 000000 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 000000 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 }
condition:
$a0 at pe.entry_point
}
rule CrunchPE: Packer PEiD {
meta: author="malware-lu"
note="Added extra checks"
strings:
$a0 = { 55 E8 ???????? 5D 83 ED 06 8B C5 55 60 89 AD ???????? 2B 85 }
$b = { EB 10 ???????????????????????????????? 55 E8 ???????? 5D 81 ED 18 ?????? 8B C5 55 60 9C 2B 85 E9 06 ???? 89 85 E1 06 ???? FF 74 24 2C E8 BB 01 0000 0F 82 92 05 0000 E8 F1 03 0000 49 0F 88 86 05 0000 68 6C D9 B2 96 33 C0 50 E8 24 03 0000 89 85 D9 41 0000 68 EC 49 7B 79 33 C0 50 E8 11 03 0000 89 85 D1 41 0000 E8 67 05 0000 E9 56 05 0000 51 52 53 33 C9 49 8B D1 33 C0 33 DB AC 32 C1 8A CD 8A EA 8A D6 B6 08 66 D1 EB 66 D1 D8 73 09 66 35 20 83 66 81 F3 B8 ED FE CE 75 EB 33 C8 33 D3 4F 75 D5 F7 D2 F7 D1 5B 8B C2 C1 C0 10 66 8B C1 5A 59 C3 68 03 02 0000 E8 80 04 0000 0F 82 A8 02 0000 96 8B 44 24 04 0F C8 8B D0 25 0F 0F 0F 0F 33 D0 C1 C0 08 0B C2 8B D0 25 33 33 33 33 33 D0 C1 C0 04 0B C2 8B D0 25 55 55 55 55 33 D0 C1 C0 02 0B C2 }
condition:
for any of ($*) : ( $ at pe.entry_point )
}
rule CICompressv10 {
meta: author="malware-lu"
strings:
$a0 = { 6A 04 68 00 10 0000 FF 35 9C 14 40 00 6A 00 FF 15 38 10 40 00 A3 FC 10 40 00 97 BE 00 20 40 00 E8 71 000000 3B 05 9C 14 40 00 75 61 6A 00 6A 20 6A 02 6A 00 6A 03 68 000000 C0 68 94 10 40 00 FF 15 2C 10 40 00 A3 F8 10 40 00 6A 00 68 F4 10 40 00 FF 35 }
condition:
$a0 at pe.entry_point
}
rule ExeShieldv27b {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 40 85 06 00 C3 9C 60 E8 02 000000 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 87 DD 8B 85 E6 90 40 00 01 85 33 90 40 00 66 C7 85 30 90 40 00 9090 01 85 DA 90 40 00 01 85 DE 90 40 00 01 85 E2 90 40 00 BB 7B 11 0000 03 9D EA 90 40 }
condition:
$a0 at pe.entry_point
}
rule UPXInlinerv10byGPcH {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 0000 C7 06 01 000000 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }
condition:
$a0
}
rule PKLITEv114v120 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? BA ???? 05 ???? 3B 06 ???? 72 ?? B4 09 BA ???? CD 21 CD 20 }
condition:
$a0 at pe.entry_point
}
rule ExeToolsCOM2EXE {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5D 83 ED ?? 8C DA 2E 89 96 ???? 83 C2 ?? 8E DA 8E C2 2E 01 96 ???? 60 }
condition:
$a0 at pe.entry_point
}
rule ThinstallEmbedded2545Jitit {
meta: author="malware-lu"
strings:
$a0 = { E8 F2 FF FF FF 50 68 ???????? 68 40 1B 0000 E8 42 FF FF FF E9 9D FF FF FF 000000000000 }
condition:
$a0 at pe.entry_point
}
rule VxARCV4 {
meta: author="malware-lu"
strings:
$a0 = { E8 0000 5D 81 ED 06 01 81 FC 4F 50 74 0B 8D B6 86 01 BF 00 01 57 A4 EB 11 1E 06 }
condition:
$a0 at pe.entry_point
}
rule Armadillo3X5XSiliconRealmsToolworks {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 60 33 C9 75 02 EB 15 EB 33 }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakePESHiELD025emadicius {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 2B 000000 0D 0A 0D 0A 0D 0A 52 65 67 69 73 74 41 72 65 64 20 74 6F 3A 20 4E 4F 4E 2D 43 4F 4D 4D 45 52 43 49 41 4C 21 21 0D 0A 0D 0A 0D 00 58 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule Armadillov252beta2 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? B0 ???????? 68 60 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF ?????? 15 24 }
condition:
$a0 at pe.entry_point
}
rule CipherWallSelfExtratorDecryptorConsolev15 {
meta: author="malware-lu"
strings:
$a0 = { 90 61 BE 00 10 42 00 8D BE 0000 FE FF C7 87 C0 20 02 00 0B 6E 5B 9B 57 83 CD FF EB 0E 90909090 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 }
condition:
$a0 at pe.entry_point
}
rule PCShrinkerv029 {
meta: author="malware-lu"
strings:
$a0 = { BD ???????? 01 AD 55 39 40 ?? 8D B5 35 39 40 }
condition:
$a0 at pe.entry_point
}
rule NsPacKV33LiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D 83 ED 07 8D 85 ???????? 80 38 00 74 }
condition:
$a0 at pe.entry_point
}
rule CopyMinderMicrocosmLtd {
meta: author="malware-lu"
strings:
$a0 = { 83 25 ???????? EF 6A 00 E8 ???????? E8 ???????? CC FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 ???????? FF 25 }
condition:
$a0 at pe.entry_point
}
rule Crunchv5BitArts {
meta: author="malware-lu"
strings:
$a0 = { EB 15 03 000000 06 0000000000000000000000 68 00000000 55 E8 00000000 5D 81 ED 1D 000000 8B C5 55 60 9C 2B 85 FC 07 0000 89 85 E8 07 0000 FF 74 24 2C E8 20 02 0000 0F 82 94 06 0000 E8 F3 04 0000 49 0F 88 88 06 0000 8B B5 E8 07 00 }
condition:
$a0 at pe.entry_point
}
rule PCShrinkerv020 {
meta: author="malware-lu"
strings:
$a0 = { E8 E8 01 ???? 60 01 AD B3 27 40 ?? 68 }
condition:
$a0 at pe.entry_point
}
rule Armadillo500SiliconRealmsToolworks {
meta: author="malware-lu"
strings:
$a0 = { E8 E3 40 0000 E9 16 FE FF FF 6A 0C 68 ???????? E8 44 15 0000 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 36 13 0000 C7 00 0C 000000 57 57 57 57 57 E8 C7 12 0000 83 C4 14 33 C0 E9 D5 000000 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ???????? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ???????? 77 37 6A 04 E8 48 11 0000 59 89 7D FC FF 75 08 E8 01 49 0000 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 000000 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 66 D3 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ???????? FF 15 ???????? 8B D8 3B DF 75 4C 39 3D ???????? 74 33 56 E8 AF F9 FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 000000 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 EE 0F 0000 59 C3 }
condition:
$a0 at pe.entry_point
}
rule SLVc0deProtector060SLVICU {
meta: author="malware-lu"
strings:
$a0 = { EB 02 FA 04 E8 49 000000 69 E8 49 000000 95 E8 4F 000000 68 E8 1F 000000 49 E8 E9 FF FF FF 67 E8 1F 000000 93 E8 31 000000 78 E8 DD }
condition:
$a0
}
rule Kryptonv03 {
meta: author="malware-lu"
strings:
$a0 = { 8B 0C 24 E9 C0 8D 01 ?? C1 3A 6E CA 5D 7E 79 6D B3 64 5A 71 EA }
condition:
$a0 at pe.entry_point
}
rule CrackStopv101cStefanEsser1997 {
meta: author="malware-lu"
strings:
$a0 = { B4 48 BB FF FF B9 EB 27 8B EC CD 21 FA FC }
condition:
$a0 at pe.entry_point
}
rule Kryptonv05 {
meta: author="malware-lu"
strings:
$a0 = { 54 E8 ???????? 5D 8B C5 81 ED 71 44 ???? 2B 85 64 60 ???? EB 43 DF }
condition:
$a0 at pe.entry_point
}
rule Kryptonv04 {
meta: author="malware-lu"
strings:
$a0 = { 54 E8 ???????? 5D 8B C5 81 ED 61 34 ???? 2B 85 60 37 ???? 83 E8 06 }
condition:
$a0 at pe.entry_point
}
rule PassLock2000v10EngMoonlightSoftware {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 56 57 BB 00 50 40 00 66 2E F7 05 34 20 40 00 04 00 0F 85 98 000000 E8 1F 01 0000 C7 43 60 01 000000 8D 83 E4 01 0000 50 FF 15 F0 61 40 00 83 EC 44 C7 04 24 44 000000 C7 44 24 2C 00000000 54 FF 15 E8 61 40 00 B8 0A 000000 F7 44 24 }
condition:
$a0 at pe.entry_point
}
rule Upackv029Betav031BetaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 88 01 ???? AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3 }
condition:
$a0
}
rule AlexProtector10beta2byAlex {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 06 10 40 00 E8 24 000000 EB 01 E9 8B 44 24 0C EB 03 EB 03 C7 EB FB E8 01 000000 A8 83 C4 04 83 80 B8 000000 02 33 C0 EB 01 E9 C3 58 83 C4 04 EB 03 EB 03 C7 EB FB E8 01 000000 A8 83 C4 04 50 64 FF 35 00000000 64 89 25 }
condition:
$a0
}
rule MoleBoxv254Teggo {
meta: author="malware-lu"
strings:
$a0 = { 00 8B 4D F0 8B 11 89 15 ?????? 00 8B 45 FC A3 ?????? 00 5F 5E 8B E5 5D C3 CCCCCC E8 EB FB FF FF 58 E8 ?? 07 0000 58 89 44 24 24 61 58 58 FF D0 E8 ???? 0000 6A 00 FF 15 ?????? 00 CCCCCCCCCCCCCCCCCCCCCCCCCCCC }
condition:
$a0
}
rule Obsidium1337ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 2C 000000 EB 04 ???????? EB 04 ???????? 8B 54 24 0C EB 02 ???? 83 82 B8 000000 27 EB 04 ???????? 33 C0 EB 02 ???? C3 EB 02 ???? EB 03 ?????? 64 67 FF 36 0000 EB 04 ???????? 64 67 89 26 0000 EB 03 ?????? EB 01 ?? 50 EB 02 ???? 33 C0 EB 02 ???? 8B 00 EB 04 ???????? C3 EB 02 ???? E9 FA 000000 EB 04 ???????? E8 D5 FF FF FF EB 02 ???? EB 04 ???????? 58 EB 04 ???????? EB 03 ?????? 64 67 8F 06 0000 EB 01 ?? 83 C4 04 EB 03 ?????? E8 23 27 0000 }
condition:
$a0 at pe.entry_point
}
rule PESpinv03Engcyberbob {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 }
$a1 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 0000 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PseudoSigner02PEPack099Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 11 000000 5D 83 ED 06 80 BD E0 04 9090 01 0F 84 F2 FF CC 0A }
condition:
$a0 at pe.entry_point
}
rule VxVCL {
meta: author="malware-lu"
strings:
$a0 = { AC B9 00 80 F2 AE B9 04 00 AC AE 75 ?? E2 FA 89 }
condition:
$a0 at pe.entry_point
}
rule VterminalV10XLeiPeng {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 58 05 ???????? 9C 50 C2 04 00 }
condition:
$a0 at pe.entry_point
}
rule PEEncrypt10Liwuyue {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 D0 53 56 57 8D 75 FC 8B 44 24 30 25 0000 FF FF 81 38 4D 5A 90 00 74 07 2D 00 10 0000 EB F1 89 45 FC E8 C8 FF FF FF 2D 0F 05 0000 89 45 F4 8B 06 8B 40 3C 03 06 8B 40 78 03 06 8B C8 8B 51 20 03 16 8B 59 24 03 1E 89 5D F0 8B 59 1C 03 1E 89 5D EC 8B 41 18 8B C8 49 85 C9 72 5A 41 33 C0 8B D8 C1 E3 02 03 DA 8B 3B 03 3E 81 3F 47 65 74 50 75 40 8B DF 83 C3 04 81 3B 72 6F 63 41 75 33 8B DF 83 C3 08 81 3B 64 64 72 65 75 26 83 C7 0C 66 81 3F 73 73 }
condition:
$a0 at pe.entry_point
}
rule InstallAnywhere61ZeroGSoftwareInc {
meta: author="malware-lu"
strings:
$a0 = { 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 909090909090 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
$a1 = { 60 BE 00 A0 42 00 8D BE 00 70 FD FF 57 83 CD FF EB 10 909090909090 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule iLUCRYPTv4018exe {
meta: author="malware-lu"
strings:
$a0 = { 8B EC FA C7 ???????? 4C 4C C3 FB BF ???? B8 ???? 2E ???? D1 C8 4F 81 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02ASProtectAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 909090909090 5D 9090909090909090909090 03 DD }
condition:
$a0 at pe.entry_point
}
rule EncryptPEV22006710WFS {
meta: author="malware-lu"
strings:
$a0 = { 60 9C 64 FF 35 00000000 E8 73 01 0000 }
$a1 = { 60 9C 64 FF 35 00000000 E8 73 01 0000000000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????????????????????????????????????????????????????? 00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 47 65 74 54 65 6D 70 50 61 74 68 41 000000 43 72 65 61 74 65 46 69 6C 65 41 000000 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 000000 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 43 6C 6F 73 65 48 61 6E 64 6C 65 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 45 78 69 74 50 72 6F 63 65 73 73 00000000 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule Themida10xx18xxnocompressionOreansTechnologies {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 D8 60 E8 00000000 5A 81 EA ???????? 8B DA C7 45 D8 00000000 8B 45 D8 40 89 45 D8 81 7D D8 80 000000 74 0F 8B 45 08 89 83 ???????? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00000000 }
$a1 = { 55 8B EC 83 C4 D8 60 E8 00000000 5A 81 EA ???????? 8B DA C7 45 D8 00000000 8B 45 D8 40 89 45 D8 81 7D D8 80 000000 74 0F 8B 45 08 89 83 ???????? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00000000 5A 81 EA ???????? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00000000 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 000000 75 E3 C7 85 7C FF FF FF 00000000 8D BA ???????? 8D 75 80 8A 0E BB F4 01 0000 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 000000 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00000000 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00000000 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00000000 EB }
condition:
$a0 or $a1
}
rule StonesPEEncryptorv10 {
meta: author="malware-lu"
strings:
$a0 = { 55 57 56 52 51 53 E8 ???????? 5D 8B D5 81 ED 63 3A 40 ?? 2B 95 C2 3A 40 ?? 83 EA 0B 89 95 CB 3A 40 ?? 8D B5 CA 3A 40 ?? 0F B6 36 }
condition:
$a0 at pe.entry_point
}
rule PolyBoxDAnskya {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 33 C9 51 51 51 51 51 53 33 C0 55 68 84 2C 40 00 64 FF 30 64 89 20 C6 45 FF 00 B8 B8 46 40 00 BA 24 000000 E8 8C F3 FF FF 6A 24 BA B8 46 40 00 8B 0D B0 46 40 00 A1 94 46 40 00 E8 71 FB FF FF 84 C0 0F 84 6E 01 0000 8B 1D D0 46 40 00 8B C3 83 C0 24 03 05 D8 46 40 00 3B 05 B4 46 40 00 0F 85 51 01 0000 8D 45 F4 BA B8 46 40 00 B9 10 000000 E8 A2 EC FF FF 8B 45 F4 BA 9C 2C 40 00 E8 F1 ED FF FF }
condition:
$a0
}
rule Mew10execoder10NorthfoxHCC {
meta: author="malware-lu"
strings:
$a0 = { 33 C0 E9 ???? FF FF 6A ?????????? 70 }
condition:
$a0 at pe.entry_point
}
rule PECrypt102 {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7 }
condition:
$a0 at pe.entry_point
}
rule DIETv100d {
meta: author="malware-lu"
strings:
$a0 = { FC 06 1E 0E 8C C8 01 ?????? BA ???? 03 ???????????????????????????? 00000000 }
condition:
$a0 at pe.entry_point
}
rule RLPackV119LZMA430ap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 0000 EB 0C 8B 85 45 0B 0000 89 85 49 0B 0000 8D B5 6D 0B 0000 8D 9D 2F 03 0000 33 FF 6A 40 68 00 10 0000 68 00 20 0C 00 6A 00 FF 95 DA 0A 0000 89 85 41 0B 0000 E8 76 01 0000 EB 20 60 8B 85 49 0B 0000 FF B5 41 0B 0000 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 000000 74 0E 83 BD 59 0B 000000 74 05 E8 D7 01 0000 8D 74 37 04 53 6A 40 68 00 10 0000 68 ???????? 6A 00 FF 95 DA 0A 0000 89 85 69 0B 0000 5B 60 FF B5 41 0B 0000 56 FF B5 69 0B 0000 FF D3 61 8B B5 69 0B 0000 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 0000 83 C0 04 89 85 65 0B 0000 E9 98 000000 56 FF 95 D2 0A 0000 89 85 61 0B 0000 85 C0 0F 84 C8 000000 8B C6 EB 5F 8B 85 65 0B 0000 8B 00 A9 000000 80 74 14 35 000000 80 50 8B 85 65 0B 0000 C7 00 20 20 20 00 EB 06 FF B5 65 0B 0000 FF B5 61 0B 0000 FF 95 D6 0A 0000 85 C0 0F 84 87 000000 89 07 83 C7 04 8B 85 65 0B 0000 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 0000 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 0000 83 C0 04 89 85 65 0B 0000 80 3E 01 0F 85 5F FF FF FF 68 00 40 0000 68 ???????? FF B5 69 0B 0000 FF 95 DE 0A 0000 68 00 40 0000 68 00 20 0C 00 FF B5 41 0B 0000 FF 95 DE 0A 0000 E8 3D 000000 E8 24 01 0000 61 E9 ???????? 61 C3 }
condition:
$a0 at pe.entry_point
}
rule ENIGMAProtectorV112SukhovVladimir {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 83 C5 FA 81 ED ?????? 00 ?????????????????????????????????????????????????????????????? E8 01 000000 9A 83 C4 04 EB 02 FF 35 60 E8 24 0000000000 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 000000 03 31 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakeASPack212FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 60 E8 03 000000 E9 EB 04 5D 45 55 C3 E8 01 000000 EB 5D BB ED FF FF FF 03 DD 81 EB }
condition:
$a0 at pe.entry_point
}
rule MacromediaWindowsFlashProjectorPlayerv50 {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 44 56 FF 15 70 61 44 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C 3C 20 7E 08 8A 46 01 46 3C 20 7F F8 8A 06 84 C0 74 0C 3C 20 7F 08 8A 46 01 46 84 C0 75 F4 8D 44 24 04 C7 44 24 30 00 }
condition:
$a0 at pe.entry_point
}
rule IDApplicationProtector12IDSecuritySuite {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED F2 0B 47 00 B9 19 22 47 00 81 E9 EA 0E 47 00 89 EA 81 C2 EA 0E 47 00 8D 3A 89 FE 31 C0 E9 D3 02 0000 CCCCCCCC E9 CA 02 0000 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 6F 66 74 57 61 72 65 50 72 6F 74 65 63 74 6F 72 5C }
condition:
$a0 at pe.entry_point
}
rule WWPACKv305c4ExtractablePasswordchecking {
meta: author="malware-lu"
strings:
$a0 = { 03 05 80 1A B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 B9 ???? 51 06 06 B1 ?? 51 8C D3 }
condition:
$a0 at pe.entry_point
}
rule HASPHLProtectionV1XAladdin {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 56 57 60 8B C4 A3 ???????? B8 ???????? 2B 05 ???????? A3 ???????? 83 3D ???????? 00 74 15 8B 0D ???????? 51 FF 15 ???????? 83 C4 04 E9 A5 000000 68 ???????? FF 15 ???????? A3 ???????? 68 ???????? FF 15 }
$a1 = { 55 8B EC 53 56 57 60 8B C4 A3 ???????? B8 ???????? 2B 05 ???????? A3 ???????? 83 3D ???????? 00 74 15 8B 0D ???????? 51 FF 15 ???????? 83 C4 04 E9 A5 000000 68 ???????? FF 15 ???????? A3 ???????? 68 ???????? FF 15 ???????? A3 ???????? 8B 15 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule ASProtectv10 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 01 ?????? 90 5D 81 ED ???????? BB ???????? 03 DD 2B 9D }
condition:
$a0 at pe.entry_point
}
rule ASProtectv11 {
meta: author="malware-lu"
strings:
$a0 = { 60 E9 ?? 04 ???? E9 ?????????????? EE }
condition:
$a0 at pe.entry_point
}
rule Armadillov275a {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 68 ?????? 68 D0 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?????? 33 D2 8A D4 89 15 24 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner0132Lite003Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 06 FC 1E 07 BE 90909090 6A 04 68 90 10 9090 68 ???????? E9 }
condition:
$a0 at pe.entry_point
}
rule VxDoom666 {
meta: author="malware-lu"
strings:
$a0 = { E8 ?????? 5E 83 EE ?? B8 CF 7B CD 21 3D CF 7B ???? 0E 1F 81 C6 ???? BF ???? B9 ???? FC F3 A4 06 1F 06 B8 ???? 50 CB B4 48 BB 2C 00 CD 21 }
condition:
$a0 at pe.entry_point
}
rule VxSpanz {
meta: author="malware-lu"
strings:
$a0 = { E8 0000 5E 81 EE ???? 8D 94 ???? B4 1A CD 21 C7 84 }
condition:
$a0 at pe.entry_point
}
rule BeRoEXEPackerv100DLLLZBRSBeRoFarbrausch {
meta: author="malware-lu"
strings:
$a0 = { 83 7C 24 08 01 0F 85 ???????? 60 BE ???????? BF ???????? FC AD 8D 1C 07 B0 80 3B FB 73 3B E8 ???????? 72 03 A4 EB F2 E8 ???????? 8D 51 FF E8 ???????? 56 8B F7 2B F2 F3 A4 5E EB DB 02 C0 75 03 AC 12 C0 C3 33 }
condition:
$a0 at pe.entry_point
}
rule Pksmart10b {
meta: author="malware-lu"
strings:
$a0 = { BA ???? 8C C8 8B C8 03 C2 81 ?????? 51 B9 ???? 51 1E 8C D3 }
condition:
$a0 at pe.entry_point
}
rule PELockv106 {
meta: author="malware-lu"
strings:
$a0 = { 0000000000000000 ???????????????? 00000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 4B 45 }
condition:
$a0 at pe.entry_point
}
rule LaunchAnywherev4001 {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 53 83 EC 48 55 B8 FF FF FF FF 50 50 68 E0 3E 42 00 64 FF 35 00000000 64 89 25 00000000 68 C0 69 44 00 E8 E4 80 FF FF 59 E8 4E 29 0000 E8 C9 0D 0000 85 C0 75 08 6A FF E8 6E 2B 0000 59 E8 A8 2C 0000 E8 23 2E 0000 FF 15 4C C2 44 00 89 C3 }
condition:
$a0 at pe.entry_point
}
rule Upackv033v034BetaDwing {
meta: author="malware-lu"
strings:
$a0 = { 59 F3 A5 83 C8 FF 8B DF AB 40 AB 40 }
condition:
$a0 at pe.entry_point
}
rule GameGuardnProtect {
meta: author="malware-lu"
strings:
$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 000000 80 7C 24 08 01 E9 00000000 60 BE ???????? 31 FF 74 06 61 E9 4A 4D 50 30 8D BE ???????? 31 C9 74 06 61 E9 4A 4D 50 30 B8 7D 000000 39 C2 B8 4C 000000 F7 D0 75 3F 64 A1 30 000000 85 C0 78 23 8B 40 0C 8B 40 0C C7 40 20 00 10 0000 64 A1 18 000000 8B 40 30 0F B6 40 02 85 C0 75 16 E9 12 000000 31 C0 64 A0 20 000000 85 C0 75 05 E9 01 000000 61 57 83 CD FF EB 0B 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 }
condition:
$a0 at pe.entry_point
}
rule yodasProtectorV1032AshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { E8 03 000000 EB 01 ?? BB 55 000000 E8 03 000000 EB 01 ?? E8 8F 000000 E8 03 000000 EB 01 ?? E8 82 000000 E8 03 000000 EB 01 ?? E8 B8 000000 E8 03 000000 EB 01 ?? E8 AB 000000 E8 03 000000 EB 01 ?? 83 FB 55 E8 03 000000 EB 01 ?? 75 2E E8 03 000000 EB 01 ?? C3 60 E8 00000000 5D 81 ED 94 73 42 00 8B D5 81 C2 E3 73 42 00 52 E8 01 000000 C3 C3 E8 03 000000 EB 01 ?? E8 0E 000000 E8 D1 FF FF FF C3 E8 03 000000 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 000000 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 000000 EB 01 ?? 33 DB B9 BF A4 42 00 81 E9 8E 74 42 00 8B D5 81 C2 8E 74 42 00 8D 3A 8B F7 33 C0 E8 03 000000 EB 01 ?? E8 17 000000 909090 E9 63 29 0000 33 C0 64 FF 30 64 89 20 43 CC C3 }
condition:
$a0 at pe.entry_point
}
rule nBinderv40 {
meta: author="malware-lu"
strings:
$a0 = { 5C 6E 62 34 5F 74 6D 70 5F 30 31 33 32 34 35 34 33 35 30 5C 000000000000000000 E9 55 43 4C FF 01 1A 00000000 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E 32 88 DB 0E A4 B8 DC 79 }
condition:
$a0
}
rule AnslymFUDCrypter {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 53 56 B8 38 17 05 10 E8 5A 45 FB FF 33 C0 55 68 21 1C 05 10 64 FF 30 64 89 20 EB 08 FC FC FC FC FC FC 27 54 E8 85 4C FB FF 6A 00 E8 0E 47 FB FF 6A 0A E8 27 49 FB FF E8 EA 47 FB FF 6A 0A }
condition:
$a0 at pe.entry_point
}
rule EPExEPackV10EliteCodingGroup {
meta: author="malware-lu"
strings:
$a0 = { 60 68 ???????? B8 ???????? FF 10 }
condition:
$a0 at pe.entry_point
}
rule SimplePack12build3009Method2bagie {
meta: author="malware-lu"
strings:
$a0 = { 4D 5A 90 EB 01 00 52 E9 86 01 0000 50 45 0000 4C 01 02 00000000000000000000000000 E0 00 0F 03 0B 01 00000000000000000000000000000000000000000000 0C 00000000 ?????? 00 10 000000 02 0000 01 00000000000000 04 00000000000000 }
condition:
$a0
}
rule WinZip32bitSFXv6xmodule {
meta: author="malware-lu"
strings:
$a0 = { FF 15 ?????? 00 B1 22 38 08 74 02 B1 20 40 80 38 00 74 10 38 08 74 06 40 80 38 00 75 F6 80 38 00 74 01 40 33 C9 ???????? FF 15 }
condition:
$a0 at pe.entry_point
}
rule VxEinstein {
meta: author="malware-lu"
strings:
$a0 = { 00 42 CD 21 72 31 B9 6E 03 33 D2 B4 40 CD 21 72 19 3B C1 75 15 B8 00 42 }
condition:
$a0 at pe.entry_point
}
rule VideoLanClient {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 08 ?????????????????????????????? FF FF }
condition:
$a0 at pe.entry_point
}
rule CrunchPEv10xx {
meta: author="malware-lu"
strings:
$a0 = { 55 E8 ???????? 5D 83 ED 06 8B C5 55 60 89 AD ???????? 2B 85 ???????? 89 85 ???????? 80 BD ?????????? 75 09 C6 85 }
condition:
$a0 at pe.entry_point
}
rule VxTravJack883 {
meta: author="malware-lu"
strings:
$a0 = { EB ?? 9C 9E 26 ???? 51 04 ?? 7D ?? 00 ?? 2E ???????? 8C C8 8E C0 8E D8 80 ???????? 74 ?? 8A ?????? BB ???? 8A ?? 32 C2 88 ?? FE C2 43 81 }
condition:
$a0 at pe.entry_point
}
rule RSCsProcessPatcherv151 {
meta: author="malware-lu"
strings:
$a0 = { 68 00 20 40 00 E8 C3 01 0000 80 38 00 74 0D 66 81 78 FE 22 20 75 02 EB 03 40 EB EE 8B F8 B8 04 60 40 00 68 C4 20 40 00 68 D4 20 40 00 6A 00 6A 00 6A 04 6A 00 6A 00 6A 00 57 50 E8 9F 01 0000 85 C0 0F 84 39 01 0000 BE 00 60 40 00 8B 06 A3 28 21 40 00 83 }
condition:
$a0
}
rule kryptor9 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5E B9 ???????? 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9 }
condition:
$a0 at pe.entry_point
}
rule SecuPackv15 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 CC 3A 40 ?? E8 E0 FC FF FF 33 C0 55 68 EA 3C 40 ?? 64 FF 30 64 89 20 6A ?? 68 80 ?????? 6A 03 6A ?? 6A 01 ?????? 80 }
condition:
$a0 at pe.entry_point
}
rule kryptor5 {
meta: author="malware-lu"
strings:
$a0 = { E8 03 ?????? E9 EB 6C 58 40 FF E0 }
condition:
$a0 at pe.entry_point
}
rule kryptor6 {
meta: author="malware-lu"
strings:
$a0 = { E8 03 ?????? E9 EB 68 58 33 D2 74 02 E9 E9 40 42 75 02 }
condition:
$a0 at pe.entry_point
}
rule ACProtectV13Xrisco {
meta: author="malware-lu"
strings:
$a0 = { 60 50 E8 01 000000 75 83 }
condition:
$a0 at pe.entry_point
}
rule PELockNTv202c {
meta: author="malware-lu"
strings:
$a0 = { EB 02 C7 85 1E EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 02 CD }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02MinGWGCC2xAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 E8 02 000000 C9 C3 9090 45 58 45 }
condition:
$a0 at pe.entry_point
}
rule FreeBASIC016b {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 000000 FF 15 ?????? 00 E8 88 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 C7 04 24 02 000000 FF 15 ?????? 00 E8 68 FF FF FF 89 EC 31 C0 5D C3 89 F6 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?????? 00 89 EC 5D C3 8D 76 00 8D BC 27 00000000 55 89 E5 83 EC 08 8B 45 08 89 04 24 FF 15 ?????? 00 89 EC 5D C3 90909090909090909090 }
condition:
$a0 at pe.entry_point
}
rule RCryptorv16bv16cVaska {
meta: author="malware-lu"
strings:
$a0 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 }
$a1 = { 8B C7 03 04 24 2B C7 80 38 50 0F 85 1B 8B 1F FF 68 ???????? B8 ???????? 3D ???????? 74 06 80 30 ?? 40 EB F3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule FileShield: Packer PEiD {
meta: author="malware-lu"
strings:
$a0 = { 50 1E EB ?? 90 0000 8B D8 }
condition:
$a0 at pe.entry_point
}
rule SDC12SelfDecryptingBinaryGeneratorbyClaesMNyberg {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 000000 FF 15 A0 91 40 00 E8 DB FE FF FF 55 89 E5 53 83 EC 14 8B 45 08 8B 00 8B 00 3D 91 0000 C0 77 3B 3D 8D 0000 C0 72 4B BB 01 000000 C7 44 24 04 00000000 C7 04 24 08 000000 E8 CE 24 0000 83 F8 01 0F 84 C4 000000 85 C0 0F 85 A9 000000 31 C0 83 C4 14 5B 5D C2 04 00 3D 94 0000 C0 74 56 3D 96 0000 C0 74 1E 3D 93 0000 C0 75 E1 EB B5 3D 05 0000 C0 8D B4 26 00000000 74 43 3D 1D 0000 C0 75 CA C7 44 24 04 00000000 C7 04 24 04 000000 E8 73 24 0000 83 F8 01 0F 84 99 000000 85 C0 74 A9 C7 04 24 04 000000 FF D0 B8 FF FF FF FF EB 9B 31 DB 8D 74 26 00 E9 69 FF FF FF C7 44 24 04 00000000 C7 04 24 0B 000000 E8 37 24 0000 83 F8 01 74 7F 85 C0 0F 84 6D FF FF FF C7 04 24 0B 000000 8D 76 00 FF D0 B8 FF FF FF FF E9 59 FF FF FF C7 04 24 08 000000 FF D0 B8 FF FF FF FF E9 46 FF FF FF C7 44 24 04 01 000000 C7 04 24 08 000000 E8 ED 23 0000 B8 FF FF FF FF 85 DB 0F 84 25 FF FF FF E8 DB 15 0000 B8 FF FF FF FF E9 16 FF FF FF C7 44 24 04 01 000000 C7 04 24 04 000000 E8 BD 23 0000 B8 FF FF FF FF E9 F8 FE FF FF C7 44 24 04 01 000000 C7 04 24 0B 000000 E8 9F 23 0000 B8 FF FF FF FF E9 DA FE FF FF }
condition:
$a0 at pe.entry_point
}
rule PKLITEv1501 {
meta: author="malware-lu"
strings:
$a0 = { 50 B8 ???? BA ???? 05 ???? 3B 06 ???? 72 ?? B4 ?? BA ???? CD 21 B8 ???? CD 21 }
condition:
$a0 at pe.entry_point
}
rule Inbuildv10hard {
meta: author="malware-lu"
strings:
$a0 = { B9 ???? BB ???? 2E ???? 2E ???? 43 E2 }
condition:
$a0 at pe.entry_point
}
rule ExeShieldvxx {
meta: author="malware-lu"
strings:
$a0 = { 65 78 65 73 68 6C 2E 64 6C 6C C0 5D 00 }
condition:
$a0 at pe.entry_point
}
rule RCryptorv20Vaska {
meta: author="malware-lu"
strings:
$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ?? 02 0000 F7 D1 83 F1 FF 59 BA 32 21 ?? 00 F7 D1 83 F1 FF F7 D1 83 F1 FF 80 02 E3 F7 D1 83 F1 FF C0 0A 05 F7 D1 83 F1 FF 80 02 6F F7 D1 83 F1 FF 80 32 A4 F7 D1 83 F1 FF 80 02 2D F7 D1 83 F1 FF 42 49 85 C9 75 CD 1C 4F 8D 5B FD 62 1E 1C 4F 8D 5B FD 4D 9D B9 ?????? 1E 1C 4F 8D 5B FD 22 1C 4F 8D 5B FD 8E A2 B9 B9 E2 83 DB E2 E5 4D CD 1E BF 60 AB 1F 4D DB 1E 1E 3D 1E 92 1B 8E DC 7D EC A4 E2 4D E5 20 C6 CC B2 8E EC 2D 7D DC 1C 4F 8D 5B FD 83 56 8E E0 3A 7D D0 8E 9D 6E 7D D6 4D 25 06 C2 AB 20 CC 3A 4D 2D 9D 6B 0B 81 45 CC 18 4D 2D 1F A1 A1 6B C2 CC F7 E2 4D 2D 9E 8B 8B CC DE 2E 2D F7 1E AB 7D 45 92 30 8E E6 B9 7D D6 8E 9D 27 DA FD FD 1E 1E 8E DF B8 7D CF 8E A3 4D 7D DC 1C 4F 8D 5B FD 33 D7 1E 1E 1E A6 0B 41 A1 A6 42 61 6B 41 6B 4C 45 1E 21 F6 26 BC E2 62 1E 62 1E 62 1E 23 63 59 ?? 1E 62 1E 62 1E 33 D7 1E 1E 1E 85 6B C2 41 AB C2 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 20 33 9E 1E 1E 1E 85 A2 0B 8B C2 27 41 EB A1 A2 C2 1E C0 FD F0 FD 30 62 1E 33 7E 1E 1E 1E C6 2D 42 AB 9F 23 6B C2 41 A1 1E C0 FD F0 FD 30 C0 FD F0 8E 1D 1C 4F 8D 5B FD E0 00 33 5E 1E 1E 1E BF 0B EC C2 E6 42 A2 C2 45 1E C0 FD F0 FD 30 CE 36 CC F2 1C 4F 8D 5B FD }
condition:
$a0 at pe.entry_point
}
rule PECompactv125 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? F3 0D }
condition:
$a0 at pe.entry_point
}
rule RCryptorv1Vaska {
meta: author="malware-lu"
strings:
$a0 = { 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68 }
$a1 = { 90 58 90 50 90 8B 00 90 3C 50 90 58 0F 85 67 D6 EF 11 50 68 ???????? B8 ???????? 3D ???????? 74 06 80 30 ?? 40 EB F3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PECompactv122 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 ?? 70 40 ?? 9090 01 85 9E 70 40 ?? BB F3 08 }
condition:
$a0 at pe.entry_point
}
rule Packmanv10BrandonLaCombe {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA 8B E8 C6 06 E9 8B 43 0C 89 46 01 6A 04 68 00 10 0000 FF 73 08 51 FF 55 08 8B }
condition:
$a0 at pe.entry_point
}
rule SpecialEXEPaswordProtectorV101EngPavolCerven {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 06 000000 89 AD 8C 01 0000 8B C5 2B 85 FE 75 0000 89 85 3E }
condition:
$a0 at pe.entry_point
}
rule ExeSmashervxx {
meta: author="malware-lu"
strings:
$a0 = { 9C FE 03 ?? 60 BE ???? 41 ?? 8D BE ?? 10 FF FF 57 83 CD FF EB 10 }
condition:
$a0 at pe.entry_point
}
rule PEArmor046ChinaCrackingGroup {
meta: author="malware-lu"
strings:
$a0 = { E8 AA 000000 2D ???? 000000000000000000 3D ???? 00 2D ???? 000000000000000000000000000000000000000000 4B ???? 00 5C ???? 00 6F ???? 0000000000 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00000000 47 65 74 50 72 6F 63 41 }
condition:
$a0 at pe.entry_point
}
rule VMProtect106107PolyTech {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 68 00000000 8B 74 24 28 BF ???????? FC 89 F3 03 34 24 AC 00 D8 }
condition:
$a0
}
rule USSR031bySpirit {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5D 83 C5 12 55 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 8C C9 30 C9 E3 01 C3 BE 32 ?????? B0 ?? 30 06 8A 06 46 81 FE 00 ?????? 7C F3 }
condition:
$a0
}
rule PeCompact253DLLSlimLoaderBitSumTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 50 64 FF 35 00000000 64 89 25 00000000 33 C0 89 08 50 45 43 32 0000 08 0C 00 48 E1 01 56 57 53 55 8B 5C 24 1C 85 DB 0F 84 AB 21 E8 BD 0E E6 60 0D 0B 6B 65 72 6E 6C 33 32 }
condition:
$a0 at pe.entry_point
}
rule LameCryptv10 {
meta: author="malware-lu"
strings:
$a0 = { 60 66 9C BB ???????? 80 B3 00 10 40 00 90 4B 83 FB FF 75 F3 66 9D 61 }
condition:
$a0 at pe.entry_point
}
rule Cygwin32: Packer PEiD {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 04 83 3D }
condition:
$a0 at pe.entry_point
}
rule ASProtectv123RC4build0807exeAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 90 60 E8 03 000000 E9 EB 04 5D 45 55 C3 E8 01 000000 EB 5D BB ED FF FF FF 03 DD 81 EB ???????? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 0000 8D 45 35 50 E9 82 00000000000000000000000000000000 }
condition:
$a0
}
rule Armadillov210b2 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 18 12 41 00 68 24 A0 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule Armadillov190 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 10 F2 40 00 68 64 9A 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule eXPressorProtection150XCGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 EB 01 ???????? 83 EC 0C 53 56 57 EB 01 ?? 83 3D ???????? 00 74 08 EB 01 E9 E9 56 01 0000 EB 02 E8 E9 C7 05 ???????? 01 000000 EB 01 C2 E8 E2 05 0000 EB 02 DA 9F 68 ???????? 68 ???????? B8 ???????? FF D0 59 59 EB 01 C8 EB 02 66 F0 68 ???????? E8 0E 05 0000 59 EB 01 DD 83 65 F4 00 EB 07 8B 45 F4 40 89 45 F4 83 7D F4 61 73 1F EB 02 DA 1A 8B 45 F4 0F ???????????? 33 45 F4 8B 4D F4 88 ?????????? EB 01 EB EB }
condition:
$a0
}
rule VxNecropolis1963 {
meta: author="malware-lu"
strings:
$a0 = { B4 30 CD 21 3C 03 ???? B8 00 12 CD 2F 3C FF B8 ???????? B4 4A BB 40 01 CD 21 ???? FA 0E 17 BC ???? E8 ???? FB A1 ???? 0B C0 }
condition:
$a0 at pe.entry_point
}
rule Shrinkv20 {
meta: author="malware-lu"
strings:
$a0 = { E9 ???? 50 9C FC BE ???? 8B FE 8C C8 05 ???? 8E C0 06 57 B9 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02UPX06Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 58 83 E8 3D 50 8D B8 000000 FF 57 8D B0 E8 000000 }
condition:
$a0 at pe.entry_point
}
rule PESpinV071cyberbob {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E }
condition:
$a0 at pe.entry_point
}
rule XHider10GlobaL {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 EC 33 C0 89 45 EC B8 54 20 44 44 E8 DF F8 FF FF 33 C0 55 68 08 21 44 44 64 FF 30 64 89 20 8D 55 EC B8 1C 21 44 44 E8 E0 F9 FF FF 8B 55 EC B8 40 ???? 44 E8 8B F5 FF FF 6A 00 6A 00 6A 02 6A 00 6A 01 68 000000 40 A1 40 ???? 44 E8 7E F6 FF FF 50 E8 4C F9 FF FF 6A 00 50 E8 4C F9 FF FF A3 28 ???? 44 E8 CE FE FF FF 33 C0 5A 59 59 64 89 10 68 0F 21 44 44 8D 45 EC E8 F1 F4 FF FF C3 E9 BB F2 FF FF EB F0 E8 FC F3 FF FF FF FF FF FF 0E 000000 63 3A 5C 30 30 30 30 30 30 31 2E 64 61 74 00 }
$a1 = { 85 D2 74 23 8B 4A F8 41 7F 1A 50 52 8B 42 FC E8 30 000000 89 C2 58 52 8B 48 FC E8 48 FB FF FF 5A 58 EB 03 FF 42 F8 87 10 85 D2 74 13 8B 4A F8 49 7C 0D FF 4A F8 75 08 8D 42 F8 E8 5C FA FF FF C3 8D 40 00 85 C0 7E 24 50 83 C0 0A 83 E0 FE 50 E8 2F FA FF FF 5A 66 C7 44 02 FE 0000 83 C0 08 5A 89 50 FC C7 40 F8 01 000000 C3 31 C0 C3 90 }
condition:
$a0 at pe.entry_point or $a1
}
rule PseudoSigner01MicrosoftVisualC70DLLAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 8D 6C 01 00 81 EC 00000000 8B 45 90 83 F8 01 56 0F 84 00000000 85 C0 0F 84 ???????? E9 }
condition:
$a0 at pe.entry_point
}
rule EXEShieldV05Smoke {
meta: author="malware-lu"
strings:
$a0 = { E8 04 000000 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00000000 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 0000 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 000000 83 EB 01 00 8B FE E8 00000000 58 83 C0 07 50 C3 00 EB 04 58 40 }
$a1 = { E8 04 000000 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00000000 5D 81 ED BC 1A 40 00 EB 01 00 8D B5 46 1B 40 00 BA B3 0A 0000 EB 01 00 8D 8D F9 25 40 00 8B 09 E8 14 000000 83 EB 01 00 8B FE E8 00000000 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 000000 83 EB 01 00 2A C2 E8 00000000 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00000000 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule UnnamedScrambler25Ap0ke {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B9 0B 000000 6A 00 6A 00 49 75 F9 51 53 56 57 B8 6C 3E 40 00 E8 F7 EA FF FF 33 C0 55 68 60 44 40 00 64 FF 30 64 89 20 BA 70 44 40 00 B8 B8 6C 40 00 E8 62 F3 FF FF 8B D8 85 DB 75 07 6A 00 E8 A1 EB FF FF BA E8 64 40 00 8B C3 8B 0D B8 6C 40 00 E8 37 D3 FF FF C7 05 BC 6C 40 00 0A 000000 BB 68 6C 40 00 BE 90 6C 40 00 BF E8 64 40 00 B8 C0 6C 40 00 BA 04 000000 E8 07 EC FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 09 F3 FF FF 89 03 83 3B 00 0F 84 BB 04 0000 B8 C0 6C 40 00 8B 16 E8 06 E2 FF FF B8 C0 6C 40 00 E8 24 E1 FF FF 8B D0 8B 03 8B 0E E8 D1 D2 FF FF 8B C7 A3 20 6E 40 00 8D 55 EC 33 C0 E8 0C D4 FF FF 8B 45 EC B9 1C 6E 40 00 BA 18 6E 40 00 }
condition:
$a0
}
rule Armadillov177 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 B0 71 40 00 68 6C 37 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule VxTrivial25 {
meta: author="malware-lu"
strings:
$a0 = { B4 4E FE C6 CD 21 B8 ?? 3D BA ?? 00 CD 21 93 B4 40 CD }
condition:
$a0 at pe.entry_point
}
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule Armadillov171 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? 68 ???????? 64 A1 }
condition:
$a0 at pe.entry_point
}
*/
rule KBySV022shoooo {
meta: author="malware-lu"
strings:
$a0 = { 68 ???????? E8 01 000000 C3 C3 11 55 07 8B EC B8 ???????? E8 }
condition:
$a0 at pe.entry_point
}
rule InnoSetupModule {
meta: author="malware-lu"
strings:
$a0 = { 49 6E 6E 6F 53 65 74 75 70 4C 64 72 57 69 6E 64 6F 77 0000 53 54 41 54 49 43 }
$a1 = { 55 8B EC 83 C4 ?? 53 56 57 33 C0 89 45 F0 89 45 ?? 89 45 ?? E8 ???? FF FF E8 ???? FF FF E8 ???? FF FF E8 ???? FF FF E8 ???? FF FF }
condition:
$a0 at pe.entry_point or $a1
}
rule piritv15 {
meta: author="malware-lu"
strings:
$a0 = { 5B 24 55 50 44 FB 32 2E 31 5D }
condition:
$a0 at pe.entry_point
}
rule SoftSentryv30 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 EC ?? 53 56 57 E9 B0 06 }
condition:
$a0 at pe.entry_point
}
rule EncryptPEV22007411WFS {
meta: author="malware-lu"
strings:
$a0 = { 60 9C 64 FF 35 00000000 E8 1B 02 0000000000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????????????????????????????????????????????????????? 00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 47 65 74 54 65 6D 70 50 61 74 68 41 000000 43 72 65 61 74 65 46 69 6C 65 41 000000 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 000000 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 43 6C 6F 73 65 48 61 6E 64 6C 65 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 45 78 69 74 50 72 6F 63 65 73 73 000000000000 }
condition:
$a0 at pe.entry_point
}
rule Armadillov19x {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 98 ?????? 68 10 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 }
condition:
$a0 at pe.entry_point
}
rule Armadillov285 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 68 ?????? 68 ???????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 28 ?????? 33 D2 8A D4 89 15 24 }
condition:
$a0 at pe.entry_point
}
rule ASProtectvxx {
meta: author="malware-lu"
strings:
$a0 = { 60 ?????????? 90 5D ?????????????????????? 03 DD }
condition:
$a0 at pe.entry_point
}
rule ExeShieldv17 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 90 1F 06 00 C3 9C 60 E8 02 000000 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 }
condition:
$a0 at pe.entry_point
}
rule Splasherv10v30 {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 8B 44 24 24 E8 ???????? 5D 81 ED ???????? 50 E8 ED 02 ???? 8C C0 0F 84 }
condition:
$a0 at pe.entry_point
}
rule FreeCryptor01build002GlOFF {
meta: author="malware-lu"
strings:
$a0 = { 8B 04 24 40 90 83 C0 07 80 38 9090 74 02 EB FF 90 68 27 ???? 00 64 FF 35 00000000 64 89 25 00000000 FF E4 90 8B 04 24 64 A3 00000000 8B 64 24 08 90 83 C4 08 }
condition:
$a0
}
rule EXEShieldV06SMoKE {
meta: author="malware-lu"
strings:
$a0 = { E8 04 000000 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00000000 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 0000 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 000000 83 EB 01 00 8B FE E8 00000000 58 83 C0 07 50 C3 00 EB 04 58 40 }
$a1 = { E8 04 000000 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00000000 5D 81 ED D4 1A 40 00 EB 01 00 8D B5 5E 1B 40 00 BA A1 0B 0000 EB 01 00 8D 8D FF 26 40 00 8B 09 E8 14 000000 83 EB 01 00 8B FE E8 00000000 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 000000 83 EB 01 00 2A C2 E8 00000000 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00000000 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 90 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PseudoSigner02MicrosoftVisualBasic5060Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 68 ???????? E8 0A 000000000000000000 30 000000 }
condition:
$a0 at pe.entry_point
}
rule RLPack118DllLZMA430ap0x {
meta: author="malware-lu"
strings:
$a0 = { 80 7C 24 08 01 0F 85 ?? 01 0000 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 ???????? 8D 9D ???????? 33 FF E8 9F 01 0000 6A ?? 68 ???????? 68 ???????? 6A ?? FF 95 AA 0A 0000 89 85 F9 0A 0000 EB 14 60 FF B5 F9 0A 0000 FF 34 37 FF 74 37 04 FF D3 61 83 C7 08 83 3C 37 00 75 E6 83 BD 0D 0B 000000 74 0E 83 BD 11 0B 000000 74 05 E8 F6 01 0000 8D 74 37 04 53 6A ?? 68 ???????? 68 ???????? 6A ?? FF 95 AA 0A 0000 89 85 1D 0B 0000 5B 60 FF B5 F9 0A 0000 56 FF B5 1D 0B 0000 FF D3 61 8B B5 1D 0B 0000 8B C6 EB 01 }
condition:
$a0 at pe.entry_point
}
rule PKLITEv100v103 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? BA ???? 8C DB 03 D8 3B }
condition:
$a0 at pe.entry_point
}
rule Shrinkerv34 {
meta: author="malware-lu"
strings:
$a0 = { 83 3D B4 ???????? 55 8B EC 56 57 75 6B 68 00 01 0000 E8 ?? 0B 0000 83 C4 04 8B 75 08 A3 B4 ?????? 85 F6 74 23 83 7D 0C 03 77 1D 68 FF }
$a1 = { BB ???? BA ???? 81 C3 07 00 B8 40 B4 B1 04 D3 E8 03 C3 8C D9 49 8E C1 26 03 0E 03 00 2B }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule Shrinkerv32 {
meta: author="malware-lu"
strings:
$a0 = { 83 3D ?????????? 55 8B EC 56 57 75 65 68 00 01 ???? E8 ?? E6 FF FF 83 C4 04 8B 75 08 A3 ???????? 85 F6 74 1D 68 FF }
condition:
$a0 at pe.entry_point
}
rule Shrinkerv33 {
meta: author="malware-lu"
strings:
$a0 = { 83 3D ?????? 0000 55 8B EC 56 57 75 65 68 00 01 0000 E8 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01JDPack1xJDProtect09Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 22 000000 5D 8B D5 81 ED 90909090 2B 95 90909090 81 EA 06 909090 89 95 90909090 83 BD 45 00 01 00 01 E9 }
condition:
$a0 at pe.entry_point
}
rule Upack024027beta028alphaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 88 01 40 00 AD 8B F8 95 AD 91 F3 A5 AD B5 ?? F3 AB AD 50 97 51 58 8D 54 85 5C FF 16 72 57 2C 03 73 02 B0 00 3C 07 72 02 2C 03 50 0F B6 5F FF C1 E3 ?? B3 00 8D 1C 5B 8D 9C 9D 0C 10 0000 B0 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01LocklessIntroPackAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 2C E8 EB 1A 9090 5D 8B C5 81 ED F6 73 9090 2B 85 90909090 83 E8 06 89 85 FF 01 EC AD E9 }
condition:
$a0 at pe.entry_point
}
rule Armadillov250b3 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 B8 ?????? 68 F8 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 20 ?????? 33 D2 8A D4 89 15 D0 }
condition:
$a0 at pe.entry_point
}
rule PEBundlev02v20x {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ???? 40 ?? 87 DD 6A 04 68 ?? 10 ???? 68 ?? 02 ???? 6A ?? FF 95 }
condition:
$a0 at pe.entry_point
}
rule SoftProtectwwwsoftprotectbyru {
meta: author="malware-lu"
strings:
$a0 = { E8 ???????? 8D ?????????? C7 0000000000 E8 ???????? E8 ???????? 8D ?????????? 50 E8 ???????? 83 ?????????? 01 }
condition:
$a0 at pe.entry_point
}
rule NTPackerV2XErazerZ {
meta: author="malware-lu"
strings:
$a0 = { 4B 57 69 6E 64 6F 77 73 00 10 55 54 79 70 65 73 0000 3F 75 6E 74 4D 61 69 6E 46 75 6E 63 74 69 6F 6E 73 0000 47 75 6E 74 42 79 70 61 73 73 0000 B7 61 50 4C 69 62 75 000000 }
condition:
$a0
}
rule SiliconRealmsInstallStub {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ?? 92 40 00 68 ???? 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF 15 ???? 40 00 33 D2 8A D4 89 15 ???? 40 00 8B C8 81 E1 FF 000000 89 0D ???? 40 00 C1 E1 08 03 CA 89 0D ???? 40 00 C1 E8 10 A3 }
condition:
$a0
}
rule Armadillov430v440SiliconRealmsToolworks {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 40 ???? 00 68 80 ???? 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF 15 88 ???? 00 33 D2 8A D4 89 15 30 ???? 00 8B C8 81 E1 FF 000000 89 0D 2C ???? 00 C1 E1 08 03 CA 89 0D 28 ???? 00 C1 E8 10 A3 24 }
$a1 = { 60 E8 00000000 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule MoleBoxv20 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???????? 60 E8 4F }
condition:
$a0
}
rule FucknJoyv10cUsAr {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 0000 0B C0 0F 84 2C 01 0000 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 0000 0B C0 0F 84 0C 01 0000 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 00 }
$a1 = { 60 E8 00000000 5D 81 ED D8 05 40 00 FF 74 24 20 E8 8C 02 0000 0B C0 0F 84 2C 01 0000 89 85 6C 08 40 00 8D 85 2F 08 40 00 50 FF B5 6C 08 40 00 E8 EF 02 0000 0B C0 0F 84 0C 01 0000 89 85 3B 08 40 00 8D 85 3F 08 40 00 50 FF B5 6C 08 40 00 E8 CF 02 0000 0B C0 0F 84 EC 000000 89 85 4D 08 40 00 8D 85 51 08 40 00 50 FF B5 6C 08 40 00 E8 AF 02 0000 0B C0 0F 84 CC 000000 89 85 5C 08 40 00 8D 85 67 07 40 00 E8 7B 02 0000 8D B5 C4 07 40 00 56 6A 64 FF 95 74 07 40 00 46 80 3E 00 75 FA C7 06 74 6D 70 2E 83 C6 04 C7 06 65 78 65 00 8D 85 36 07 40 00 E8 4C 02 0000 33 DB 53 53 6A 02 53 53 68 000000 40 8D 85 C4 07 40 00 50 FF 95 74 07 40 00 89 85 78 07 40 00 8D 85 51 07 40 00 E8 21 02 0000 6A 00 8D 85 7C 07 40 00 50 68 00 ???? 00 8D 85 F2 09 40 00 50 FF }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PseudoSigner02VideoLanClientAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 08 9090909090909090909090909090 01 FF FF 01 01 01 00 01 9090909090909090909090909090 00 01 00 01 00 01 9090 00 01 }
condition:
$a0 at pe.entry_point
}
rule SoftWrap {
meta: author="malware-lu"
strings:
$a0 = { 52 53 51 56 57 55 E8 ???????? 5D 81 ED 36 ?????? E8 ?? 01 ???? 60 BA ???????? E8 ???????? 5F }
condition:
$a0 at pe.entry_point
}
rule AI1Creator1Beta2byMZ {
meta: author="malware-lu"
strings:
$a0 = { E8 FE FD FF FF 6A 00 E8 0D 000000 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
condition:
$a0
}
rule JAMv211 {
meta: author="malware-lu"
strings:
$a0 = { 50 06 16 07 BE ???? 8B FE B9 ???? FD FA F3 2E A5 FB 06 BD ???? 55 CB }
condition:
$a0 at pe.entry_point
}
rule PECompactv0978 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 24 88 40 ?? 87 DD 8B 85 A9 88 }
condition:
$a0 at pe.entry_point
}
rule Setup2GoInstallerStub {
meta: author="malware-lu"
strings:
$a0 = { 5B 53 45 54 55 50 5F 49 4E 46 4F 5D 0D 0A 56 65 72 }
condition:
$a0
}
rule themida1005httpwwworeanscom {
meta: author="malware-lu"
strings:
$a0 = { B8 00000000 60 0B C0 74 58 E8 00000000 58 05 43 000000 80 38 E9 75 03 61 EB 35 E8 00000000 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }
condition:
$a0 at pe.entry_point
}
rule yodasProtectorv1033exescrcomAshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { E8 03 000000 EB 01 ?? BB 55 000000 E8 03 000000 EB 01 ?? E8 8E 000000 E8 03 000000 EB 01 ?? E8 81 000000 E8 03 000000 EB 01 ?? E8 B7 000000 E8 03 000000 EB 01 ?? E8 AA 000000 E8 03 000000 EB 01 ?? 83 FB 55 E8 03 000000 EB 01 ?? 75 }
condition:
$a0 at pe.entry_point
}
rule ORiENv211DEMO {
meta: author="malware-lu"
strings:
$a0 = { E9 5D 01 0000 CE D1 CE CE 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F }
condition:
$a0 at pe.entry_point
}
rule PECompactv0977 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB A0 86 40 ?? 87 DD 8B 85 2A 87 }
condition:
$a0 at pe.entry_point
}
rule PESpinv13betaCyberbob {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 0000 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
condition:
$a0 at pe.entry_point
}
rule RCryptorv13bVaska {
meta: author="malware-lu"
strings:
$a0 = { 61 83 EF 4F 60 68 ???????? FF D7 }
$a1 = { 61 83 EF 4F 60 68 ???????? FF D7 B8 ???????? 3D ???????? 74 06 80 30 ?? 40 EB F3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule mkfpackllydd {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5B 81 EB 05 000000 8B 93 9F 08 0000 53 6A 40 68 00 10 0000 52 6A 00 FF 93 32 08 0000 5B 8B F0 8B BB 9B 08 0000 03 FB 56 57 E8 86 08 0000 83 C4 08 8D 93 BB 08 0000 52 53 FF E6 }
condition:
$a0
}
rule PESpinV03cyberbob {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 0000 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 000000 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 000000 B9 75 0A 0000 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 0000 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 000000 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 000000 68 E8 1A 000000 8D 34 28 B9 08 000000 B8 ???????? 2B C9 83 C9 15 0F A3 C8 0F 83 81 000000 8D B4 0D DC 2C 40 00 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02BorlandDelphiSetupModuleAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 90 53 56 57 33 C0 89 45 F0 89 45 D4 89 45 D0 E8 00000000 }
condition:
$a0 at pe.entry_point
}
rule PELOCKnt204 {
meta: author="malware-lu"
strings:
$a0 = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 }
condition:
$a0 at pe.entry_point
}
rule MacromediaWindowsFlashProjectorPlayerv60 {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
condition:
$a0 at pe.entry_point
}
rule IMPostorPack10MahdiHezavehi {
meta: author="malware-lu"
strings:
$a0 = { BE ?????? 00 83 C6 01 FF E6 00000000 ???? 000000000000000000 ?????? 00 ?? 02 ???? 00 10 000000 02 00 }
condition:
$a0 at pe.entry_point
}
rule PluginToExev102BoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A 40 FF 95 15 42 40 00 89 85 D5 40 40 00 89 C7 68 00 08 0000 6A 40 FF 95 15 42 40 00 89 47 1C C7 07 58 00 }
condition:
$a0 at pe.entry_point
}
rule PKLITEv120 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? BA ???? 05 ???? 3B 06 ???? 72 ?? B4 09 BA ???? CD 21 B4 4C CD 21 }
condition:
$a0 at pe.entry_point
}
rule PrivateexeProtectorV18SetiSoftTeam {
meta: author="malware-lu"
strings:
$a0 = { 0000000000000000000000000000000000000000 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ???????? 000000000000 45 78 69 74 50 72 6F 63 65 73 73 }
condition:
$a0
}
rule PENinjamodified {
meta: author="malware-lu"
strings:
$a0 = { 5D 8B C5 81 ED B2 2C 40 00 2B 85 94 3E 40 00 2D 71 02 0000 89 85 98 3E 40 00 0F B6 B5 9C 3E 40 00 8B FD }
condition:
$a0 at pe.entry_point
}
rule DotFixNiceProtect21GPcHSoft {
meta: author="malware-lu"
strings:
$a0 = { E9 FF 000000 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 000000 73 F6 33 C9 E8 64 000000 73 1C 33 C0 E8 5B 000000 73 23 B3 02 41 B0 10 E8 4F 000000 12 C0 73 F7 75 3F AA EB D4 E8 4D 000000 2B CB 75 10 E8 42 000000 EB 28 AC D1 E8 74 4D 13 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 000000 3D 00 7D 0000 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 8E 02 D2 75 05 8A 16 46 12 D2 C3 33 C9 41 E8 EE FF FF FF 13 C9 E8 E7 FF FF FF 72 F2 C3 2B 7C 24 28 89 7C 24 1C 61 C3 60 B8 ???????? 03 C5 50 B8 ???????? 03 C5 FF 10 BB ???????? 03 DD 83 C3 0C 53 50 B8 ???????? 03 C5 FF 10 6A 40 68 00 10 0000 FF 74 24 2C 6A 00 FF D0 89 44 24 1C 61 C3 }
condition:
$a0
}
rule EXEStealthv276WebToolMaster {
meta: author="malware-lu"
strings:
$a0 = { EB 65 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 59 4F 55 52 20 41 44 20 48 45 52 45 21 50 69 52 41 43 59 20 69 53 20 41 }
condition:
$a0 at pe.entry_point
}
rule EXECryptor239DLLcompressedresources {
meta: author="malware-lu"
strings:
$a0 = { 50 68 ???????? 58 C1 C0 0F E9 ?????? 00 87 04 24 58 89 45 FC E9 ?????? FF FF 05 ???????? E9 ?????? 00 C1 C3 18 E9 ???????? 8B 55 08 09 42 F8 E9 ?????? FF 83 7D F0 01 0F 85 ???????? E9 ?????? 00 87 34 24 5E 8B 45 FC 33 D2 56 8B F2 E9 ?????? 00 BA ???????? E8 ?????? 00 A3 ???????? C3 E9 ?????? 00 C3 83 C4 04 C3 E9 ?????? FF 64 FF 35 00000000 64 89 25 00000000 E8 ?????? 00 E9 ?????? FF C1 C2 03 81 CA ???????? 81 C2 ???????? 03 C2 5A E9 ?????? FF 81 E7 ???????? 81 EF ???????? 81 C7 ???????? 89 07 E9 ???????? 0F 89 ???????? 87 14 24 5A 50 C1 C8 10 }
condition:
$a0 at pe.entry_point
}
rule UnoPiX103110BaGiE {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 04 C7 04 24 00 ?????? C3 00 ???? 000000000000000000000000 ???? 00 10 000000 02 0000 01 00000000000000 04 0000000000000000 ???? 0000 10 000000000000 02 0000 ?? 0000 ?? 0000 ???? 000000 10 0000 10 000000000000 10 }
condition:
$a0 at pe.entry_point
}
rule PECompactv110b3 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 9090 BB 95 }
condition:
$a0 at pe.entry_point
}
rule IonicWindSoftware {
meta: author="malware-lu"
strings:
$a0 = { 9B DB E3 9B DB E2 D9 2D 00 ???? 00 55 89 E5 E8 }
condition:
$a0 at pe.entry_point
}
rule SimplePackV11XMethod2bagie {
meta: author="malware-lu"
strings:
$a0 = { 4D 5A 90 EB 01 00 52 E9 89 01 0000 50 45 0000 4C 01 02 00 }
$a1 = { 4D 5A 90 EB 01 00 52 E9 89 01 0000 50 45 0000 4C 01 02 00000000000000000000000000 E0 00 0F 03 0B 01 00000000000000000000000000000000000000000000 0C 00000000 ?????? 00 10 000000 02 0000 01 00000000000000 04 00000000000000 }
condition:
$a0 or $a1
}
rule PCGuardv500d {
meta: author="malware-lu"
strings:
$a0 = { FC 55 50 E8 00000000 5D 60 E8 03 000000 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 B8 30 D2 40 00 EB 01 E3 60 E8 03 000000 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 2B E8 9C EB 01 D5 9D EB 01 0B 58 60 E8 03 000000 83 EB 0E EB 01 0C }
condition:
$a0 at pe.entry_point
}
rule PESHiELDv0251 {
meta: author="malware-lu"
strings:
$a0 = { 5D 83 ED 06 EB 02 EA 04 8D }
condition:
$a0 at pe.entry_point
}
rule RLPackFullEdition117DLLaPLibAp0x {
meta: author="malware-lu"
strings:
$a0 = { 80 7C 24 08 01 0F 85 ???????? 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 53 03 0000 8D 9D 02 02 0000 33 FF E8 ???????? EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 }
condition:
$a0 at pe.entry_point
}
rule PECompactv110b4 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 60 40 ?? 87 DD 8B 85 95 60 40 ?? 01 85 03 60 40 ?? 66 C7 85 ?? 60 40 ?? 9090 BB 44 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02PEX099Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 01 000000 55 83 C4 04 E8 01 000000 90 5D 81 FF FF FF 00 01 }
condition:
$a0 at pe.entry_point
}
rule ThinstallVirtualizationSuite30XThinstallCompany {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 68 ???????? 68 ???????? E8 00000000 58 BB ???????? 2B C3 50 68 ???????? 68 ???????? 68 ???????? E8 BA FE FF FF E9 ???????? CCCCCCCCCCCCCC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 000000 33 DB BA }
$a1 = { 9C 60 68 ???????? 68 ???????? E8 00000000 58 BB ???????? 2B C3 50 68 ???????? 68 ???????? 68 ???????? E8 BA FE FF FF E9 ???????? CCCCCCCCCCCCCC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 000000 33 DB BA ???????? 43 33 C0 E8 19 01 0000 73 0E 8B 4D F8 E8 27 01 0000 02 45 F7 AA EB E9 E8 04 01 0000 0F 82 96 000000 E8 F9 000000 73 5B B9 04 000000 E8 05 01 0000 48 74 DE 0F 89 ???????? E8 DF 000000 73 1B 55 BD ???????? E8 DF 000000 88 07 47 4D 75 F5 E8 C7 000000 72 E9 5D EB }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule NullsoftInstallSystemv20 {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 0C 53 55 56 57 C7 44 24 10 70 92 40 00 33 DB C6 44 24 14 20 FF 15 2C 70 40 00 53 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 0000 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 2D 90 70 40 00 85 C0 75 21 68 FB 03 0000 56 FF 15 5C 71 40 00 }
condition:
$a0
}
rule SLVc0deProtectorv11SLV {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 58 C6 00 EB C6 40 01 08 FF E0 E9 4C }
$a1 = { E8 01 000000 A0 5D EB 01 69 81 ED 5F 1A 40 00 8D 85 92 1A 40 00 F3 8D 95 83 1A 40 00 8B C0 8B D2 2B C2 83 E8 05 89 42 01 E8 FB FF FF FF 69 83 C4 08 E8 06 000000 69 E8 F2 FF FF FF F3 B9 05 000000 51 8D B5 BF 1A 40 00 8B FE B9 58 15 0000 AC 32 C1 F6 }
condition:
$a0 at pe.entry_point or $a1
}
rule FreeJoinerSmallbuild031032GlOFF {
meta: author="malware-lu"
strings:
$a0 = { 50 32 ?? 66 8B C3 58 E8 ?? FD FF FF 6A 00 E8 0D 000000 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
condition:
$a0 at pe.entry_point
}
rule SLVc0deProtectorv06SLV {
meta: author="malware-lu"
strings:
$a0 = { E8 49 000000 69 E8 49 000000 95 E8 4F 000000 68 E8 1F 000000 49 E8 E9 FF FF FF 67 E8 1F 000000 93 E8 31 000000 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 000000 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00000000 5D 81 ED 97 11 40 00 8D B5 EF 11 40 00 B9 FE 2D 0000 8B FE AC F8 ???????????? 90 }
condition:
$a0 at pe.entry_point
}
rule PEArmor04600759hying {
meta: author="malware-lu"
strings:
$a0 = { 0000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????? 00000000 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 }
condition:
$a0
}
rule RpolycryptbyVaska2003071841 {
meta: author="malware-lu"
strings:
$a0 = { 58 ?????????????? E8 000000 58 E8 00 ?????????????????????????????????????????????????????????????????????????????????????????? 000000 ???? 04 }
condition:
$a0
}
rule DBPEvxxxDingBoy {
meta: author="malware-lu"
strings:
$a0 = { EB 20 ???? 40 ?????????????????????????????????????????????????????????? 9C 55 57 56 52 51 53 9C E8 ???????? 5D 81 ED }
condition:
$a0 at pe.entry_point
}
rule SoftwareCompressBGSoftware {
meta: author="malware-lu"
strings:
$a0 = { E9 BE 000000 60 8B 74 24 24 8B 7C 24 28 FC B2 80 33 DB A4 B3 02 E8 6D 000000 73 F6 33 C9 E8 64 000000 73 1C 33 C0 E8 5B 000000 73 23 B3 02 41 B0 10 E8 4F 000000 12 C0 73 F7 75 3F AA EB D4 E8 4D 000000 2B CB 75 10 E8 42 000000 EB 28 AC D1 E8 }
condition:
$a0 at pe.entry_point
}
rule WWPACKv305c4UnextrPasswcheckVirshield {
meta: author="malware-lu"
strings:
$a0 = { 03 05 C0 1B B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 B9 ???? 51 06 06 B1 ?? 51 8C D3 }
condition:
$a0 at pe.entry_point
}
rule Upackv0399Dwing {
meta: author="malware-lu"
strings:
$a0 = { 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 18 10 0000 10 00000000 ???? 000000 40 0000 10 000000 02 0000 04 0000000000 3A 00 04 0000000000000000 ???? 0000 02 000000000000 ?? 0000000000 10 0000 ?? 00000000 10 0000 10 000000000000 0A 0000000000000000000000 EE ???? 00 14 00000000 ???? 00 ???? 0000 FF 76 38 AD 50 8B 3E BE F0 ???? 00 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 0000 ?????? 00 ?? 000000 40 AB 40 B1 04 F3 AB C1 E0 0A B5 }
$a1 = { BE B0 11 ???? AD 50 FF 76 34 EB 7C 48 01 ???? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 18 10 0000 10 00000000 ?????? 0000 ???? 00 10 000000 02 0000 04 0000000000 3A 00 04 0000000000000000 ?????? 00 02 000000000000 }
$a2 = { BE B0 11 ???? AD 50 FF 76 34 EB 7C 48 01 ???? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 18 10 0000 10 00000000 ?????? 0000 ???? 00 10 000000 02 0000 04 0000000000 3A 00 04 0000000000000000 ?????? 00 02 000000000000 ?? 0000 ?? 0000 10 0000 ???? 000000 10 0000 10 000000000000 0A 0000000000000000000000 EE ?????? 14 00000000 ?????????? 0000 FF 76 38 AD 50 8B 3E BE F0 ?????? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 0000 ?????????? 000000 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ???????? 56 10 E2 E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 99 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
}
rule UPXModifiedstub {
meta: author="malware-lu"
strings:
$a0 = { 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 84 ?? 0000 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 88 ?? 0000 61 E9 ?????? FF }
condition:
$a0 at pe.entry_point
}
rule Cryptic20Tughack {
meta: author="malware-lu"
strings:
$a0 = { B8 0000 40 00 BB ?????? 00 B9 00 10 0000 BA ?????? 00 03 D8 03 C8 03 D1 3B CA 74 06 80 31 ?? 41 EB F6 FF E3 }
condition:
$a0 at pe.entry_point
}
rule KGBSFX {
meta: author="malware-lu"
strings:
$a0 = { 60 BE 00 A0 46 00 8D BE 00 70 F9 FF 57 83 CD FF EB 10 909090909090 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 }
condition:
$a0 at pe.entry_point
}
rule PECompactv20betaJeremyCollake {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 05 ???????? 50 64 FF 35 00000000 64 89 25 00000000 CC 90909090 }
condition:
$a0 at pe.entry_point
}
rule DevCv4 {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 08 83 C4 F4 6A ?? A1 ?????? 00 FF D0 E8 ?? FF FF FF }
condition:
$a0
}
rule DevCv5 {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 14 6A ?? FF 15 ?????? 00 ???????????????????????????? 00000000 }
condition:
$a0
}
rule CRYPToCRACksPEProtectorV092LukasFleischer {
meta: author="malware-lu"
strings:
$a0 = { E8 01 000000 E8 58 5B 81 E3 00 FF FF FF 66 81 3B 4D 5A 75 37 84 DB 75 33 8B F3 03 ???? 81 3E 50 45 0000 75 26 }
condition:
$a0 at pe.entry_point
}
rule UpackV037Dwing {
meta: author="malware-lu"
strings:
$a0 = { 0B 01 ???????????????????????????? 18 10 0000 10 000000 ???????????????? 00 10 000000 02 0000 ???????????????????????? 00000000 ???????????????????????????????????????????????????????????????? 00000000 0A 0000000000000000000000 ???????? 14 000000 ???????????????????????????????????????????????????????????????????????????????? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 0000 }
$a1 = { 60 E8 09 000000 ?????????????????? 33 C9 5E 87 0E }
$a2 = { BE ???????? AD 50 FF ???? EB }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
}
rule Obsidiumv13037ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 26 000000 EB 03 ?????? EB 01 ?? 8B 54 24 0C EB 04 ???????? 83 82 B8 000000 26 EB 01 ?? 33 C0 EB 02 ???? C3 EB 01 ?? EB 04 ???????? 64 67 FF 36 0000 EB 01 ?? 64 67 89 26 0000 EB 01 ?? EB 03 ?????? 50 EB 03 ?????? 33 C0 EB 03 ?????? 8B 00 EB 04 ???????? C3 EB 03 ?????? E9 FA 000000 EB 03 ?????? E8 D5 FF FF FF EB 04 ???????? EB 01 ?? 58 EB 02 ???? EB 03 ?????? 64 67 8F 06 0000 EB 01 ?? 83 C4 04 EB 03 ?????? E8 23 27 }
condition:
$a0 at pe.entry_point
}
rule VxCompiler {
meta: author="malware-lu"
strings:
$a0 = { 8C C3 83 C3 10 2E 01 1E ?? 02 2E 03 1E ?? 02 53 1E }
condition:
$a0 at pe.entry_point
}
rule BJFntv13 {
meta: author="malware-lu"
strings:
$a0 = { EB ?? 3A ???? 1E EB ?? CD 20 9C EB ?? CD 20 EB ?? CD 20 60 EB }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakePEtite21emadicius {
meta: author="malware-lu"
strings:
$a0 = { B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00000000 64 89 25 00000000 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00000000 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule UPXShitv01500mhz {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ???? 00 ?????? 00 ?????? 01 ?????? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }
$a1 = { E8 00000000 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ???? 00 ?????? 00 ?????????????? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }
$a2 = { E8 ???????? 5E 83 C6 ?? AD 89 C7 AD 89 C1 AD 30 07 47 E2 ?? AD FF E0 C3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
}
rule PackmanV0001Bubbasoft {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 58 8D ?????????? 8D ?????????? 8D ?????????? 8D ???? 48 }
condition:
$a0 at pe.entry_point
}
rule DJoinv07publicxorencryptiondrmist {
meta: author="malware-lu"
strings:
$a0 = { C6 05 ???? 40 0000 ???????????????? 00 ???????? 00 ?????????? 00 }
condition:
$a0 at pe.entry_point
}
rule FreeJoinerSmallbuild033GlOFF {
meta: author="malware-lu"
strings:
$a0 = { 50 66 33 C3 66 8B C1 58 E8 AC FD FF FF 6A 00 E8 0D 000000 CC FF 25 78 10 40 00 FF 25 7C 10 40 00 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 AC 10 40 00 }
condition:
$a0 at pe.entry_point
}
rule AnticrackSoftwareProtectorv109ACProtect {
meta: author="malware-lu"
strings:
$a0 = { 60 ???????????????? 0000 ???????????????????????? E8 01 000000 ?? 83 04 24 06 C3 ?????????? 00 }
condition:
$a0 at pe.entry_point
}
rule UnderGroundCrypterbyBooster2000 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 B8 74 3C 00 11 E8 94 F9 FF FF E8 BF FE FF FF E8 0A F3 FF FF 8B C0 }
condition:
$a0
}
rule MicroJoiner16coban2k {
meta: author="malware-lu"
strings:
$a0 = { 33 C0 64 8B 38 48 8B C8 F2 AF AF 8B 1F 66 33 DB 66 81 3B }
condition:
$a0 at pe.entry_point
}
rule WiseInstallerStubv11010291 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 40 0F 0000 53 56 57 6A 04 FF 15 F4 30 40 00 FF 15 74 30 40 00 8A 08 89 45 E8 80 F9 22 75 48 8A 48 01 40 89 45 E8 33 F6 84 C9 74 0E 80 F9 22 74 09 8A 48 01 40 89 45 E8 EB EE 80 38 22 75 04 40 89 45 E8 80 38 20 75 09 40 80 38 20 74 FA 89 45 }
condition:
$a0 at pe.entry_point
}
rule PrivateEXEProtector18 {
meta: author="malware-lu"
strings:
$a0 = { BB DC EE 0D 76 D9 D0 8D 16 85 D8 90 D9 D0 }
condition:
$a0
}
rule SimpleUPXCryptorv3042005multilayerencryptionMANtiCORE {
meta: author="malware-lu"
strings:
$a0 = { 60 B8 ?????? 00 B9 18 000000 80 34 08 ?? E2 FA 61 68 ?????? 00 C3 }
$a1 = { 60 B8 ???????? B9 18 000000 80 34 08 ?? E2 FA 61 68 ???????? C3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule Themida1201compressedOreansTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 0000 ???? 60 0B C0 74 58 E8 00000000 58 05 43 000000 80 38 E9 75 03 61 EB 35 E8 00000000 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 0000 83 C3 67 39 1A 74 07 2D 00 10 0000 EB DA 8B F8 B8 }
condition:
$a0 at pe.entry_point
}
rule PECompactv155 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A2 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 80 40 ?? 9090 01 85 9E 80 40 ?? BB 2D 12 }
condition:
$a0 at pe.entry_point
}
rule PolyCryptPE214b215JLabSoftwareCreationshsigned {
meta: author="malware-lu"
strings:
$a0 = { 50 6F 6C 79 43 72 79 70 74 20 50 45 20 28 63 29 20 32 30 30 34 2D 32 30 30 35 2C 20 4A 4C 61 62 53 6F 66 74 77 61 72 65 2E 00 50 00 43 00 50 00 45 }
condition:
$a0
}
rule PECompactv156 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 90 40 ?? 87 DD 8B 85 A2 90 40 ?? 01 85 03 90 40 ?? 66 C7 85 ?? 90 40 ?? 9090 01 85 9E 90 40 ?? BB 2D 12 }
condition:
$a0 at pe.entry_point
}
rule PGMPACKv013 {
meta: author="malware-lu"
strings:
$a0 = { FA 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ???? BF ???? E8 ???? E8 ???? BB ???? BA ???? 8A C3 8B F3 }
condition:
$a0 at pe.entry_point
}
rule PGMPACKv014 {
meta: author="malware-lu"
strings:
$a0 = { 1E 17 50 B4 30 CD 21 3C 02 73 ?? B4 4C CD 21 FC BE ???? BF ???? E8 ???? E8 ???? BB ???? BA ???? 8A C3 8B F3 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner0232Lite003Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 06 FC 1E 07 BE 90909090 6A 04 68 90 10 9090 68 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakePEtite22FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 B8 00000000 68 00000000 64 FF 35 00000000 64 89 25 00000000 66 9C 60 50 }
condition:
$a0 at pe.entry_point
}
rule MEW10byNorthfox {
meta: author="malware-lu"
strings:
$a0 = { 33 C0 E9 ???? FF FF ?? 1C ???? 40 }
condition:
$a0
}
rule theWRAPbyTronDoc {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 53 56 57 33 C0 89 45 F0 B8 48 D2 4B 00 E8 BC 87 F4 FF BB 04 0B 4D 00 33 C0 55 68 E8 D5 4B 00 64 FF 30 64 89 20 E8 9C F4 FF FF E8 F7 FB FF FF 6A 40 8D 55 F0 A1 F0 ED 4B 00 8B 00 E8 42 2E F7 FF 8B 4D F0 B2 01 A1 F4 C2 40 00 E8 F7 20 F5 FF 8B F0 B2 01 A1 B4 C3 40 00 E8 F1 5B F4 FF 89 03 33 D2 8B 03 E8 42 1E F5 FF 66 B9 02 00 BA FC FF FF FF 8B C6 8B 38 FF 57 0C BA B8 A7 4D 00 B9 04 000000 8B C6 8B 38 FF 57 04 83 3D B8 A7 4D 0000 0F 84 5E 01 0000 8B 15 B8 A7 4D 00 83 C2 04 F7 DA 66 B9 02 00 8B C6 8B 38 FF 57 0C 8B 0D B8 A7 4D 00 8B D6 8B 03 E8 2B 1F F5 FF 8B C6 E8 B4 5B F4 FF 33 D2 8B 03 E8 DF 1D F5 FF BA F0 44 4E 00 B9 01 000000 8B 03 8B 30 FF 56 04 80 3D F0 44 4E 00 0A 75 3F BA B8 A7 4D 00 B9 04 000000 8B 03 8B 30 FF 56 04 8B 15 B8 A7 }
condition:
$a0 at pe.entry_point
}
rule Petitev211 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 68 ???????? 64 ???????????? 64 ???????????? 66 9C 60 50 }
condition:
$a0 at pe.entry_point
}
rule Petitev212 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 6A 00 68 ???????? 64 ???????????? 64 ???????????? 66 9C 60 50 }
condition:
$a0 at pe.entry_point
}
rule MaskPEV20yzkzero {
meta: author="malware-lu"
strings:
$a0 = { B8 18 000000 64 8B 18 83 C3 30 C3 40 3E 0F B6 00 C1 E0 ?? 83 C0 ?? 36 01 04 24 C3 }
condition:
$a0
}
rule PseudoSigner01Morphine12Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090909090909090909090909090 EB 06 00 9090909090909090 EB 08 E8 90 000000 66 9090909090909090909090909090909090909090909090909090909090 51 66 909090 59 909090909090909090909090909090 }
condition:
$a0 at pe.entry_point
}
rule EZIPv10 {
meta: author="malware-lu"
strings:
$a0 = { E9 19 32 0000 E9 7C 2A 0000 E9 19 24 0000 E9 FF 23 0000 E9 1E 2E 0000 E9 88 2E 0000 E9 2C }
condition:
$a0 at pe.entry_point
}
rule y0dasCrypterv12 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED F3 1D 40 00 B9 7B 09 0000 8D BD 3B 1E 40 00 8B F7 AC ???????????????????????????????????????????????????????????????????????????????????????????????? AA E2 CC }
condition:
$a0 at pe.entry_point
}
rule ChinaProtectdummy {
meta: author="malware-lu"
strings:
$a0 = { C3 E8 ???????? B9 ???????? E8 ???????? FF 30 C3 B9 ???????? E8 ???????? FF 30 C3 B9 ???????? E8 ???????? FF 30 C3 B9 ???????? E8 ???????? FF 30 C3 56 8B ?????? 6A 40 68 00 10 0000 8D ???? 50 6A 00 E8 ???????? 89 30 83 C0 04 5E C3 8B 44 ???? 56 8D ???? 68 00 40 0000 FF 36 56 E8 ???????? 68 00 80 0000 6A 00 56 E8 ???????? 5E C3 }
condition:
$a0
}
rule BopCryptv10 {
meta: author="malware-lu"
strings:
$a0 = { 60 BD ???????? E8 ???? 0000 }
condition:
$a0 at pe.entry_point
}
rule MinkeV101Codius {
meta: author="malware-lu"
strings:
$a0 = { 26 3D 4F 38 C2 82 37 B8 F3 24 42 03 17 9B 3A 83 01 0000 CC 00000000 06 000000 01 64 53 74 75 62 00 10 55 54 79 70 65 73 0000 C7 53 79 73 74 65 6D 0000 81 53 79 73 49 6E 69 74 00 0C 4B 57 69 6E 64 6F 77 73 0000 8A 75 46 75 6E 63 74 69 6F 6E 73 }
condition:
$a0
}
rule PseudoSigner02BorlandDelphiDLLAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 B4 B8 90909090 E8 00000000 E8 00000000 8D 40 00 }
condition:
$a0 at pe.entry_point
}
rule bambam004bedrock {
meta: author="malware-lu"
strings:
$a0 = { BF ???????? 83 C9 FF 33 C0 68 ???????? F2 AE F7 D1 49 51 68 ???????? E8 11 0A 0000 83 C4 0C 68 ???????? FF 15 ???????? 8B F0 BF ???????? 83 C9 FF 33 C0 F2 AE F7 D1 49 BF ???????? 8B D1 68 ???????? C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA BF ???????? 83 C9 FF 33 C0 F2 AE F7 D1 49 51 68 ???????? E8 C0 09 0000 }
condition:
$a0 at pe.entry_point
}
rule RLPackFullEdition117DLLLZMAAp0x {
meta: author="malware-lu"
strings:
$a0 = { 80 7C 24 08 01 0F 85 ???????? 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 5A 0A 0000 8D 9D 40 02 0000 33 FF E8 ???????? 6A 40 68 ???????? 68 ???????? 6A 00 FF 95 EB 09 0000 89 85 }
condition:
$a0 at pe.entry_point
}
rule PEtitev22 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 68 ???????? 64 FF 35 ???????? 64 89 25 ???????? 66 9C 60 50 }
condition:
$a0 at pe.entry_point
}
rule PEtitev20 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 66 9C 60 50 8B D8 03 ?? 68 54 BC ???? 6A ?? FF 50 18 8B CC 8D A0 54 BC ???? 8B C3 8D 90 E0 15 ???? 68 }
condition:
$a0 at pe.entry_point
}
rule PEtitev21 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 6A ?? 68 ???????? 64 FF 35 ???????? 64 89 25 ???????? 66 9C 60 50 }
condition:
$a0 at pe.entry_point
}
rule ElicenseSystemV4000ViaTechInc {
meta: author="malware-lu"
strings:
$a0 = { 00000000 63 79 62 00 65 6C 69 63 65 6E 34 30 2E 64 6C 6C 00000000 }
condition:
$a0
}
rule VProtectorV10Build20041213testvcasm {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 1A 89 40 00 68 56 89 40 00 64 A1 00000000 50 64 89 25 00000000 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 }
condition:
$a0 at pe.entry_point
}
rule Themida18xxOreansTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 60 0B C0 74 68 E8 00000000 58 05 53 000000 80 38 E9 75 13 61 EB 45 DB 2D 37 ?????? FF FF FF FF FF FF FF FF 3D 40 E8 00000000 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 0000 83 C3 67 }
$a1 = { B8 ???????? 60 0B C0 74 68 E8 00000000 58 05 53 000000 80 38 E9 75 13 61 EB 45 DB 2D 37 ?????? FF FF FF FF FF FF FF FF 3D 40 E8 00000000 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 0000 83 C3 67 39 1A 74 07 2D 00 10 0000 EB DA 8B F8 B8 ???????? 03 C7 B9 ???????? 03 CF EB 0A B8 ???????? B9 ???????? 50 51 E8 84 000000 E8 00000000 58 2D 26 000000 B9 EF 01 0000 C6 00 E9 83 E9 05 89 48 01 61 E9 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule EXEJoinerv10 {
meta: author="malware-lu"
strings:
$a0 = { 68 00 10 40 00 68 04 01 0000 E8 39 03 0000 05 00 10 40 C6 00 5C 68 ???????? 68 ???????? 6A 00 E8 }
condition:
$a0 at pe.entry_point
}
rule MicroJoiner11coban2k {
meta: author="malware-lu"
strings:
$a0 = { BE 0C 70 40 00 BB F8 11 40 00 33 ED 83 EE 04 39 2E 74 11 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01FSG10Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090 68 ???????? 67 64 FF 36 0000 67 64 89 26 0000 F1 90909090 BB D0 01 40 00 BF 00 10 40 00 BE 90909090 53 E8 0A 000000 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B E9 }
condition:
$a0 at pe.entry_point
}
rule Armadillov200b2200b3 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 00 F2 40 00 68 C4 A0 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule RAZOR1911encruptor {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? BF ???? 3B FC 72 ?? B4 4C CD 21 BE ???? B9 ???? FD F3 A5 FC }
condition:
$a0 at pe.entry_point
}
rule tElock051tE {
meta: author="malware-lu"
strings:
$a0 = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00000000 5E 83 C6 5E 8B FE 68 79 01 0000 59 EB 01 EB AC 54 E8 03 000000 5C EB 08 8D 64 24 04 FF 64 24 FC 6A 05 D0 2C 24 72 01 E8 01 24 24 5C F7 DC EB 02 CD 20 8D 64 24 FE F7 DC EB 02 CD 20 FE C8 E8 00000000 32 C1 EB 02 82 0D AA EB 03 82 0D 58 EB 02 1D 7A 49 EB 05 E8 01 000000 7F AE 14 7E A0 77 76 75 74 }
condition:
$a0 at pe.entry_point
}
rule SDProtectorBasicProEdition112RandyLi {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 1D 32 13 05 68 88 88 88 08 64 A1 00000000 50 64 89 25 00000000 58 64 A3 00000000 58 58 58 58 8B E8 E8 3B 000000 E8 01 000000 FF 58 05 53 000000 51 8B 4C 24 10 89 81 B8 000000 B8 55 01 0000 89 41 20 33 C0 89 41 04 89 41 08 89 41 0C 89 41 10 59 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 33 C0 64 FF 30 64 89 20 9C 80 4C 24 01 01 9D 9090 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 C3 64 8F 00 58 74 07 75 05 19 32 67 E8 E8 74 27 75 25 EB 00 EB FC 68 39 44 CD 00 59 9C 50 74 0F 75 0D E8 59 C2 04 00 55 8B EC E9 FA FF FF 0E E8 EF FF FF FF 56 57 53 78 03 79 01 E8 68 A2 AF 47 01 59 E8 01 000000 FF 58 05 7B 03 0000 03 C8 74 C4 75 C2 E8 0000000000000000000000000000000000000000000000000000000000000000000000000000000000 E2 }
condition:
$a0 at pe.entry_point
}
rule VxFaxFreeTopo {
meta: author="malware-lu"
strings:
$a0 = { FA 06 33 C0 8E C0 B8 ???? 26 ???????? 50 8C C8 26 ???????? 50 CC 58 9D 58 26 ???????? 58 26 ???????? 07 FB }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02MEW11SE10Anorganix {
meta: author="malware-lu"
strings:
$a0 = { E9 09 000000000000 02 000000 0C 90 }
condition:
$a0 at pe.entry_point
}
rule Joinersignfrompinch250320072010 {
meta: author="malware-lu"
strings:
$a0 = { 81 EC 04 01 0000 8B F4 68 04 01 0000 56 6A 00 E8 7C 01 0000 33 C0 6A 00 68 80 000000 6A 03 6A 00 6A 00 68 000000 80 56 E8 50 01 0000 8B D8 6A 00 6A 00 6A 00 6A 02 6A 00 53 E8 44 01 }
condition:
$a0 at pe.entry_point
}
rule VxSK {
meta: author="malware-lu"
strings:
$a0 = { CD 20 B8 03 00 CD 10 51 E8 0000 5E 83 EE 09 }
condition:
$a0 at pe.entry_point
}
rule PEStubOEPv1x {
meta: author="malware-lu"
strings:
$a0 = { 40 48 BE 00 ???? 00 40 48 60 33 C0 B8 ?????? 00 FF E0 C3 C3 }
condition:
$a0
}
rule MoleBoxV23XMoleStudiocom {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 60 E8 4F 000000 }
condition:
$a0 at pe.entry_point
}
rule VxHymn1865 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E 83 EE 4C FC 2E ???????? 4D 5A ???? FA 8B E6 81 ?????? FB 3B ?????????? 2E ?????????? 50 06 56 1E 0E 1F B8 00 C5 CD 21 }
condition:
$a0 at pe.entry_point
}
rule kkrunchyRyd {
meta: author="malware-lu"
strings:
$a0 = { BD 08 ???? 00 C7 45 00 ?????? 00 FF 4D 08 C6 45 0C 05 8D 7D 14 31 C0 B4 04 89 C1 F3 AB BF ?????? 00 57 BE ?????? 00 31 C9 41 FF 4D 0C 8D 9C 8D A0 000000 FF D6 10 C9 73 F3 FF 45 0C 91 AA 83 C9 FF 8D 5C 8D 18 FF D6 74 DD E3 17 8D 5D 1C FF D6 74 10 }
condition:
$a0 at pe.entry_point
}
rule PECryptv100v101 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???????? 5B 83 EB 05 EB 04 52 4E 44 21 EB 02 CD 20 EB }
condition:
$a0 at pe.entry_point
}
rule CERBERUSv20 {
meta: author="malware-lu"
strings:
$a0 = { 9C 2B ED 8C ???? 8C ???? FA E4 ?? 88 ???? 16 07 BF ???? 8E DD 9B F5 B9 ???? FC F3 A5 }
condition:
$a0 at pe.entry_point
}
rule EXECryptor2117StrongbitSoftCompleteDevelopment {
meta: author="malware-lu"
strings:
$a0 = { BE ???????? B8 0000 ???? 89 45 FC 89 C2 8B 46 0C 09 C0 0F 84 ?? 000000 01 D0 89 C3 50 FF 15 94 ?????? 09 C0 0F 85 0F 000000 53 FF 15 98 ?????? 09 C0 0F 84 ?? 000000 89 45 F8 6A 00 8F 45 F4 8B 06 09 C0 8B 55 FC 0F 85 03 000000 8B 46 10 01 }
condition:
$a0
}
rule WWPACKv303 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 B9 ???? 51 06 06 BB ???? 53 }
condition:
$a0 at pe.entry_point
}
rule GHFProtectorpackonlyGPcH {
meta: author="malware-lu"
strings:
$a0 = { 60 68 ???????? B8 ???????? FF 10 68 ???????? 50 B8 ???????? FF 10 68 00000000 6A 40 FF D0 89 05 ???????? 89 C7 BE ???????? 60 FC B2 80 31 DB A4 B3 02 E8 6D 000000 73 F6 31 C9 E8 64 000000 73 1C 31 C0 E8 5B 000000 73 23 B3 02 41 B0 10 E8 4F 000000 10 C0 73 F7 75 3F AA EB D4 E8 4D 000000 29 D9 75 10 E8 42 000000 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 000000 3D 00 7D 0000 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 61 B9 FC FF FF FF 8B 1C 08 89 99 ???????? E2 F5 9090 BA ???????? BE ???????? 01 D6 8B 46 0C 85 C0 0F 84 87 000000 01 D0 89 C3 50 B8 ???????? FF 10 85 C0 75 08 53 B8 ???????? FF 10 89 05 ???????? C7 05 ???????? 00000000 BA ???????? 8B 06 85 C0 75 03 8B 46 10 01 D0 03 05 ???????? 8B 18 8B 7E 10 01 D7 03 3D ???????? 85 DB 74 2B F7 C3 000000 80 75 04 01 D3 43 43 81 E3 FF FF FF 0F 53 FF 35 ???????? B8 ???????? FF 10 89 07 83 05 ???????? 04 EB AE 83 C6 14 BA ???????? E9 6E FF FF FF 68 ???????? B8 ???????? FF 10 68 ???????? 50 B8 ???????? FF 10 8B 15 ???????? 52 FF D0 61 BA ???????? FF E2 90 C3 }
$a1 = { 60 68 ???????? B8 ???????? FF 10 68 ???????? 50 B8 ???????? FF 10 68 00000000 6A 40 FF D0 89 05 ???????? 89 C7 BE ???????? 60 FC B2 80 31 DB A4 B3 02 E8 6D 000000 73 F6 31 C9 E8 64 000000 73 1C 31 C0 E8 5B 000000 73 23 B3 02 41 }
condition:
$a0 at pe.entry_point or $a1
}
rule yzpackV11UsAr {
meta: author="malware-lu"
strings:
$a0 = { 60 33 C0 8D 48 07 50 E2 FD 8B EC 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 8D 40 7C 8B 40 3C 89 45 04 E8 F3 07 0000 60 8B 5D 04 8B 73 3C 8B 74 33 78 03 F3 56 8B 76 20 03 F3 33 C9 49 92 41 AD 03 C3 52 33 FF 0F B6 10 38 F2 }
condition:
$a0 at pe.entry_point
}
rule VxDanishtiny {
meta: author="malware-lu"
strings:
$a0 = { 33 C9 B4 4E CD 21 73 02 FF ?? BA ?? 00 B8 ?? 3D CD 21 }
condition:
$a0 at pe.entry_point
}
rule UPXV194MarkusOberhumerLaszloMolnarJohnReiser {
meta: author="malware-lu"
strings:
$a0 = { FF D5 80 A7 ?????????? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }
condition:
$a0
}
rule yzpack112UsAr {
meta: author="malware-lu"
strings:
$a0 = { 5A 52 45 60 83 EC 18 8B EC 8B FC 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 83 C0 7C 8B 40 3C AB E9 ???????? B4 09 BA 0000 1F CD 21 B8 01 4C CD 21 40 000000 50 45 0000 4C 01 02 00 ???????? 0000000000000000 E0 00 ???? 0B 01 ???????? 0000 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02YodasProtector102Anorganix {
meta: author="malware-lu"
strings:
$a0 = { E8 03 000000 EB 01 9090 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02PESHiELD025Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 2B 000000 9090909090909090909090909090909090909090909090909090909090909090909090909090909090 CCCC }
condition:
$a0 at pe.entry_point
}
rule NsPacKV34V35LiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D 83 ED 07 8D 85 ???????? 80 38 01 0F 84 }
condition:
$a0 at pe.entry_point
}
rule DualseXe10 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 00 05 0000 E8 00000000 5D 81 ED 0E 000000 8D 85 08 03 0000 89 28 33 FF 8D 85 7D 02 0000 8D 8D 08 03 0000 2B C8 8B 9D 58 03 0000 E8 1C 02 0000 8D 9D 61 02 0000 8D B5 7C 02 0000 46 80 3E 00 74 24 56 FF 95 0A 04 0000 46 80 3E 00 }
condition:
$a0 at pe.entry_point
}
rule NoodleCryptv200EngNoodleSpa {
meta: author="malware-lu"
strings:
$a0 = { EB 01 9A E8 76 000000 EB 01 9A E8 65 000000 EB 01 9A E8 7D 000000 EB 01 9A E8 55 000000 EB 01 9A E8 43 04 0000 EB 01 9A E8 E1 000000 EB 01 9A E8 3D 000000 EB 01 9A E8 EB 01 0000 EB 01 9A E8 2C 04 0000 EB 01 9A E8 25 000000 EB 01 9A E8 02 }
condition:
$a0 at pe.entry_point
}
rule SoftComp1xBGSoftPT {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 81 2C 24 3A 10 41 00 5D E8 00000000 81 2C 24 31 01 0000 8B 85 2A 0F 41 00 29 04 24 8B 04 24 89 85 2A 0F 41 00 58 8B 85 2A 0F 41 00 }
condition:
$a0
}
rule Petite13c1998IanLuck {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 50 8D 88 00 ?????? 8D 90 ???? 0000 8B DC 8B E1 68 0000 ???? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 0000 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }
condition:
$a0 at pe.entry_point
}
rule PENightMarev13 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D B9 ???????? 80 31 15 41 81 F9 }
condition:
$a0 at pe.entry_point
}
rule Armadillo50DllSiliconRealmsToolworks {
meta: author="malware-lu"
strings:
$a0 = { 83 7C 24 08 01 75 05 E8 DE 4B 0000 FF 74 24 04 8B 4C 24 10 8B 54 24 0C E8 ED FE FF FF 59 C2 0C 00 6A 0C 68 ???????? E8 E5 24 0000 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 8F 15 0000 C7 00 0C 000000 57 57 57 57 57 E8 20 15 0000 83 C4 14 33 C0 E9 D5 000000 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ???????? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ???????? 77 37 6A 04 E8 D7 23 0000 59 89 7D FC FF 75 08 E8 EC 53 0000 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 000000 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 2B C5 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ???????? FF 15 ???????? 8B D8 3B DF 75 4C 39 3D ???????? 74 33 56 E8 19 ED FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 000000 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 7D 22 0000 59 C3 }
condition:
$a0 at pe.entry_point
}
rule ObsidiumV1350ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 03 ?????? E8 ???????? EB 02 ???? EB 04 ???????? 8B 54 24 0C EB 04 ???????? 83 82 B8 000000 20 EB 03 ?????? 33 C0 EB 01 ?? C3 EB 02 ???? EB 03 ?????? 64 67 FF 36 0000 EB 03 ?????? 64 67 89 26 0000 EB 01 ?? EB 04 ???????? 50 EB 04 ???????? 33 C0 EB 04 ???????? 8B 00 EB 03 ?????? C3 EB 02 ???? E9 FA 000000 EB 01 ?? E8 ???????? EB 01 ?? EB 02 ???? 58 EB 04 ???????? EB 02 ???? 64 67 8F 06 0000 EB 02 ???? 83 C4 04 EB 01 ?? E8 }
condition:
$a0 at pe.entry_point
}
rule ASProtectv123RC1 {
meta: author="malware-lu"
strings:
$a0 = { 68 01 ???? 00 E8 01 000000 C3 C3 }
condition:
$a0 at pe.entry_point
}
rule PUNiSHERv15DEMOFEUERRADERAHTeam {
meta: author="malware-lu"
strings:
$a0 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00000000 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00000000 EB 04 64 6B 88 18 81 2C 24 86 000000 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 }
$a1 = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00000000 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00000000 EB 04 64 6B 88 18 81 2C 24 86 000000 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 24 EB 04 64 6B 88 18 89 85 9C C2 41 00 EB 04 64 6B 88 18 58 68 9F 6F 56 B6 50 E8 5D 000000 EB FF 71 78 C2 50 00 EB D3 5B F3 68 89 5C 24 48 5C 24 58 FF 8D 5C 24 58 5B 83 C3 4C 75 F4 5A 8D 71 78 75 09 81 F3 EB FF 52 BA 01 00 83 EB FC 4A FF 71 0F 75 19 8B 5C 24 0000 81 33 50 53 8B 1B 0F FF C6 75 1B 81 F3 EB 87 1C 24 8B 8B 04 24 83 EC FC EB 01 E8 83 EC FC E9 E7 000000 58 EB FF F0 EB FF C0 83 E8 FD EB FF 30 E8 C9 000000 89 E0 EB FF D0 EB FF 71 0F 83 C0 01 EB FF 70 F0 71 EE EB FA EB 83 C0 14 EB FF 70 ED }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PECompactv140b2v140b4 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 9090 01 85 9E A0 40 ?? BB 86 11 }
condition:
$a0 at pe.entry_point
}
rule NullsoftInstallSystemv198 {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 0C 53 56 57 FF 15 2C 81 40 }
condition:
$a0 at pe.entry_point
}
rule CryptoLockv202EngRyanThian {
meta: author="malware-lu"
strings:
$a0 = { 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 909090909090 8A 06 46 88 07 47 }
$a1 = { 60 BE 15 90 40 00 8D BE EB 7F FF FF 57 83 CD FF EB 10 909090909090 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
$a2 = { 60 BE ?? 90 40 00 8D BE ???? FF FF 57 83 CD FF EB 10 909090909090 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 03 72 0D C1 E0 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
}
rule vfpexeNcv600WangJianGuo {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 01 000000 63 58 E8 01 000000 7A 58 2D 0D 10 40 00 8D 90 C1 10 40 00 52 50 8D 80 49 10 40 00 5D 50 8D 85 65 10 40 00 50 64 FF 35 00000000 64 89 25 00000000 CC }
condition:
$a0 at pe.entry_point
}
rule XPEORv099b {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5D 8B CD 81 ED 7A 29 40 00 89 AD 0F 6D 40 00 }
$a1 = { E8 ???????? 5D 8B CD 81 ED 7A 29 40 ?? 89 AD 0F 6D 40 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PEiDBundlev100BoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 21 02 0000 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 0000 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
condition:
$a0 at pe.entry_point
}
rule PeCompact2253276BitSumTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 55 53 51 57 56 52 8D 98 C9 11 00 10 8B 53 18 52 8B E8 6A 40 68 00 10 0000 FF 73 04 6A 00 8B 4B 10 03 CA 8B 01 FF D0 5A 8B F8 50 52 8B 33 8B 43 20 03 C2 8B 08 89 4B 20 8B 43 1C 03 C2 8B 08 89 4B 1C 03 F2 8B 4B 0C 03 CA 8D 43 1C 50 57 56 FF }
condition:
$a0
}
rule PseudoSigner02CodeLockAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 01 28 01 50 4B 47 05 4C 3F B4 04 4D 4C 47 4B }
condition:
$a0 at pe.entry_point
}
rule FSGv100Engdulekxt {
meta: author="malware-lu"
strings:
$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ?????? 00 53 E8 0A 000000 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 000000 2B CB 75 10 E8 38 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01BorlandDelphi50KOLMCKAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 90909090 68 ???????? 90909090909090909090909090909090909090909090909090909090 00 FF 9090909090909090 00 01 909090909090909090 EB 04 000000 01 90909090909090 00 01 909090909090909090 }
condition:
$a0 at pe.entry_point
}
rule FlyCrypter10ut1lz {
meta: author="malware-lu"
strings:
$a0 = { 53 56 57 55 BB 2C ???? 44 BE 00 30 44 44 BF 20 ???? 44 80 7B 28 00 75 16 83 3F 00 74 11 8B 17 89 D0 33 D2 89 17 8B E8 FF D5 83 3F 00 75 EF 83 3D 04 30 44 44 00 74 06 FF 15 58 30 44 44 80 7B 28 02 75 0A 83 3E 00 75 05 33 C0 89 43 0C FF 15 20 30 44 44 80 7B 28 01 76 05 83 3E 00 74 22 8B 43 10 85 C0 74 1B FF 15 18 30 44 44 8B 53 10 8B 42 10 3B 42 04 74 0A 85 C0 74 06 50 E8 2F FA FF FF FF 15 24 30 44 44 80 7B 28 01 75 03 FF 53 24 80 7B 28 00 74 05 E8 35 FF FF FF 83 3B 00 75 17 83 3D 10 ???? 44 00 74 06 FF 15 10 ???? 44 8B 06 50 E8 51 FA FF FF 8B 03 56 8B F0 8B FB B9 0B 000000 F3 A5 5E E9 73 FF FF FF 5D 5F 5E 5B C3 A3 00 30 44 44 E8 26 FF FF FF C3 }
$a1 = { 55 8B EC 83 C4 F0 53 B8 18 22 44 44 E8 7F F7 FF FF E8 0A F1 FF FF B8 09 000000 E8 5C F1 FF FF 8B D8 85 DB 75 05 E8 85 FD FF FF 83 FB 01 75 05 E8 7B FD FF FF 83 FB 02 75 05 E8 D1 FD FF FF 83 FB 03 75 05 E8 87 FE FF FF 83 FB 04 75 05 E8 5D FD FF FF 83 FB 05 75 05 E8 B3 FD FF FF 83 FB 06 75 05 E8 69 FE FF FF 83 FB 07 75 05 E8 5F FE FF FF 83 FB 08 75 05 E8 95 FD FF FF 83 FB 09 75 05 E8 4B FE FF FF 5B E8 9D F2 FF FF 90 }
condition:
$a0 or $a1 at pe.entry_point
}
rule MSLRHv032afakePECompact14xemadicius {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 2E A8 0000 C3 9C 60 E8 02 000000 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule muckisprotectorIImucki {
meta: author="malware-lu"
strings:
$a0 = { E8 24 000000 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00000000000000 31 C0 89 41 14 89 41 18 80 6A 00 E8 85 C0 74 12 64 8B 3D 18 000000 8B 7F 30 0F B6 47 02 85 C0 74 01 C3 C7 04 24 ???????? BE ???????? B9 ???????? 8A 06 F6 D0 88 06 46 E2 F7 C3 }
condition:
$a0 at pe.entry_point
}
rule VcasmProtector10 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ?????? 00 68 ?????? 00 64 A1 00000000 50 64 89 25 00000000 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 C3 FF 35 E8 07 000000 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 }
condition:
$a0 at pe.entry_point
}
rule NullsoftInstallSystemv20b2v20b3 {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 0C 53 55 56 57 FF 15 ?? 70 40 00 8B 35 ?? 92 40 00 05 E8 03 0000 89 44 24 14 B3 20 FF 15 2C 70 40 00 BF 00 04 0000 68 ?????? 00 57 FF 15 ???? 40 00 57 FF 15 }
condition:
$a0 at pe.entry_point
}
rule VProtectorV10Dvcasm {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 CA 31 41 00 68 06 32 41 00 64 A1 00000000 50 64 89 25 00000000 E8 03 000000 C7 84 00 58 EB 01 E9 83 C0 07 50 }
condition:
$a0 at pe.entry_point
}
rule GardianAngel10 {
meta: author="malware-lu"
strings:
$a0 = { 06 8C C8 8E D8 8E C0 FC BF ???? EB }
condition:
$a0 at pe.entry_point
}
rule eXpressorv12CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC D4 01 0000 53 56 57 EB 0C 45 78 50 72 2D 76 }
condition:
$a0 at pe.entry_point
}
rule RSCsProcessPatcherv14 {
meta: author="malware-lu"
strings:
$a0 = { E8 E1 01 0000 80 38 22 75 13 80 38 00 74 2E 80 38 20 75 06 80 78 FF 22 74 18 40 EB ED 80 38 00 74 1B EB 19 40 80 78 FF 20 75 F9 80 38 00 74 0D EB 0B 40 80 38 00 74 05 80 38 22 74 00 8B F8 B8 04 60 40 00 68 00 20 40 00 C7 05 A2 20 40 00 44 000000 68 92 }
condition:
$a0
}
rule Armadillov190b1 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 E0 C1 40 00 68 04 89 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule Armadillov190b2 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 F0 C1 40 00 68 A4 89 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule Armadillov190b3 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 08 E2 40 00 68 94 95 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualCASM {
meta: author="malware-lu"
strings:
$a0 = { EB 02 CD 20 EB 02 CD 20 EB 02 CD 20 C1 E6 18 BB 80 ???? 00 EB 02 82 B8 EB 01 10 8D 05 F4 }
condition:
$a0 at pe.entry_point
}
rule Thinstall25xxJtit {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B8 ???????? BB ???????? 50 E8 00000000 58 2D ?? 1A 0000 B9 ?? 1A 0000 BA ?? 1B 0000 BE 00 10 0000 BF ?? 53 0000 BD ?? 1A 0000 03 E8 81 75 00 ?????????? 75 04 ???????? 81 75 08 ???????? 81 75 0C ???????? 81 75 10 }
$a1 = { 55 8B EC B8 ???????? BB ???????? 50 E8 00000000 58 2D ?? 1A 0000 B9 ?? 1A 0000 BA ?? 1B 0000 BE 00 10 0000 BF ?? 53 0000 BD ?? 1A 0000 03 E8 81 75 00 ?????????? 75 04 ???????? 81 75 08 ???????? 81 75 0C ???????? 81 75 10 ???????? 03 ?????????????????????????????????????????????? 3B F1 7C 04 3B F2 7C 02 89 2E 83 C6 04 3B F7 7C E3 58 50 68 0000 40 00 68 80 5A }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule hmimysPacker10hmimys {
meta: author="malware-lu"
strings:
$a0 = { 5E 83 C6 64 AD 50 AD 50 83 EE 6C AD 50 AD 50 AD 50 AD 50 AD 50 E8 E7 07 }
condition:
$a0
}
rule ACProtectV20risco {
meta: author="malware-lu"
strings:
$a0 = { 68 ???????? 68 ???????? C3 C3 }
condition:
$a0 at pe.entry_point
}
rule RLPackV112V114LZMA430ap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 ???????? 8D 9D ???????? 33 FF 6A ?? 68 ???????? 68 ???????? 6A ?? FF 95 ???????? 89 85 ???????? EB ?? 60 }
condition:
$a0
}
rule JDPack: Packer PEiD {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 8B D5 81 ED ???????? 2B 95 ???????? 81 EA 06 ?????? 89 95 ???????? 83 BD 45 }
condition:
$a0 at pe.entry_point
}
rule PESpinv1304Cyberbob {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 0000 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
condition:
$a0 at pe.entry_point
}
rule ScObfuscatorSuperCRacker {
meta: author="malware-lu"
strings:
$a0 = { 60 33 C9 8B 1D ???????? 03 1D ???????? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D ???????? 75 E7 A1 ???????? 01 05 ???????? 61 FF 25 ???????? 0000 }
condition:
$a0 at pe.entry_point
}
rule tElock098SpecialBuildforgotheXer {
meta: author="malware-lu"
strings:
$a0 = { E9 99 D7 FF FF 000000 ???????? AA ???? 000000000000000000 CA }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01DEF10Anorganix {
meta: author="malware-lu"
strings:
$a0 = { BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 9090909090909090909090909090909090 83 C1 01 E9 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02REALBasicAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 90909090909090909090 50 9090909090 00 01 }
condition:
$a0 at pe.entry_point
}
rule Armadillov260c {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 40 ?????? 68 F4 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?????? 33 D2 8A D4 89 15 F4 }
condition:
$a0 at pe.entry_point
}
rule Armadillov260a {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? 68 94 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 6C ?????? 33 D2 8A D4 89 15 B4 }
condition:
$a0 at pe.entry_point
}
rule ThemidaWinLicenseV10XV17XDLLOreansTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 60 0B C0 74 58 E8 00000000 58 05 ???????? 80 38 E9 75 03 61 EB 35 E8 00000000 58 25 00 F0 FF FF 33 FF 66 BB ???? 66 83 ???? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ???????? 83 C3 ?? 39 1A 74 07 2D 00 10 0000 EB DA 8B F8 B8 ???????? 03 C7 B9 ???????? 03 CF EB 0A B8 ???????? B9 ???????? 50 51 E8 84 000000 E8 00000000 58 2D ???????? B9 ???????? C6 00 E9 83 E9 ?? 89 48 01 61 E9 }
condition:
$a0 at pe.entry_point
}
rule eXPressor12CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC D4 01 0000 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E }
condition:
$a0 at pe.entry_point
}
rule NeoLitev10 {
meta: author="malware-lu"
strings:
$a0 = { 8B 44 24 04 8D 54 24 FC 23 05 ???????? E8 ???????? FF 35 ???????? 50 FF 25 }
condition:
$a0 at pe.entry_point
}
rule ExeBundlev30standardloader {
meta: author="malware-lu"
strings:
$a0 = { 00000000 60 BE 00 B0 42 00 8D BE 00 60 FD FF C7 87 B0 E4 02 00 31 3C 4B DF 57 83 CD FF EB 0E 90909090 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB }
condition:
$a0 at pe.entry_point
}
rule ProtectionPlusvxx {
meta: author="malware-lu"
strings:
$a0 = { 50 60 29 C0 64 FF 30 E8 ???????? 5D 83 ED 3C 89 E8 89 A5 14 ?????? 2B 85 1C ?????? 89 85 1C ?????? 8D 85 27 03 ???? 50 8B ?? 85 C0 0F 85 C0 ?????? 8D BD 5B 03 ???? 8D B5 43 03 ???? E8 DD ?????? 89 85 1F 03 ???? 6A 40 68 ?? 10 ???? 8B 85 }
condition:
$a0 at pe.entry_point
}
rule EXECryptorV22Xsoftcompletecom {
meta: author="malware-lu"
strings:
$a0 = { FF E0 E8 04 000000 FF FF FF FF 5E C3 00 }
condition:
$a0
}
rule ThinstallVirtualizationSuite30353043ThinstallCompany {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 68 53 74 41 6C 68 54 68 49 6E E8 00000000 58 BB 37 1F 0000 2B C3 50 68 ???????? 68 00 28 0000 68 04 01 0000 E8 BA FE FF FF E9 90 FF FF FF CCCCCCCCCCCCCC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 000000 33 DB BA 000000 80 43 33 C0 E8 19 01 0000 73 0E 8B 4D F8 E8 27 01 0000 02 45 F7 AA EB E9 E8 04 01 0000 0F 82 96 000000 E8 F9 000000 73 5B B9 04 000000 E8 05 01 0000 48 74 DE 0F 89 C6 000000 E8 DF 000000 73 1B 55 BD 00 01 0000 E8 DF 000000 88 07 47 4D 75 F5 E8 C7 000000 72 E9 5D EB }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01CrunchPEHeuristicAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 E8 0E 000000 5D 83 ED 06 8B C5 55 60 89 AD ???????? 2B 85 00000000 E9 }
condition:
$a0 at pe.entry_point
}
rule FSGv120EngdulekxtBorlandC {
meta: author="malware-lu"
strings:
$a0 = { C1 F0 07 EB 02 CD 20 BE 80 ???? 00 1B C6 8D 1D F4 000000 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 000000 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 }
condition:
$a0 at pe.entry_point
}
rule EXEPACKv405v406 {
meta: author="malware-lu"
strings:
$a0 = { 8C C0 05 ???? 0E 1F A3 ???? 03 06 ???? 8E C0 8B 0E ???? 8B F9 4F 8B F7 FD F3 A4 }
condition:
$a0 at pe.entry_point
}
rule PeStubOEPv1x {
meta: author="malware-lu"
strings:
$a0 = { 90 33 C9 33 D2 B8 ?????? 00 B9 FF }
$a1 = { E8 05 000000 33 C0 40 48 C3 E8 05 }
condition:
$a0 or $a1
}
rule EXEShieldv01bv03bv03SMoKE {
meta: author="malware-lu"
strings:
$a0 = { E8 04 000000 83 60 EB 0C 5D EB 05 }
condition:
$a0 at pe.entry_point
}
rule PEArmor049Hying {
meta: author="malware-lu"
strings:
$a0 = { 56 52 51 53 55 E8 15 01 0000 32 ???? 0000000000 }
condition:
$a0 at pe.entry_point
}
rule PECompactv14x {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
condition:
$a0 at pe.entry_point
}
rule PocketPCSHA {
meta: author="malware-lu"
strings:
$a0 = { 86 2F 96 2F A6 2F B6 2F 22 4F 43 68 53 6B 63 6A 73 69 F0 7F 0B D0 0B 40 09 00 09 D0 B3 65 A3 66 93 67 0B 40 83 64 03 64 04 D0 0B 40 09 00 10 7F 26 4F F6 6B F6 6A F6 69 0B 00 F6 68 ?????? 00 ?????? 00 ?????? 00 22 4F F0 7F 0A D0 06 D4 06 D5 0B 40 09 }
condition:
$a0 at pe.entry_point
}
rule eXPressorV1451CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 EC 58 53 56 57 83 65 DC 00 F3 EB 0C 65 58 50 72 2D 76 2E 31 2E 34 2E 00 A1 00 ???? 00 05 00 ???? 00 A3 08 ???? 00 A1 08 ???? 00 B9 81 ???? 00 2B 48 18 89 0D 0C ???? 00 83 3D }
condition:
$a0 at pe.entry_point
}
rule Thinstall25 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B8 ???????? BB ???????? 50 E8 00000000 58 2D A7 1A 0000 B9 6C 1A 0000 BA 20 1B 0000 BE 00 10 0000 BF B0 53 0000 BD EC 1A 0000 03 E8 81 75 00 ???????? 81 75 04 ???????? 81 75 08 ???????? 81 75 0C ???????? 81 75 10 }
condition:
$a0 at pe.entry_point
}
rule SuckStopv111 {
meta: author="malware-lu"
strings:
$a0 = { EB ?????? BE ???? B4 30 CD 21 EB ?? 9B }
condition:
$a0 at pe.entry_point
}
rule DEFv10 {
meta: author="malware-lu"
strings:
$a0 = { BE ?? 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 }
$a1 = { BE ?? 01 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 0000 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ?? 10 40 00 C3 }
condition:
$a0 at pe.entry_point or $a1
}
rule UnnamedScrambler251Beta2252p0ke {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B9 ?? 000000 6A 00 6A 00 49 75 F9 53 56 57 B8 ???? 40 00 E8 ?? EA FF FF 33 C0 55 68 ???? 40 00 64 FF 30 64 89 20 BA ???? 40 00 B8 ???? 40 00 E8 63 F3 FF FF 8B D8 85 DB 75 07 6A 00 E8 ???? FF FF BA ???? 40 00 8B C3 8B 0D ???? 40 00 E8 ???? FF FF C7 05 ???? 40 00 0A 000000 BB ???? 40 00 BE ???? 40 00 BF ???? 40 00 B8 ???? 40 00 BA 04 000000 E8 ?? EB FF FF 83 3B 00 74 04 33 C0 89 03 8B D7 8B C6 E8 0A F3 FF FF 89 03 83 3B 00 0F 84 F7 04 0000 B8 ???? 40 00 8B 16 E8 ?? E1 FF FF B8 ???? 40 00 E8 ?? E0 FF FF 8B D0 8B 03 8B 0E E8 ???? FF FF 8B C7 A3 ???? 40 00 8D 55 EC 33 C0 E8 ?? D3 FF FF 8B 45 EC B9 ???? 40 00 BA ???? 40 00 E8 8B ED FF FF 3C 01 75 2B A1 }
condition:
$a0
}
rule Crunchv40 {
meta: author="malware-lu"
strings:
$a0 = { EB 10 00000000000000000000000000000000 55 E8 00000000 5D 81 ED 18 000000 8B C5 55 60 9C 2B 85 E9 06 0000 89 85 E1 06 0000 FF 74 24 2C E8 BB 01 0000 0F 82 92 05 0000 E8 F1 03 0000 49 0F 88 86 05 0000 68 6C D9 B2 96 33 C0 50 E8 24 }
condition:
$a0 at pe.entry_point
}
rule PrivateEXEProtector18SetiSoft {
meta: author="malware-lu"
strings:
$a0 = { A4 B3 02 E8 6D 000000 73 F6 31 C9 E8 64 000000 73 1C 31 C0 E8 5B 000000 73 23 B3 02 41 B0 10 E8 4F 000000 10 C0 73 F7 75 3F AA EB D4 E8 4D 000000 29 D9 75 10 E8 42 000000 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 000000 3D 00 7D 0000 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 31 FF 31 F6 C3 }
condition:
$a0
}
rule PseudoSigner02Armadillo300Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 2A 000000 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85 }
condition:
$a0 at pe.entry_point
}
rule hmimyssPEPack01hmimys {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5D 83 ED 05 6A 00 FF 95 E1 0E 0000 89 85 85 0E 0000 8B 58 3C 03 D8 81 C3 F8 000000 80 AD 89 0E 0000 01 89 9D 63 0F 0000 8B 4B 0C 03 8D 85 0E 0000 8B 53 08 80 BD 89 0E 000000 75 0C 03 8D 91 0E 0000 2B 95 91 0E 0000 89 8D 57 0F 0000 89 95 5B 0F 0000 8B 5B 10 89 9D 5F 0F 0000 8B 9D 5F 0F 0000 8B 85 57 0F 0000 53 50 E8 B7 0B 0000 89 85 73 0F 0000 6A 04 68 00 10 0000 50 6A 00 FF 95 E9 0E 0000 89 85 6B 0F 0000 6A 04 68 00 10 0000 68 D8 7C 0000 6A 00 FF 95 E9 0E 0000 89 85 6F 0F 0000 8D 85 67 0F 0000 8B 9D 73 0F 0000 8B 8D 6B 0F 0000 8B 95 5B 0F 0000 83 EA 0E 8B B5 57 0F 0000 83 C6 0E 8B BD 6F 0F 0000 50 53 51 52 56 68 D8 7C 0000 57 E8 01 01 0000 8B 9D 57 0F 0000 8B 03 3C 01 75 }
condition:
$a0 at pe.entry_point
}
rule PECompactv146 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 9090 01 85 9E A0 40 ?? BB 60 12 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02XCR011Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 8B F0 33 DB 83 C3 01 83 C0 01 }
condition:
$a0 at pe.entry_point
}
rule EXEPACKLINKv360v364v365or50121 {
meta: author="malware-lu"
strings:
$a0 = { 8C C0 05 ???? 0E 1F A3 ???? 03 ?????? 8E C0 8B ?????? 8B ?? 4F 8B F7 FD F3 A4 50 B8 ???? 50 CB }
condition:
$a0 at pe.entry_point
}
rule SpecialEXEPasswordProtectorv10 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 06 000000 89 AD 8C 01 0000 8B C5 2B 85 FE 75 0000 89 85 3E 77 }
condition:
$a0 at pe.entry_point
}
rule RCryptor15Vaska {
meta: author="malware-lu"
strings:
$a0 = { 83 2C 24 4F 68 ???????? FF 54 24 04 83 44 24 04 4F B8 ???????? 3D ???????? 74 06 80 30 ???? EB F3 B8 ???????? 3D ???????? 74 06 80 30 ?? 40 EB F3 }
condition:
$a0 at pe.entry_point
}
rule ExeJoiner10Yoda {
meta: author="malware-lu"
strings:
$a0 = { 68 00 10 40 00 68 04 01 0000 E8 39 03 0000 05 00 10 40 00 C6 00 5C 68 04 01 0000 68 04 11 40 00 6A 00 E8 1A 03 0000 6A 00 68 80 000000 6A 03 6A 00 6A 01 68 000000 80 68 04 11 40 00 E8 EC 02 0000 83 F8 FF 0F 84 83 02 0000 A3 08 12 40 00 6A 00 50 E8 E2 02 0000 83 F8 FF 0F 84 6D 02 0000 A3 0C 12 40 00 8B D8 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 E8 E3 02 0000 6A 00 68 3C 12 40 00 6A 04 68 1E 12 40 00 FF 35 08 12 40 00 E8 C4 02 0000 83 EB 04 6A 00 6A 00 53 FF 35 08 12 40 00 }
condition:
$a0 at pe.entry_point
}
rule RLPackV119DllaPlib043ap0x {
meta: author="malware-lu"
strings:
$a0 = { 80 7C 24 08 01 0F 85 89 01 0000 60 E8 00000000 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 3C 04 0000 EB 0C 8B 85 38 04 0000 89 85 3C 04 0000 8D B5 60 04 0000 8D 9D EB 02 0000 33 FF E8 52 01 0000 EB 1B 8B 85 3C 04 0000 FF 74 37 04 01 04 24 FF 34 37 01 04 24 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 DF 83 BD 48 04 000000 74 0E 83 BD 4C 04 000000 74 05 E8 B8 01 0000 8D 74 37 04 53 6A 40 68 00 10 0000 68 ???????? 6A 00 FF 95 D1 03 0000 89 85 5C 04 0000 5B FF B5 5C 04 0000 56 FF D3 83 C4 08 8B B5 5C 04 0000 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 3C 04 0000 83 C0 04 89 85 58 04 0000 E9 94 000000 56 FF 95 C9 03 0000 85 C0 0F 84 B4 000000 89 85 54 04 0000 8B C6 EB 5B 8B 85 58 04 0000 8B 00 A9 000000 80 74 14 35 000000 80 50 8B 85 58 04 0000 C7 00 20 20 20 00 EB 06 FF B5 58 04 0000 FF B5 54 04 0000 FF 95 CD 03 0000 85 C0 74 71 89 07 83 C7 04 8B 85 58 04 0000 EB 01 40 80 38 00 75 FA 40 89 85 58 04 0000 66 81 78 02 00 80 74 A5 80 38 00 75 A0 EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 3C 04 0000 83 C0 04 89 85 58 04 0000 80 3E 01 0F 85 63 FF FF FF 68 00 40 0000 68 ???????? FF B5 5C 04 0000 FF 95 D5 03 0000 E8 3D 000000 E8 24 01 0000 61 E9 ???????? 61 C3 }
condition:
$a0 at pe.entry_point
}
rule CrypKeyV56XKenonicControlsLtd {
meta: author="malware-lu"
strings:
$a0 = { E8 ???????? E8 ???????? 83 F8 00 75 07 6A 00 E8 }
condition:
$a0 at pe.entry_point
}
rule Safe20 {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 10 53 56 57 E8 C4 01 00 }
condition:
$a0
}
rule MicrosoftVisualCV80 {
meta: author="malware-lu"
strings:
$a0 = { 6A 14 68 ???????? E8 ???????? BB 94 000000 53 6A 00 8B ?????????? FF D7 50 FF ?????????? 8B F0 85 F6 75 0A 6A 12 E8 ???????? 59 EB 18 89 1E 56 FF ?????????? 56 85 C0 75 14 50 FF D7 50 FF ?????????? B8 }
condition:
$a0 at pe.entry_point
}
rule MZ_Crypt10byBrainSt0rm {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 25 14 40 00 8B BD 77 14 40 00 8B 8D 7F 14 40 00 EB 28 83 7F 1C 07 75 1E 8B 77 0C 03 B5 7B 14 40 00 33 C0 EB 0C 50 8A A5 83 14 40 00 30 26 58 40 46 3B 47 10 76 EF 83 C7 28 49 0B C9 75 D4 8B 85 73 14 40 00 89 44 24 1C 61 FF E0 }
condition:
$a0
}
rule EPWv130 {
meta: author="malware-lu"
strings:
$a0 = { 06 57 1E 56 55 52 51 53 50 2E 8C 06 08 00 8C C0 83 C0 10 2E }
condition:
$a0 at pe.entry_point
}
rule WindofCrypt10byDarkPressure {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 EC 53 ???????? 89 45 EC B8 64 40 00 10 E8 28 EA FF FF 33 C0 55 68 CE 51 00 10 64 ???????? 20 6A 00 68 80 000000 6A 03 6A 00 6A 01 68 000000 80 8D 55 EC 33 C0 E8 F6 DB FF FF 8B 45 EC E8 12 E7 FF FF 50 E8 3C EA FF FF 8B D8 83 FB FF 0F 84 A6 000000 6A 00 53 E8 41 EA FF FF 8B F0 81 EE 00 5E 0000 6A 00 6A 00 68 00 5E 0000 53 E8 52 EA FF FF B8 F4 97 00 10 8B D6 E8 2E E7 FF FF B8 F8 97 00 10 8B D6 E8 22 E7 FF FF 8B C6 E8 AB D8 FF FF 8B F8 6A 00 68 F0 97 00 10 56 A1 F4 97 00 10 50 53 E8 05 EA FF FF 53 E8 CF E9 FF FF B8 FC 97 00 10 BA E8 51 00 10 E8 74 EA FF FF A1 F4 97 00 10 85 C0 74 05 83 E8 04 8B 00 50 B9 F8 97 00 10 B8 FC 97 00 10 8B 15 F4 97 00 10 E8 D8 EA FF FF B8 FC 97 00 10 E8 5A EB FF FF 8B CE 8B 15 F8 97 00 10 8B C7 E8 EB E9 FF FF 8B C7 85 C0 74 05 E8 E4 EB FF FF 33 C0 5A 59 59 64 89 10 68 D5 51 00 10 8D 45 EC E8 BB E5 FF FF C3 E9 A9 DF FF FF EB F0 5F 5E 5B E8 B7 E4 FF FF 000000 FF FF FF FF 0A 000000 63 5A 6C 56 30 55 6C 6B 70 4D }
condition:
$a0 at pe.entry_point
}
rule NTKrnlPackerAshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { 000000000000000000000000 34 10 0000 28 10 00000000000000000000000000000000000000000000 41 10 0000 50 10 000000000000 4B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 }
condition:
$a0
}
rule PseudoSigner01LCCWin321xAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 64 A1 01 000000 55 89 E5 6A FF 68 ???????? 68 9A 10 40 90 50 E9 }
condition:
$a0 at pe.entry_point
}
rule NME11Publicbyredlime {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 53 56 B8 30 35 14 13 E8 9A E6 FF FF 33 C0 55 68 6C 36 14 13 64 FF 30 64 89 20 B8 08 5C 14 13 BA 84 36 14 13 E8 7D E2 FF FF E8 C0 EA FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 04 F8 FF FF 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 F4 F7 FF FF 8B 15 CC 45 14 13 A1 C8 45 14 13 E8 2C F9 FF FF A3 F8 5A 14 13 8B 15 D0 45 14 13 A1 C8 45 14 13 E8 17 F9 FF FF A3 FC 5A 14 13 B8 04 5C 14 13 E8 20 FB FF FF 8B D8 85 DB 74 48 B8 00 5B 14 13 8B 15 C4 45 14 13 E8 1E E7 FF FF A1 04 5C 14 13 E8 A8 DA FF FF ???????? 5C 14 13 50 8B CE 8B D3 B8 00 5B 14 13 ???????? FF 8B C6 E8 DF FB FF FF 8B C6 E8 9C DA FF FF B8 00 5B 14 13 E8 72 E7 FF FF 33 C0 5A 59 59 64 89 10 68 73 36 14 13 C3 E9 0F DF FF FF EB F8 5E 5B E8 7E E0 FF FF 0000 FF FF FF FF 0C 000000 4E 4D 45 20 31 2E 31 20 53 74 75 62 }
condition:
$a0
}
rule PEtitev13 {
meta: author="malware-lu"
strings:
$a0 = { 66 9C 60 50 8D 88 ?? F0 ???? 8D 90 04 16 ???? 8B DC 8B E1 68 ???????? 53 50 80 04 24 08 50 80 04 24 42 }
condition:
$a0 at pe.entry_point
}
rule PEtitev12 {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 CA ?????? 03 ?? 04 ?? 05 ?? 06 ?? 07 ?? 08 }
condition:
$a0 at pe.entry_point
}
rule PECompactv134v140b1 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 80 40 ?? 87 DD 8B 85 A6 80 40 ?? 01 85 03 80 40 ?? 66 C7 85 ?? 00 80 ?? 40 9090 01 85 9E 80 ?? 40 BB F8 10 }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakeMSVC70DLLMethod3emadicius {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule PEtitev14 {
meta: author="malware-lu"
strings:
$a0 = { 66 9C 60 50 8B D8 03 ?? 68 54 BC ???? 6A ?? FF 50 14 8B CC }
$a1 = { 66 9C 60 50 8B D8 03 00 68 54 BC 0000 6A 00 FF 50 14 8B CC }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule SoftProtectSoftProtectbyru {
meta: author="malware-lu"
strings:
$a0 = { EB 01 E3 60 E8 03 ?????? D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 60 E8 03 ?????? 83 EB 0E EB 01 0C 58 EB 01 35 40 EB 01 36 FF E0 0B 61 EB 01 83 9C EB 01 D5 EB 08 35 9D EB 01 89 EB 03 0B EB F7 E8 ???????? 58 E8 ???????? 59 83 01 01 80 39 5C }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02CDCopsIIAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 53 60 BD 90909090 8D 45 90 8D 5D 90 E8 00000000 8D 01 }
condition:
$a0 at pe.entry_point
}
rule RLPack118LZMA430ap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 ?? 8D B5 21 0B 0000 8D 9D FF 02 0000 33 FF E8 9F 01 0000 6A ?? 68 ???????? 68 ???????? 6A 00 FF 95 AA 0A 0000 89 85 F9 0A 0000 EB 14 60 FF B5 F9 0A 0000 FF 34 37 FF 74 37 04 FF D3 61 83 C7 ?? 83 3C 37 00 75 E6 83 BD 0D 0B 000000 74 0E 83 BD 11 0B 000000 74 05 E8 F6 01 0000 8D 74 37 04 53 6A ?? 68 ???????? 68 ???????? 6A 00 FF 95 AA 0A 0000 89 85 1D 0B 0000 5B 60 FF B5 F9 0A 0000 56 FF B5 1D 0B 0000 FF D3 61 8B B5 1D 0B 0000 8B C6 EB 01 }
condition:
$a0 at pe.entry_point
}
rule ASPackv108xAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02BorlandCDLLMethod2Anorganix {
meta: author="malware-lu"
strings:
$a0 = { EB 10 66 62 3A 43 2B 2B 48 4F 4F 4B 90 E9 90909090 }
condition:
$a0 at pe.entry_point
}
rule ARMProtector01bySMoKE {
meta: author="malware-lu"
strings:
$a0 = { E8 04 000000 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00000000 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 0000 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 000000 83 EB 01 00 8B FE E8 00000000 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 000000 83 EB 01 00 2A C2 E8 00000000 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00000000 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 }
condition:
$a0 at pe.entry_point
}
rule tElock099cPrivateECLIPSEtE {
meta: author="malware-lu"
strings:
$a0 = { E9 3F DF FF FF 000000 ???????? 04 ???? 000000000000000000 24 ???? 00 14 ???? 00 0C ???? 000000000000000000 31 ???? 00 1C ???? 000000000000000000000000000000000000000000 3C ???? 0000000000 4F ???? 0000000000 3C ???? 0000000000 4F ???? 0000000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 75 73 65 }
condition:
$a0 at pe.entry_point
}
rule XPack152164 {
meta: author="malware-lu"
strings:
$a0 = { 8B EC FA 33 C0 8E D0 BC ???? 2E ???????? 2E ???????? EB }
condition:
$a0 at pe.entry_point
}
rule ASProtectv123RC4build0807dllAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 03 000000 E9 EB 04 5D 45 55 C3 E8 01 000000 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?????? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 0000 8D 45 35 50 E9 82 0000000000000000000000000000000000 }
condition:
$a0 at pe.entry_point
}
rule Armadillov253b3 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 D8 ?????? 68 14 ?????? 64 A1 ???????? 50 64 89 25 ???????? 83 EC 58 53 56 57 89 65 E8 FF 15 }
condition:
$a0 at pe.entry_point
}
rule Imploderv104BoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 A0 000000000000000000000000000000 36 ?????? 2E ?????? 0000000000000000000000000000000000000000 01 0000 80 00000000 4B 65 72 6E 65 6C 33 32 2E 44 }
condition:
$a0 at pe.entry_point
}
rule PEiDBundlev100v101BoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ?? 02 0000 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 0000 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }
condition:
$a0 at pe.entry_point
}
rule JExeCompressor10byArashVeyskarami {
meta: author="malware-lu"
strings:
$a0 = { 8D 2D D3 4A E5 14 0F BB F7 0F BA E5 73 0F AF D5 8D 0D 0C 9F E6 11 C0 F8 EF F6 DE 80 DC 5B F6 DA 0F A5 C1 0F C1 F1 1C F3 4A 81 E1 8C 1F 66 91 0F BE C6 11 EE 0F C0 E7 33 D9 64 F2 C0 DC 73 0F C0 D5 55 8B EC BA C0 1F 41 00 8B C2 B9 97 000000 80 32 79 50 B8 02 000000 50 03 14 24 58 58 51 2B C9 B9 01 000000 83 EA 01 E2 FB 59 E2 E1 FF E0 }
condition:
$a0 at pe.entry_point
}
rule Alloy4xPGWareLLC {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 02 000000 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 30 40 00 87 DD 6A 04 68 00 10 0000 68 00 02 0000 6A 00 FF 95 A8 33 40 00 0B C0 0F 84 F6 01 0000 89 85 2E 33 40 00 83 BD E8 32 40 00 01 74 0D 83 BD E4 32 40 00 01 74 2A 8B F8 EB 3E 68 }
condition:
$a0 at pe.entry_point
}
rule ThinstallV2403Jitit {
meta: author="malware-lu"
strings:
$a0 = { 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 0000 C7 40 0C 01 000000 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 000000 C2 04 00 8B 44 24 04 C7 41 0C 01 000000 89 81 29 04 0000 0F B6 40 01 D1 E8 89 41 10 C7 41 }
$a1 = { 6A 00 FF 15 20 50 40 00 E8 D4 F8 FF FF E9 E9 AD FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 0000 C7 40 0C 01 000000 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 000000 C2 04 00 8B 44 24 04 C7 41 0C 01 000000 89 81 29 04 0000 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 000000 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 000000 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 57 BF 0000 80 00 39 79 14 77 36 53 56 8B B1 29 04 0000 8B 41 0C 8B 59 10 03 DB 8A 14 30 83 E2 01 0B D3 C1 E2 07 40 89 51 10 89 41 0C 0F B6 04 30 C1 61 14 08 D1 E8 09 41 10 39 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule FakeNinjav28AntiDebugSpirit {
meta: author="malware-lu"
strings:
$a0 = { 64 A1 18 000000 EB 02 C3 11 8B 40 30 EB 01 0F 0F B6 40 02 83 F8 01 74 FE EB 01 E8 90 C0 FF FF EB 03 BD F4 B5 64 A1 30 000000 0F B6 40 02 74 01 BA 74 E0 50 00 64 A1 30 000000 83 C0 68 8B 00 EB 00 83 F8 70 74 CF EB 02 EB FE 909090 0F 31 33 C9 03 C8 0F 31 2B C1 3D FF 0F 0000 73 EA E8 08 000000 C1 3D FF 0F 0000 74 AA EB 07 E8 8B 40 30 EB 08 EA 64 A1 18 000000 EB F2 909090 BA ???????? FF E2 64 11 40 00 FF 35 84 11 40 00 E8 40 11 0000 6A 00 6A 00 FF 35 70 11 40 00 FF 35 84 11 40 00 E8 25 11 0000 FF }
condition:
$a0
}
rule ExeLockv100 {
meta: author="malware-lu"
strings:
$a0 = { 06 8C C8 8E C0 BE ???? 26 ???? 34 ?? 26 ???? 46 81 ?????? 75 ?? 40 B3 ?? B3 ?? F3 }
condition:
$a0 at pe.entry_point
}
rule PEtitevxx {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 66 9C 60 50 }
condition:
$a0 at pe.entry_point
}
rule EnigmaProtector10XSukhovVladimir {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 83 ???? 81 ED ?????????????????????????????????????????????????????????????????????? E8 01 000000 ?? 83 C4 04 EB 02 ???? 60 E8 24 0000000000 ?? EB 02 ???? 8B 44 24 0C 83 80 B8 000000 03 31 C0 C3 83 C0 08 EB 02 ???? 89 C4 61 EB 2E ?????????????? EB 01 ?? 31 C0 EB 01 ?? 64 FF 30 EB 01 ?? 64 89 20 EB 02 ???? 89 00 9A 64 8F 05 00000000 EB 02 C1 ?? 58 61 EB 01 }
condition:
$a0
}
rule ThinstallEmbedded27172719Jitit {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 58 BB ???????? 2B C3 50 68 ???????? 68 ???????? 68 ???????? E8 C1 FE FF FF E9 97 FF FF FF CCCC 55 8B EC 83 C4 F4 FC 53 57 56 8B 75 08 8B 7D 0C C7 45 FC 08 000000 33 DB BA 000000 80 43 33 C0 E8 19 01 0000 73 0E 8B 4D F8 E8 27 01 0000 02 45 F7 AA EB E9 E8 04 01 0000 0F 82 96 000000 E8 F9 000000 73 5B B9 04 000000 E8 05 01 0000 48 74 DE 0F 89 C6 000000 E8 DF 000000 73 1B 55 BD 00 01 0000 E8 DF 000000 88 07 47 4D 75 F5 E8 C7 000000 72 E9 5D EB A2 B9 01 000000 E8 D0 000000 83 C0 07 89 45 F8 C6 45 F7 00 83 F8 08 74 89 E8 B1 000000 88 45 F7 E9 7C FF FF FF B9 07 000000 E8 AA 000000 50 33 C9 B1 02 E8 A0 000000 8B C8 41 41 58 0B C0 74 04 8B D8 EB 5E 83 F9 02 74 6A 41 E8 88 000000 89 45 FC E9 48 FF FF FF E8 87 000000 49 E2 09 8B C3 E8 7D 000000 EB 3A 49 8B C1 55 8B 4D FC 8B E8 33 C0 D3 E5 E8 5D 000000 0B C5 5D 8B D8 E8 5F 000000 3D 0000 01 00 73 14 3D FF 37 0000 73 0E 3D 7F 02 0000 73 08 83 F8 7F 77 04 41 41 41 41 56 8B F7 2B F0 F3 A4 5E E9 F0 FE FF FF 33 C0 EB 05 8B C7 2B 45 0C 5E 5F 5B C9 C2 08 00 }
condition:
$a0 at pe.entry_point
}
rule ASPackv102bAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }
$a1 = { 60 E8 ???????? 5D 81 ED 96 78 43 ?? B8 90 78 43 ?? 03 C5 2B 85 7D 7C 43 ?? 89 85 89 7C 43 ?? 80 BD 74 7C 43 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PEProtect09byCristophGabler1998 {
meta: author="malware-lu"
strings:
$a0 = { 50 45 2D 50 52 4F 54 45 43 54 20 30 2E 39 }
condition:
$a0
}
rule VxPredator2448 {
meta: author="malware-lu"
strings:
$a0 = { 0E 1F BF ???? B8 ???? B9 ???? 49 ???????? 2A C1 4F 4F ???? F9 CC }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakeMSVC60DLLemadicius {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 5F 5E 5B 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule RCryptorv16dVaska {
meta: author="malware-lu"
strings:
$a0 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 }
$a1 = { 60 90 61 61 80 7F F0 45 90 60 0F 85 1B 8B 1F FF 68 ???????? B8 ???????? 90 3D ???????? 74 06 80 30 ?? 40 EB F3 }
condition:
$a0 at pe.entry_point or $a1
}
rule Enigmaprotector112VladimirSukhov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 83 ED 06 81 ED ?????????????????????????????????????????????????????????????????????? E8 01 000000 9A 83 C4 04 EB 02 FF 35 60 E8 24 0000000000 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 000000 03 31 C0 C3 83 C0 08 EB 02 FF 15 89 C4 61 EB 2E EA EB 2B 83 04 24 03 EB 01 00 31 C0 EB 01 85 64 FF 30 EB 01 83 64 89 20 EB 02 CD 20 89 00 9A 64 8F 05 00000000 EB 02 C1 90 58 61 EB 01 3E EB 04 ???????? B8 ?????????????????????????????????????????????????????????????????????? E8 01 000000 9A 83 C4 04 01 E8 ?????????????????????????????????????????????????????????????? E8 01 000000 9A 83 C4 04 05 F6 01 0000 ?????????????????????????????????????????????????????????????? E8 01 000000 9A 83 C4 04 B9 44 1A }
condition:
$a0
}
rule hyingsPEArmorV076hying {
meta: author="malware-lu"
strings:
$a0 = { E9 00000000 60 E8 14 000000 5D 81 ED 00000000 6A ?? E8 A3 000000 }
condition:
$a0 at pe.entry_point
}
rule JDPackV200JDPack {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? 68 ???????? 64 A1 00000000 50 64 89 25 00000000 ?????? E8 01 000000 ???????????? 05 00000000 83 C4 0C 5D 60 E8 00000000 5D 8B D5 64 FF 35 00000000 EB }
condition:
$a0 at pe.entry_point
}
rule Upackv01xv02xDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 88 01 ???? AD 8B F8 95 }
condition:
$a0 at pe.entry_point
}
rule VcasmProtectorV1Xvcasm {
meta: author="malware-lu"
strings:
$a0 = { EB ?? 5B 56 50 72 6F 74 65 63 74 5D }
condition:
$a0 at pe.entry_point
}
rule kkrunchy023alpha2Ryd {
meta: author="malware-lu"
strings:
$a0 = { BD ???????? C7 45 00 ?????? 00 B8 ?????? 00 89 45 04 89 45 54 50 C7 45 10 ?????? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 0000 8D 7D 30 AB AB AB AB BB 0000 D8 00 BF }
$a1 = { BD ???????? C7 45 00 ?????? 00 B8 ?????? 00 89 45 04 89 45 54 50 C7 45 10 ?????? 00 FF 4D 0C FF 45 14 FF 45 58 C6 45 1C 08 B8 00 08 0000 8D 7D 30 AB AB AB AB BB 0000 D8 00 BF ?????? 01 31 C9 41 8D 74 09 01 B8 CA 8E 2A 2E 99 F7 F6 01 C3 89 D8 C1 E8 15 AB FE C1 75 E8 BE }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PolyEnEV001LennartHedlund {
meta: author="malware-lu"
strings:
$a0 = { 50 6F 6C 79 45 6E 45 00 4D 65 73 73 61 67 65 42 6F 78 41 00 55 53 45 52 33 32 2E 64 6C 6C }
condition:
$a0
}
rule Winkriptv10 {
meta: author="malware-lu"
strings:
$a0 = { 33 C0 8B B8 00 ?????? 8B 90 04 ?????? 85 FF 74 1B 33 C9 50 EB 0C 8A 04 39 C0 C8 04 34 1B 88 04 39 41 3B CA 72 F0 58 }
condition:
$a0 at pe.entry_point
}
rule TrainerCreationKitv5Trainer {
meta: author="malware-lu"
strings:
$a0 = { 6A 00 68 80 000000 6A 02 6A 00 6A 00 68 000000 40 68 25 45 40 00 E8 3C 02 0000 50 6A 00 68 40 45 40 00 68 00 10 0000 68 00 30 40 00 50 E8 54 02 0000 58 50 E8 17 02 0000 6A 00 E8 2E 02 0000 A3 70 45 40 00 68 25 45 40 00 E8 2B 02 0000 A3 30 45 40 }
condition:
$a0
}
rule EXEStealthv272 {
meta: author="malware-lu"
strings:
$a0 = { EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 }
condition:
$a0 at pe.entry_point
}
rule EXEStealthv273 {
meta: author="malware-lu"
strings:
$a0 = { EB 00 EB 2F 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 EB 16 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 60 90 E8 00000000 5D 81 ED F0 27 40 00 B9 15 000000 83 C1 05 EB 05 EB FE 83 C7 56 EB 00 83 E9 02 }
condition:
$a0
}
rule PseudoSigner02DEF10Anorganix {
meta: author="malware-lu"
strings:
$a0 = { BE 00 01 40 00 6A 05 59 80 7E 07 00 74 11 8B 46 9090909090909090909090909090909090 83 C1 01 }
condition:
$a0 at pe.entry_point
}
rule AHpack01FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 60 68 54 ?????? B8 48 ?????? FF 10 68 B3 ?????? 50 B8 44 ?????? FF 10 68 00 ?????? 6A 40 FF D0 89 05 CA ?????? 89 C7 BE 00 10 ???? 60 FC B2 80 31 DB A4 B3 02 E8 6D 000000 73 F6 31 C9 E8 64 000000 73 1C 31 C0 E8 5B 000000 73 23 B3 02 41 }
condition:
$a0 at pe.entry_point
}
rule EXEStealthv274 {
meta: author="malware-lu"
strings:
$a0 = { EB 00 EB 17 53 68 61 72 65 77 61 72 65 20 2D 20 45 78 65 53 74 65 61 6C 74 68 00 60 90 E8 00000000 5D 81 ED C4 27 40 00 B9 15 000000 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 0000 B9 }
condition:
$a0
}
rule ThinstallEmbedded22X2308Jitit {
meta: author="malware-lu"
strings:
$a0 = { B8 EF BE AD DE 50 6A 00 FF 15 ???????? E9 B9 FF FF FF 8B C1 8B 4C 24 04 89 88 29 04 0000 C7 40 0C 01 000000 0F B6 49 01 D1 E9 89 48 10 C7 40 14 80 000000 C2 04 00 8B 44 24 04 C7 41 0C 01 000000 89 81 29 04 0000 0F B6 40 01 D1 E8 89 41 10 C7 41 14 80 000000 C2 04 00 55 8B EC 53 56 57 33 C0 33 FF 39 45 0C 8B F1 76 0C 8B 4D 08 03 3C 81 40 3B 45 0C 72 F4 8B CE E8 43 000000 8B 46 14 33 D2 F7 F7 8B 5E 10 33 D2 8B F8 8B C3 F7 F7 89 7E 18 89 45 0C 33 C0 33 C9 8B 55 08 03 0C 82 40 39 4D 0C 73 F4 48 8B 14 82 2B CA 0F AF CF 2B D9 0F AF FA 89 7E 14 89 5E 10 5F 5E 5B 5D C2 08 00 }
condition:
$a0 at pe.entry_point
}
rule PolyCryptorbySMTVersionv3v4 {
meta: author="malware-lu"
strings:
$a0 = { EB ?? 28 50 6F 6C 79 53 63 72 79 70 74 20 ?????? 20 62 79 20 53 4D 54 29 }
condition:
$a0 at pe.entry_point
}
rule ProtectSharewareV11eCompservCMS {
meta: author="malware-lu"
strings:
$a0 = { 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 000000 ?? 01 0000 01 00 30 00 34 00 30 00 39 00 30 00 34 00 42 00 30 000000 34 00 ?? 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00000000 }
condition:
$a0
}
rule Upackv035alphaDwing {
meta: author="malware-lu"
strings:
$a0 = { 8B F2 8B CA 03 4C 19 1C 03 54 1A 20 }
condition:
$a0
}
rule ASPackv10801AlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?????? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }
$a1 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?????? 44 ?? BB 10 ?? 44 ?? 03 DD 2B 9D }
$a2 = { 60 EB ?? 5D EB ?? FF ?????????? E9 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
}
rule ENIGMAProtectorV11SukhovVladimir {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 83 ???? 81 }
condition:
$a0 at pe.entry_point
}
rule PEncrypt20junkcode {
meta: author="malware-lu"
strings:
$a0 = { EB 25 0000 F7 BF 00000000000000000000 12 00 E8 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 0000000000 E8 00000000 5D 81 ED 2C 10 40 00 8D B5 14 10 40 00 E8 33 000000 89 85 10 10 40 00 BF 0000 40 00 8B F7 03 7F 3C 8B 4F 54 51 56 8D 85 }
condition:
$a0 at pe.entry_point
}
rule SimbiOZExtranger {
meta: author="malware-lu"
strings:
$a0 = { 50 60 E8 00000000 5D 81 ED 07 10 40 00 68 80 0B 0000 8D 85 1F 10 40 00 50 E8 84 0B 0000 }
condition:
$a0 at pe.entry_point
}
rule InnoSetupModulev304betav306v307 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 B8 53 56 57 33 C0 89 45 F0 89 45 BC 89 45 B8 E8 B3 70 FF FF E8 1A 85 FF FF E8 25 A7 FF FF E8 6C }
condition:
$a0
}
rule ASPackv107bAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 81 ED ???????? B8 ???????? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ???? 80 BD 01 DE }
condition:
$a0 at pe.entry_point
}
rule PROPACKv208emphasisonpackedsizelocked {
meta: author="malware-lu"
strings:
$a0 = { 83 EC ?? 8B EC BE ???? FC E8 ???? 05 ???? 8B C8 E8 ???? 8B }
condition:
$a0 at pe.entry_point
}
rule HACKSTOPv110p1 {
meta: author="malware-lu"
strings:
$a0 = { B4 30 CD 21 86 E0 3D 00 03 73 ?? B4 2F CD 21 B4 2A CD 21 B4 2C CD 21 B0 FF B4 4C CD 21 50 B8 ???? 58 EB }
condition:
$a0 at pe.entry_point
}
rule AdysGlue110 {
meta: author="malware-lu"
strings:
$a0 = { 2E ???????? 0E 1F BF ???? 33 DB 33 C0 AC }
condition:
$a0 at pe.entry_point
}
rule VxEddiebased1745 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E 81 EE ???? FC ?? 2E ???????? 4D 5A ???? FA ?? 8B E6 81 ?????? FB ?? 3B ?????????? 50 06 ?? 56 1E 8B FE 33 C0 ?? 50 8E D8 }
condition:
$a0 at pe.entry_point
}
rule ASDPackv10asd {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 56 53 E8 5C 01 000000000000000000000000000000 10 0000 ?????? 00000000000000 40 0000 ???? 000000000000000000 ?????? 00000000000000000000000000 ?????? 00000000000000000000 ???? 0000 10 000000 ?? 000000 ???? 0000 ???? 0000 ???? 0000 ?? 000000 ???? 0000 ?? 000000 ???? 0000 ?? 000000 ???? 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 5B 81 EB E6 1D 40 00 83 7D 0C 01 75 11 55 E8 4F 01 0000 E8 6A 01 0000 5D E8 2C 000000 8B B3 1A 1E 40 00 03 B3 FA 1D 40 00 8B 76 0C AD 0B C0 74 0D FF 75 10 FF 75 0C FF 75 08 FF D0 EB EE B8 01 000000 5B 5E C9 C2 0C 00 55 6A 00 FF 93 20 21 40 00 89 83 FA 1D 40 00 6A 40 68 00 10 0000 FF B3 02 1E 40 00 6A 00 FF 93 2C 21 40 00 89 83 06 1E 40 00 8B 83 F2 1D 40 00 03 83 FA 1D 40 00 50 FF B3 06 1E 40 00 50 E8 6D 01 0000 5F }
condition:
$a0
}
rule ORiENV1XV2XFisunAV {
meta: author="malware-lu"
strings:
$a0 = { 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F 74 65 63 74 69 6F 6E 20 73 79 73 74 65 6D }
condition:
$a0
}
rule StonesPEEncryptorv113 {
meta: author="malware-lu"
strings:
$a0 = { 55 57 56 52 51 53 E8 ???????? 5D 8B D5 81 ED 97 3B 40 ?? 2B 95 2D 3C 40 ?? 83 EA 0B 89 95 36 3C 40 ?? 01 95 24 3C 40 ?? 01 95 28 }
condition:
$a0 at pe.entry_point
}
rule WWPACKv302v302aExtractable {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 33 C9 B1 ?? 51 06 06 BB ???? 53 8C D3 }
condition:
$a0 at pe.entry_point
}
rule ARMProtector03bySMoKE {
meta: author="malware-lu"
strings:
$a0 = { E8 04 000000 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00000000 5D EB 01 00 81 ED 13 24 40 00 EB 02 83 09 8D B5 A4 24 40 00 EB 02 83 09 BA 4B 15 0000 EB 01 00 8D 8D EF 39 40 00 8B 09 E8 14 000000 83 EB 01 00 8B FE E8 00000000 58 83 C0 07 50 C3 00 EB 04 58 40 50 C3 8A 06 46 EB 01 00 D0 C8 E8 14 000000 83 EB 01 00 2A C2 E8 00000000 5B 83 C3 07 53 C3 00 EB 04 5B 43 53 C3 EB 01 00 32 C2 E8 0B 00000000 32 C1 EB 01 00 C0 C0 02 EB 09 2A C2 5B EB 01 00 43 53 C3 88 07 EB 01 00 47 4A 75 B4 }
condition:
$a0
}
rule VxSlowload {
meta: author="malware-lu"
strings:
$a0 = { 03 D6 B4 40 CD 21 B8 02 42 33 D2 33 C9 CD 21 8B D6 B9 78 01 }
condition:
$a0 at pe.entry_point
}
rule AntiDote10BetaSISTeam {
meta: author="malware-lu"
strings:
$a0 = { E8 BB FF FF FF 84 C0 74 2F 68 04 01 0000 68 C0 23 60 00 6A 00 FF 15 08 10 60 00 E8 40 FF FF FF 50 68 78 11 60 00 68 68 11 60 00 68 C0 23 60 00 E8 AB FD FF FF 83 C4 10 33 C0 C2 10 00 909090 8B 4C 24 08 56 8B 74 24 08 33 D2 8B C6 F7 F1 8B C6 85 D2 74 08 33 D2 F7 F1 40 0F AF C1 5E C3 90 8B 44 24 04 53 55 56 8B 48 3C 57 03 C8 33 D2 8B 79 54 8B 71 38 8B C7 F7 F6 85 D2 74 0C 8B C7 33 D2 F7 F6 8B F8 47 0F AF FE 33 C0 33 DB 66 8B 41 14 8D 54 08 18 33 C0 66 8B 41 06 89 54 24 14 8D 68 FF 85 ED 7C 37 33 C0 }
condition:
$a0 at pe.entry_point
}
rule DzAPatcherv13Loader {
meta: author="malware-lu"
strings:
$a0 = { BF 00 40 40 00 99 68 48 20 40 00 68 00 20 40 00 52 52 52 52 52 52 52 57 E8 15 01 0000 85 C0 75 1C 99 52 52 57 52 E8 CB 000000 FF 35 4C 20 40 00 E8 D2 000000 6A 00 E8 BF 000000 99 68 58 20 40 00 52 52 68 63 10 40 00 52 52 E8 DB 000000 6A FF FF 35 }
condition:
$a0
}
rule CDSSS10beta1CyberDoom {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 0000 0B C0 0F 84 13 03 0000 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 000000 EB 12 64 A1 30 000000 0F B6 40 02 0A C0 0F 85 E8 02 0000 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 0000 0B C0 0F 84 CE 02 0000 E8 1E 03 0000 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8 4E 40 00 E8 D7 03 0000 0B C0 0F 84 A9 02 0000 E8 F9 02 0000 89 85 94 4E 40 00 8D 85 12 4D 40 00 50 }
condition:
$a0 at pe.entry_point
}
rule y0dasCrypterv10 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED E7 1A 40 00 E8 A1 000000 E8 D1 000000 E8 85 01 0000 F7 85 }
condition:
$a0 at pe.entry_point
}
rule y0dasCrypterv11 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 8A 1C 40 00 B9 9E 000000 8D BD 4C 23 40 00 8B F7 33 }
condition:
$a0 at pe.entry_point
}
rule NullsoftPiMPInstallSystemv1x {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 0C 53 56 57 FF 15 ???? 40 00 05 E8 03 0000 BE ?????? 00 89 44 24 10 B3 20 FF 15 28 ?? 40 00 68 00 04 0000 FF 15 ???? 40 00 50 56 FF 15 ???? 40 00 80 3D ?????? 00 22 75 08 80 C3 02 BE ?????? 00 8A 06 8B 3D ???? 40 00 84 C0 74 ?? 3A C3 74 }
condition:
$a0
}
rule ExeBundlev30smallloader {
meta: author="malware-lu"
strings:
$a0 = { 00000000 60 BE 00 F0 40 00 8D BE 00 20 FF FF 57 83 CD FF EB 10 909090909090 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 }
condition:
$a0 at pe.entry_point
}
rule UPXAlternativestub {
meta: author="malware-lu"
strings:
$a0 = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 000000 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B }
condition:
$a0 at pe.entry_point
}
rule EmbedPE113cyclotron {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 50 60 68 5D B9 52 5A E8 2F 99 0000 DC 99 F3 57 05 68 B8 5E 2D C6 DA FD 48 63 05 3C 71 B8 5E 97 7C 36 7E 32 7C 08 4F 06 51 64 10 A3 F1 4E CF 25 CB 80 D2 99 54 46 ED E1 D3 46 86 2D 10 68 93 83 5C 46 4D 43 9B 8C D6 7C BB 99 69 97 71 2A 2F A3 38 6B 33 }
condition:
$a0 at pe.entry_point
}
rule EXECryptor2223protectedIAT {
meta: author="malware-lu"
strings:
$a0 = { CC ?????? 00000000 FF FF FF FF 3C ?????? B4 ?????? 08 ?????? 00000000 FF FF FF FF E8 ?????? 04 ?????? 0000000000000000000000000000000000000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000000000 45 78 69 74 50 72 6F 63 65 73 73 0000000000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00000000 56 69 72 74 75 61 6C 46 72 65 65 000000 ???????????????????????????????????????????????? 4C ?????? 60 ?????? 70 ?????? 84 ?????? 94 ?????? A4 ?????? 00000000 75 73 65 72 33 32 2E 64 6C 6C 00000000 4D 65 73 73 61 67 65 42 6F 78 }
condition:
$a0
}
rule PseudoSigner01Armadillo300Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 2A 000000 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB 85 E9 }
condition:
$a0 at pe.entry_point
}
rule EXECryptorvxxxx {
meta: author="malware-lu"
strings:
$a0 = { E8 24 ?????? 8B 4C 24 0C C7 01 17 ?? 01 ?? C7 81 B8 ?????????????? 31 C0 89 41 }
condition:
$a0 at pe.entry_point
}
rule Morphinev33SilentSoftwareSilentShieldc2005 {
meta: author="malware-lu"
strings:
$a0 = { 28 ?????? 0000000000000000 40 ?????? 34 ?????? 0000000000000000000000000000000000000000 4C ?????? 5C ?????? 00000000 4C ?????? 5C ?????? 00000000 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 0000 47 65 74 50 72 6F 63 }
$a1 = { 28 ?????? 0000000000000000 40 ?????? 34 ?????? 0000000000000000000000000000000000000000 4C ?????? 5C ?????? 00000000 4C ?????? 5C ?????? 00000000 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 0000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 0000 4C 6F 61 64 4C 69 62 72 61 72 79 41 }
condition:
$a0 or $a1
}
rule DEF10bartxt {
meta: author="malware-lu"
strings:
$a0 = { BE ???? 40 00 6A ?? 59 80 7E 07 00 74 11 8B 46 0C 05 0000 40 00 8B 56 10 30 10 40 4A 75 FA 83 C6 28 E2 E4 68 ???? 40 00 C3 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 }
condition:
$a0 at pe.entry_point
}
rule PECompactv0971v0976 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 C3 9C 60 E8 5D 55 5B 81 ED 8B 85 01 85 66 C7 85 }
condition:
$a0 at pe.entry_point
}
rule PCShrinkv040b {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 BD ???????? 01 ?????????? FF ?????????? 6A ?? FF ?????????? 50 50 2D }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakePECrypt102emadicius {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5B 83 EB 05 EB 04 52 4E 44 21 85 C0 73 02 F7 05 50 E8 08 000000 EA FF 58 EB 18 EB 01 0F EB 02 CD 20 EB 03 EA CD 20 58 58 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule ORiENv211212FisunAlexander {
meta: author="malware-lu"
strings:
$a0 = { E9 5D 01 0000 CE D1 CE ?? 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 4E 20 65 78 65 63 75 74 61 62 6C 65 20 66 69 6C 65 73 20 70 72 6F }
condition:
$a0 at pe.entry_point
}
rule StonesPEEncruptorv113 {
meta: author="malware-lu"
strings:
$a0 = { 55 57 56 52 51 53 E8 ???????? 5D 8B D5 81 }
condition:
$a0 at pe.entry_point
}
rule ASProtectv11MTEc {
meta: author="malware-lu"
strings:
$a0 = { 90 60 E8 1B ?????? E9 FC }
condition:
$a0 at pe.entry_point
}
rule CreateInstallStubvxx {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 20 02 0000 53 56 57 6A 00 FF 15 18 61 40 00 68 00 70 40 00 89 45 08 FF 15 14 61 40 00 85 C0 74 27 6A 00 A1 00 20 40 00 50 FF 15 3C 61 40 00 8B F0 6A 06 56 FF 15 38 61 40 00 6A 03 56 FF 15 38 61 40 00 E9 36 03 0000 68 02 7F 0000 33 F6 56 }
condition:
$a0 at pe.entry_point
}
rule WinZip32bitSFXv8xmodule {
meta: author="malware-lu"
strings:
$a0 = { 53 FF 15 ?????? 00 B3 22 38 18 74 03 80 C3 FE 8A 48 01 40 33 D2 3A CA 74 0A 3A CB 74 06 8A 48 01 40 EB F2 38 10 74 01 40 ???????? FF 15 }
condition:
$a0 at pe.entry_point
}
rule Upxv12MarcusLazlo {
meta: author="malware-lu"
strings:
$a0 = { 60 BE ???????? 8D BE ???????? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83 }
condition:
$a0 at pe.entry_point
}
rule PEPACKv10byANAKiN1998 {
meta: author="malware-lu"
strings:
$a0 = { 74 ?? E9 ???????? 00000000 }
condition:
$a0 at pe.entry_point
}
rule NeoLitev20 {
meta: author="malware-lu"
strings:
$a0 = { E9 ???????????????????????????????????????????????????????? 4E 65 6F 4C 69 74 65 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakeSpalsher1x3xFEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 9C 60 8B 44 24 24 E8 00000000 5D 81 ED 00000000 50 E8 ED 02 0000 8C C0 0F 84 }
condition:
$a0 at pe.entry_point
}
rule ASPackv10803AlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }
$a1 = { 60 E8 00000000 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 0000 89 9D BB 4E }
$a2 = { 60 E8 00000000 5D ???????????? BB ???????? 03 DD }
$a3 = { 60 E8 00000000 5D ???????????? BB ???????? 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 0000 89 9D BB 4E }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point or $a3 at pe.entry_point
}
rule VMProtect07x08PolyTech {
meta: author="malware-lu"
strings:
$a0 = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 76 20 30 2E 38 20 28 43 29 20 50 6F 6C 79 54 65 63 68 20 5D }
condition:
$a0
}
rule ExeShieldProtectorV36wwwexeshieldcom {
meta: author="malware-lu"
strings:
$a0 = { B8 ?????? 00 50 64 FF 35 00000000 64 89 25 00000000 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC }
condition:
$a0 at pe.entry_point
}
rule WerusCrypter10Kas {
meta: author="malware-lu"
strings:
$a0 = { 68 98 11 40 00 6A 00 E8 50 000000 C9 C3 ED B3 FE FF FF 6A 00 E8 0C 000000 FF 25 80 10 40 00 FF 25 84 10 40 00 FF 25 88 10 40 00 FF 25 8C 10 40 00 FF 25 90 10 40 00 FF 25 94 10 40 00 FF 25 98 10 40 00 FF 25 9C 10 40 00 FF 25 A0 10 40 00 FF 25 A4 10 40 00 FF 25 A8 10 40 00 FF 25 B0 10 40 0000000000000000000000000000000000000000000000000000000000000000000000 BB E8 12 40 00 80 33 05 E9 7D FF FF FF }
condition:
$a0
}
rule Themida10xx1800compressedengineOreansTechnologies {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 60 0B C0 74 58 E8 00000000 58 05 43 000000 80 38 E9 75 03 61 EB 35 E8 00000000 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 0000 83 C3 67 39 1A 74 07 2D 00 10 0000 EB DA 8B F8 B8 }
$a1 = { B8 ???????? 60 0B C0 74 58 E8 00000000 58 05 43 000000 80 38 E9 75 03 61 EB 35 E8 00000000 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 0000 83 C3 67 39 1A 74 07 2D 00 10 0000 EB DA 8B F8 B8 ???????? 03 C7 B9 5A ?????? 03 CF EB 0A B8 ???????? B9 5A ?????? 50 51 E8 84 000000 E8 00000000 58 2D 26 000000 B9 EF 01 0000 C6 00 E9 83 E9 05 89 48 01 61 E9 AF 01 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule CHECKPRGc1992 {
meta: author="malware-lu"
strings:
$a0 = { 33 C0 BE ???? 8B D8 B9 ???? BF ???? BA ???? 47 4A 74 }
condition:
$a0 at pe.entry_point
}
rule eXPressor11CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { E9 ???? 0000 E9 ???? 0000 E9 ?? 12 0000 E9 ?? 0C 0000 E9 ???? 0000 E9 ???? 0000 E9 ???? 0000 }
condition:
$a0 at pe.entry_point
}
rule VxEddie1028 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E FC 83 ???? 81 ?????? 4D 5A ???? FA 8B E6 81 C4 ???? FB 3B ?????????? 50 06 56 1E B8 FE 4B CD 21 81 FF BB 55 ???? 07 ?????? 07 B4 49 CD 21 BB FF FF B4 48 CD 21 }
condition:
$a0 at pe.entry_point
}
rule PEQuakev006byfORGAT {
meta: author="malware-lu"
strings:
$a0 = { E8 A5 000000 2D ?? 00000000000000000000 3D ?? 0000 2D ?? 00000000000000000000000000000000000000000000 4A ?? 0000 5B ?? 0000 6E ?? 000000000000 6B 45 72 4E 65 4C 33 32 2E 64 4C 6C 000000 47 65 74 50 72 6F 63 41 64 }
condition:
$a0
}
rule LTCv13 {
meta: author="malware-lu"
strings:
$a0 = { 54 E8 00000000 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 }
condition:
$a0 at pe.entry_point
}
rule tElockv071b7 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 48 11 0000 C3 83 }
condition:
$a0 at pe.entry_point
}
rule tElockv071b2 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 44 11 0000 C3 83 }
condition:
$a0 at pe.entry_point
}
rule UnknownJoinersignfrompinch260320070212 {
meta: author="malware-lu"
strings:
$a0 = { 44 90 4C 90 B9 DE 000000 BA 00 10 40 00 83 C2 03 44 90 4C B9 07 000000 44 90 4C 33 C9 C7 05 08 30 40 0000000000 90 68 00 01 0000 68 21 30 40 00 6A 00 E8 C5 02 0000 90 6A 00 68 80 }
condition:
$a0 at pe.entry_point
}
rule DIETv100v100d {
meta: author="malware-lu"
strings:
$a0 = { BF ???? 3B FC 72 ?? B4 4C CD 21 BE ???? B9 ???? FD F3 A5 FC }
condition:
$a0 at pe.entry_point
}
rule APEX_CBLTApex40500mhz {
meta: author="malware-lu"
strings:
$a0 = { 68 ???????? B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 000000 8B 34 24 80 36 FD 46 E2 FA C3 }
condition:
$a0 at pe.entry_point
}
rule StealthPEv11 {
meta: author="malware-lu"
strings:
$a0 = { BA ?????? 00 FF E2 BA ?????? 00 B8 ???????? 89 02 83 C2 03 B8 ???????? 89 02 83 C2 FD FF E2 }
condition:
$a0 at pe.entry_point
}
rule RLPackFullEdition117DLLAp0x {
meta: author="malware-lu"
strings:
$a0 = { 80 7C 24 08 01 0F 85 ???????? 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 ???????? 8D 9D ???????? 33 FF E8 }
condition:
$a0 at pe.entry_point
}
rule Anti007V26LiuXingPing {
meta: author="malware-lu"
strings:
$a0 = { 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 000000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 000000 56 69 72 74 75 61 6C 46 72 65 65 000000 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 000000 43 72 65 61 74 65 46 69 6C 65 41 000000 57 72 69 74 65 46 69 6C 65 000000 43 6C 6F 73 65 48 61 6E 64 6C 65 000000 45 78 69 74 50 72 6F 63 65 73 73 0000 }
condition:
$a0
}
rule AppEncryptorSilentTeam {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 1F 1F 40 00 B9 7B 09 0000 8D BD 67 1F 40 00 8B F7 AC }
condition:
$a0 at pe.entry_point
}
rule VirogenCryptv075 {
meta: author="malware-lu"
strings:
$a0 = { 9C 55 E8 EC 000000 87 D5 5D 60 87 D5 80 BD 15 27 40 00 01 }
condition:
$a0 at pe.entry_point
}
rule Armadillov300a {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 50 51 EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 59 58 50 51 EB }
condition:
$a0 at pe.entry_point
}
rule WWPACKv300v301Extractable {
meta: author="malware-lu"
strings:
$a0 = { B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 6A ?? 06 06 8C D3 83 ???? 53 6A ?? FC }
condition:
$a0 at pe.entry_point
}
rule VxUddy2617 {
meta: author="malware-lu"
strings:
$a0 = { 2E ?????????? 2E ?????????? 2E ?????? 8C C8 8E D8 8C ?????? 2B ?????? 03 ?????? A3 ???? A1 ???? A3 ???? A1 ???? A3 ???? 8C C8 2B ?????? 03 ?????? A3 ???? B8 AB 9C CD 2F 3D 76 98 }
condition:
$a0 at pe.entry_point
}
rule PLINK8619841985 {
meta: author="malware-lu"
strings:
$a0 = { FA 8C C7 8C D6 8B CC BA ???? 8E C2 26 }
condition:
$a0 at pe.entry_point
}
rule ASPackv10804AlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 41 06 0000 EB 41 }
condition:
$a0 at pe.entry_point
}
rule aPackv098m {
meta: author="malware-lu"
strings:
$a0 = { 1E 06 8C C8 8E D8 05 ???? 8E C0 50 BE ???? 33 FF FC B2 ?? BD ???? 33 C9 50 A4 BB ???? 3B F3 76 }
condition:
$a0
}
rule BamBamv001Bedrock {
meta: author="malware-lu"
strings:
$a0 = { 6A 14 E8 9A 05 0000 8B D8 53 68 FB ???? 00 E8 6C FD FF FF B9 05 000000 8B F3 BF FB ???? 00 53 F3 A5 E8 8D 05 0000 8B 3D 03 ???? 00 A1 2B ???? 00 66 8B 15 2F ???? 00 B9 80 ???? 00 2B CF 89 45 E8 89 0D 6B ???? 00 66 89 55 EC 8B 41 3C 33 D2 03 C1 }
condition:
$a0
}
rule PESHiELDv02v02bv02b2 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
condition:
$a0 at pe.entry_point
}
rule EXEStealthv27 {
meta: author="malware-lu"
strings:
$a0 = { EB 00 60 EB 00 E8 00000000 5D 81 ED D3 26 40 }
condition:
$a0 at pe.entry_point
}
rule EXEStealthv25 {
meta: author="malware-lu"
strings:
$a0 = { 60 90 EB 22 45 78 65 53 74 65 61 6C 74 68 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D E8 00000000 5D 81 ED 40 1E 40 00 B9 99 09 0000 8D BD 88 1E 40 00 8B F7 AC }
condition:
$a0
}
rule VxHaryanto {
meta: author="malware-lu"
strings:
$a0 = { 81 EB 2A 01 8B 0F 1E 5B 03 CB 0E 51 B9 10 01 51 CB }
condition:
$a0 at pe.entry_point
}
rule ASPRStripperv2xunpacked {
meta: author="malware-lu"
strings:
$a0 = { BB ???????? E9 ???????? 60 9C FC BF ???????? B9 ???????? F3 AA 9D 61 C3 55 8B EC }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01UPX06Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 58 83 E8 3D 50 8D B8 000000 FF 57 8D B0 E8 000000 E9 }
condition:
$a0 at pe.entry_point
}
rule Shrinker33 {
meta: author="malware-lu"
strings:
$a0 = { 0000 55 8B EC 56 57 75 65 68 00 01 0000 E8 }
condition:
$a0
}
rule Shrinker32 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 56 57 75 65 68 00 01 0000 E8 F1 E6 FF FF 83 C4 04 }
condition:
$a0
}
rule Shrinker34 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 56 57 75 6B 68 00 01 0000 E8 11 0B 0000 83 C4 04 }
condition:
$a0
}
rule PESPinv13Cyberbob {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 0000 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
condition:
$a0 at pe.entry_point
}
rule PECompactv160v165 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 80 40 ?? 87 DD 8B 85 D2 80 40 ?? 01 85 33 80 40 ?? 66 C7 85 ?? 80 40 ?? 9090 01 85 CE 80 40 ?? BB BB 12 }
condition:
$a0 at pe.entry_point
}
rule eXPressorv120b {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC D4 01 0000 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 32 2E 2E B8 ?????? 00 2B 05 84 ???? 00 A3 ?????? 00 83 3D ?????? 0000 74 16 A1 ?????? 00 03 05 80 ???? 00 89 85 54 FE FF FF E9 ?? 07 0000 C7 05 ?????? 00 01 000000 68 04 }
condition:
$a0
}
rule EPWv12 {
meta: author="malware-lu"
strings:
$a0 = { 06 57 1E 56 55 52 51 53 50 2E ???????? 8C C0 05 ???? 2E ?????? 8E D8 A1 ???? 2E }
condition:
$a0 at pe.entry_point
}
rule ASProtectv12x {
meta: author="malware-lu"
strings:
$a0 = { 0000 68 01 ?????? C3 AA }
condition:
$a0 at pe.entry_point
}
rule Packanoidv1Arkanoid {
meta: author="malware-lu"
strings:
$a0 = { BF ???????? BE ???????? E8 9D 000000 B8 ???????? 8B 30 8B 78 04 BB ???????? 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 }
condition:
$a0 at pe.entry_point
}
rule EscargotV01Meat {
meta: author="malware-lu"
strings:
$a0 = { EB 04 40 30 2E 31 60 68 61 }
condition:
$a0 at pe.entry_point
}
rule SCObfuscatorSuperCRacker {
meta: author="malware-lu"
strings:
$a0 = { 60 33 C9 8B 1D 00 ?????? 03 1D 08 ?????? 8A 04 19 84 C0 74 09 3C ?? 74 05 34 ?? 88 04 19 41 3B 0D 04 ?????? 75 E7 A1 08 ?????? 01 05 0C ?????? 61 FF 25 0C }
condition:
$a0
}
rule EXEStealth275WebtoolMaster {
meta: author="malware-lu"
strings:
$a0 = { 90 60 90 E8 00000000 5D 81 ED D1 27 40 00 B9 15 000000 }
condition:
$a0 at pe.entry_point
}
rule PasswordProtectorcMiniSoft1992 {
meta: author="malware-lu"
strings:
$a0 = { 06 0E 0E 07 1F E8 0000 5B 83 EB 08 BA 27 01 03 D3 E8 3C 02 BA EA }
condition:
$a0 at pe.entry_point
}
rule VxEddie2000 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E 81 EE ???? FC 2E ???????? 2E ???????? 4D 5A ???? FA 8B E6 81 C4 ???? FB 3B ?????????? 50 06 56 1E 8B FE 33 C0 50 8E D8 C5 ?????? B4 30 CD 21 }
condition:
$a0 at pe.entry_point
}
rule VideoLanClientUnknownCompiler {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 08 ?????????????????????????????? FF FF ?????????????????????????????????????? 00 ?????????????? 00 }
condition:
$a0 at pe.entry_point
}
rule eXPressorv14CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 EC ?? 53 56 57 EB 0C 45 78 50 72 2D 76 2E 31 2E 34 2E 2E B8 }
$a1 = { 65 58 50 72 2D 76 2E 31 2E 34 2E }
condition:
$a0 at pe.entry_point or $a1
}
rule SkDUndetectablerPro20NoUPXMethodSkD {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD FF FF E8 BB ED FF FF 8D 40 }
condition:
$a0 at pe.entry_point
}
rule RJcrushv100 {
meta: author="malware-lu"
strings:
$a0 = { 06 FC 8C C8 BA ???? 03 D0 52 BA ???? 52 BA ???? 03 C2 8B D8 05 ???? 8E DB 8E C0 33 F6 33 FF B9 }
condition:
$a0 at pe.entry_point
}
rule ExeShieldv27 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 F4 86 06 00 C3 9C 60 E8 02 0000 }
condition:
$a0 at pe.entry_point
}
rule ExeShieldv29 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 0B 20 40 00 B9 EB 08 0000 8D BD 53 20 40 00 8B F7 AC ?????? F8 }
condition:
$a0 at pe.entry_point
}
rule PEiDBundlev102v103BoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 9C 000000000000000000000000000000 36 ?????? 2E ?????? 0000000000000000000000000000000000000000 01 0000 80 00000000 4B 65 72 6E 65 6C 33 32 2E 44 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtMicrosoftVisualC5060 {
meta: author="malware-lu"
strings:
$a0 = { 33 D2 0F BE D2 EB 01 C7 EB 01 D8 8D 05 80 ?????? EB 02 CD 20 EB 01 F8 BE F4 000000 EB }
condition:
$a0 at pe.entry_point
}
rule PUNiSHERV15FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 3F 0000 80 66 20 ?? 00 7E 20 ?? 00 92 20 ?? 00 A4 20 ?? 0000000000 4B 45 52 4E 45 4C 33 32 }
condition:
$a0
}
rule ExcaliburV103forgot {
meta: author="malware-lu"
strings:
$a0 = { E9 00000000 60 E8 14 000000 5D 81 ED 00000000 6A 45 E8 A3 000000 68 00000000 E8 58 61 EB 39 }
condition:
$a0 at pe.entry_point
}
rule RLPack10betaap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 0000 8D 9D 13 01 0000 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 0000 68 ???????? 6A 00 FF 95 F9 01 0000 89 85 48 02 0000 5B FF B5 }
$a1 = { 60 E8 00000000 8D 64 24 04 8B 6C 24 FC 8D B5 4C 02 0000 8D 9D 13 01 0000 33 FF EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 8D 74 37 04 53 6A 40 68 00 10 0000 68 ???????? 6A 00 FF 95 F9 01 0000 89 85 48 02 0000 5B FF B5 48 02 0000 56 FF D3 83 C4 08 8B B5 48 02 0000 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 83 C0 04 89 85 44 02 0000 EB 7A 56 FF 95 F1 01 0000 89 85 40 02 0000 8B C6 EB 4F 8B 85 44 02 0000 8B 00 A9 000000 80 74 14 35 000000 80 50 8B 85 44 02 0000 C7 00 20 20 20 00 EB 06 FF B5 44 02 0000 FF B5 40 02 0000 FF 95 F5 01 0000 89 07 83 C7 04 8B 85 44 02 0000 EB 01 40 80 38 00 75 FA 40 89 85 44 02 0000 80 38 00 75 AC EB 01 46 80 3E 00 75 FA 46 40 8B 38 83 C0 04 89 85 44 02 0000 80 3E 01 75 81 68 00 40 0000 68 ???????? FF B5 48 02 0000 FF 95 FD 01 0000 61 68 ???????? C3 60 8B 74 24 24 8B 7C }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule nMacrorecorder10 {
meta: author="malware-lu"
strings:
$a0 = { 5C 6E 6D 72 5F 74 65 6D 70 2E 6E 6D 72 000000 72 62 0000 58 C7 41 00 10 F8 41 00 11 01 000000000000 46 E1 0000 46 E1 0000 35 000000 F6 88 41 00 }
condition:
$a0
}
rule PrivateEXEv20a {
meta: author="malware-lu"
strings:
$a0 = { 53 E8 00000000 5B 8B C3 2D }
$a1 = { 06 60 C8 ?????? 0E 68 ???? 9A ???????? 3D ???? 0F ?????? 50 50 0E 68 ???? 9A ???????? 0E }
$a2 = { 53 E8 ???????? 5B 8B C3 2D ???????? 50 81 ?????????? 8B }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
}
rule PackmanV10BrandonLaCombe {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5B 8D 5B C6 01 1B 8B 13 8D 73 14 6A 08 59 01 16 AD 49 75 FA }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01PEX099Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 01 000000 55 83 C4 04 E8 01 000000 90 5D 81 FF FF FF 00 01 E9 }
condition:
$a0 at pe.entry_point
}
rule PAKSFXArchive {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 ???? A1 ???? 2E ?????? 2E ?????????? 8C D7 8E C7 8D ???? BE ???? FC AC 3C 0D }
condition:
$a0 at pe.entry_point
}
rule ASPackv2xxAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { A8 03 0000 61 75 08 B8 01 000000 C2 0C 00 68 00000000 C3 8B 85 26 04 0000 8D 8D 3B 04 0000 51 50 FF 95 }
$a1 = { A8 03 ???? 61 75 08 B8 01 ?????? C2 0C ?? 68 ???????? C3 8B 85 26 04 ???? 8D 8D 3B 04 ???? 51 50 FF 95 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule SimbiOZ13Extranger {
meta: author="malware-lu"
strings:
$a0 = { 57 57 8D 7C 24 04 50 B8 00 ?????? AB 58 5F C3 }
condition:
$a0 at pe.entry_point
}
rule muckisprotectorImucki {
meta: author="malware-lu"
strings:
$a0 = { BE ???????? B9 ???????? 8A 06 F6 D0 88 06 46 E2 F7 E9 }
condition:
$a0 at pe.entry_point
}
rule Obsidium1339ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 29 000000 EB 03 ?????? EB 01 ?? 8B 54 24 0C EB 04 ???????? 83 82 B8 000000 28 EB 02 ???? 33 C0 EB 02 ???? C3 EB 03 ?????? EB 04 ???????? 64 67 FF 36 0000 EB 03 ?????? 64 67 89 26 0000 EB 01 ?? EB 01 ?? 50 EB 03 ?????? 33 C0 EB 03 ?????? 8B 00 EB 04 ???????? C3 EB 04 ???????? E9 FA 000000 EB 03 ?????? E8 D5 FF FF FF EB 02 ???? EB 04 ???????? 58 EB 03 ?????? EB 04 ???????? 64 67 8F 06 0000 EB 03 ?????? 83 C4 04 EB 04 ???????? E8 CF 27 0000 }
condition:
$a0 at pe.entry_point
}
rule LOCK98V10028keenvim {
meta: author="malware-lu"
strings:
$a0 = { 55 E8 00000000 5D 81 ?????????? EB 05 E9 ???????? EB 08 }
condition:
$a0 at pe.entry_point
}
rule iPBProtectv013 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 4B 43 55 46 68 54 49 48 53 64 A1 00000000 50 64 89 25 00000000 83 EC 68 53 56 57 89 65 FA 33 DB 89 5D F8 6A 02 EB 01 F8 58 5F 5E 5B 64 8B 25 00000000 64 8F 05 00000000 58 58 58 5D 68 9F 6F 56 B6 50 E8 5D 000000 EB FF 71 78 }
condition:
$a0
}
rule PrivateEXEProtector197SetiSoft {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F4 FC 53 57 56 8B 74 24 20 8B 7C 24 24 66 81 3E 4A 43 0F 85 A5 02 0000 83 C6 0A 33 DB BA 000000 80 C7 44 24 14 08 000000 43 8D A4 24 00000000 8B FF 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 2C 8B 4C 24 10 33 C0 8D A4 24 00000000 05 00000000 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 02 44 24 0C 88 07 47 EB C6 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 82 6E 01 0000 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 0F 83 DC 000000 B9 04 000000 33 C0 8D A4 24 00000000 8D 64 24 00 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 48 74 B1 0F 89 EF 01 0000 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 73 42 BD 00 01 0000 B9 08 000000 33 C0 8D A4 24 00000000 05 00000000 03 D2 75 08 8B 16 83 C6 04 F9 13 D2 13 C0 49 75 EF 88 07 47 4D 75 D6 }
condition:
$a0
}
rule ASPackv21AlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 72 05 0000 EB 33 87 DB 90 00 }
condition:
$a0 at pe.entry_point
}
rule ASPackv103bAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }
condition:
$a0 at pe.entry_point
}
rule FSGv20 {
meta: author="malware-lu"
strings:
$a0 = { 87 25 ???????? 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 }
condition:
$a0
}
rule PseudoSigner01PEIntro10Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 8B 04 24 9C 60 E8 14 000000 5D 81 ED 0A 45 40 90 80 BD 67 44 40 9090 0F 85 48 FF ED 0A E9 }
condition:
$a0 at pe.entry_point
}
rule tElockv099SpecialBuildheXerforgot {
meta: author="malware-lu"
strings:
$a0 = { E9 5E DF FF FF 000000 ???????? E5 ???? 000000000000000000 05 ???? 00 F5 ???? 00 ED ???? 000000000000000000 12 ???? 00 FD ???? 000000000000000000000000000000000000000000 1D ???? 0000000000 30 ???? 0000 }
$a1 = { E9 5E DF FF FF 000000 ???????? E5 ???? 000000000000000000 05 ???? 00 F5 ???? 00 ED ???? 000000000000000000 12 ???? 00 FD ???? 000000000000000000000000000000000000000000 1D ???? 0000000000 30 ???? 0000000000 1D ???? 0000000000 30 ???? 0000000000 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule VxBackfont900 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? B4 30 CD 21 3C 03 ???? B8 ???? BA ???? CD 21 81 FA ???????? BA ???? 8C C0 48 8E C0 8E D8 80 ?????? 5A ???? 03 ?????? 40 8E D8 80 ?????? 5A ???? 83 }
condition:
$a0 at pe.entry_point
}
rule CrunchPEv20xx {
meta: author="malware-lu"
strings:
$a0 = { 55 E8 ???????? 5D 83 ED 06 8B C5 55 60 89 AD ???????? 2B 85 ???????? 89 85 ???????? 55 BB ???????? 03 DD 53 64 67 FF 36 ???? 64 67 89 26 }
condition:
$a0 at pe.entry_point
}
rule Litev003a {
meta: author="malware-lu"
strings:
$a0 = { 60 06 FC 1E 07 BE ???????? 6A 04 68 ?? 10 ???? 68 }
condition:
$a0 at pe.entry_point
}
rule SimplePack1XMethod2bagie {
meta: author="malware-lu"
strings:
$a0 = { 4D 5A 90 EB 01 00 52 E9 ?? 01 0000 50 45 0000 4C 01 02 00000000000000000000000000 E0 00 0F 03 0B 01 00000000000000000000000000000000000000000000 0C 00000000 ?????? 00 10 000000 02 0000 01 00000000000000 04 00000000000000 }
condition:
$a0
}
rule PEncryptv10 {
meta: author="malware-lu"
strings:
$a0 = { 60 9C BE 00 10 40 00 8B FE B9 28 03 0000 BB 78 56 34 12 AD 33 C3 AB E2 FA 9D 61 }
condition:
$a0 at pe.entry_point
}
rule BJFntv12RC {
meta: author="malware-lu"
strings:
$a0 = { EB 02 69 B1 83 EC 04 EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB }
condition:
$a0 at pe.entry_point
}
rule FishPEShield112116HellFish {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 BD FE FF FF 89 45 DC E8 E1 FD FF FF 8B 00 03 45 DC 89 45 E4 E8 DC FE FF FF 8B D8 BA 8E 4E 0E EC 8B C3 E8 2E FF FF FF 89 45 F4 BA 04 49 32 D3 8B C3 E8 1F FF FF FF 89 45 F8 BA 54 CA AF 91 8B C3 E8 10 FF FF FF 89 45 F0 BA AC 33 06 03 8B C3 E8 01 FF FF FF 89 45 EC BA 1B C6 46 79 8B C3 E8 F2 FE FF FF 89 45 E8 BA AA FC 0D 7C 8B C3 E8 E3 FE FF FF 89 45 FC 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B }
$a1 = { 60 E8 EA FD FF FF FF D0 C3 8D 40 00 ?? 000000 2C 000000 ?????? 00 ???? 0000 ?????? 0000 ???? 00 ?????? 00 ?????? 00 ?? 00000000 ???? 00 ???? 0000 ?? 00000000 ???? 0000 10 0000 ?????? 00 40 ?????? 0000 ???? 0000 ???? 00 ?????? 00 40 ?????? 0000 ?? 000000 ???? 00 ???? 0000 40 }
condition:
$a0 or $a1 at pe.entry_point
}
rule CodeCryptv016bv0163b {
meta: author="malware-lu"
strings:
$a0 = { E9 2E 03 0000 EB 02 83 3D 58 EB 02 FF 1D 5B EB 02 0F C7 5F }
condition:
$a0 at pe.entry_point
}
rule VOBProtectCD {
meta: author="malware-lu"
strings:
$a0 = { 5F 81 EF ???????? BE ???? 40 ?? 8B 87 ???????? 03 C6 57 56 8C A7 ???????? FF 10 89 87 ???????? 5E 5F }
condition:
$a0 at pe.entry_point
}
rule diProtectorV1XdiProtectorSoftware {
meta: author="malware-lu"
strings:
$a0 = { 01 00 A0 E3 14 0000 EB 0000 20 E0 44 10 9F E5 03 2A A0 E3 40 30 A0 E3 AE 0000 EB 30 00 8F E5 00 20 A0 E1 3A 0E 8F E2 0000 80 E2 1C 10 9F E5 20 30 8F E2 0E 0000 EB 14 00 9F E5 14 10 9F E5 7F 20 A0 E3 C5 0000 EB 04 C0 8F E2 00 F0 9C E5 }
condition:
$a0 at pe.entry_point
}
rule PrivateexeProtector20SetiSoftTeam {
meta: author="malware-lu"
strings:
$a0 = { 0000000000000000 ???????????????? 0000000000000000000000000000000000000000 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ???????? 000000000000 }
condition:
$a0
}
rule AHTeamEPProtector03fakekkryptor9kryptoraFEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 60 E8 ???????? 5E B9 00000000 2B C0 02 04 0E D3 C0 49 79 F8 41 8D 7E 2C 33 46 ?? 66 B9 }
condition:
$a0 at pe.entry_point
}
rule PEBundlev310 {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 02 000000 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 07 20 40 00 87 DD ???????? 40 00 01 }
condition:
$a0
}
rule NsPack34NorthStar {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D 83 ED 07 8D 85 ???? FF FF 80 38 01 0F 84 42 02 0000 C6 00 01 8B D5 2B 95 ???? FF FF 89 95 ???? FF FF 01 95 ???? FF FF 8D B5 ???? FF FF 01 16 60 6A 40 68 00 10 0000 68 00 10 0000 6A 00 FF 95 ???? FF FF 85 C0 0F 84 6A 03 0000 89 85 ???? FF FF E8 00000000 5B B9 68 03 0000 03 D9 50 53 E8 B1 02 0000 61 8B 36 8B FD 03 BD ???? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00000000 EB 16 B9 01 000000 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ???? FF FF FF B5 ???? FF FF 8B D6 8B CF 8B 85 ???? FF FF 05 AA 05 0000 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 }
condition:
$a0 at pe.entry_point
}
rule PellesC280290EXEX86CRTLIB {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 6A FF 68 ???????? 68 ???????? 64 FF 35 ???????? 64 89 25 ???????? 83 EC ?? 83 EC ?? 53 56 57 89 65 E8 68 000000 ?? E8 ???????? 59 A3 }
condition:
$a0 at pe.entry_point
}
rule RLPackV115V117Dllap0x {
meta: author="malware-lu"
strings:
$a0 = { 80 7C 24 08 01 0F 85 ?? 01 0000 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 ???????? 8D 9D ???????? 33 FF E8 }
condition:
$a0 at pe.entry_point
}
rule PellesC28x45xPelleOrinius {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 6A FF 68 ???????? 68 ???????? 64 FF 35 ???????? 64 89 25 ???????? 83 EC }
condition:
$a0 at pe.entry_point
}
rule Thinstallv2460Jitit {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 51 53 56 57 6A 00 6A 00 FF 15 F4 18 40 00 50 E8 87 FC FF FF 59 59 A1 94 1A 40 00 8B 40 10 03 05 90 1A 40 00 89 45 FC 8B 45 FC FF E0 5F 5E 5B C9 C3 000000 76 0C 0000 D4 0C 0000 1E }
condition:
$a0 at pe.entry_point
}
rule FSGv110Engdulekxt {
meta: author="malware-lu"
strings:
$a0 = { BB D0 01 40 ?? BF ?? 10 40 ?? BE }
$a1 = { E8 01 000000 ???? E8 ?? 000000 }
$a2 = { EB 01 ?? EB 02 ?????? 80 ???? 00 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
}
rule PECompactv2xx {
meta: author="malware-lu"
strings:
$a0 = { B8 ?????? 00 50 64 FF 35 00000000 64 89 25 00000000 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 }
condition:
$a0
}
rule ASPackv10802AlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }
condition:
$a0 at pe.entry_point
}
rule Armadillo440SiliconRealmsToolworks {
meta: author="malware-lu"
strings:
$a0 = { 31 2E 31 2E 34 000000 C2 E0 94 BE 93 FC DE C6 B6 24 83 F7 D2 A4 92 77 40 27 CF EB D8 6F 50 B4 B5 29 24 FA 45 08 04 52 D5 1B D2 8C 8A 1E 6E FF 8C 5F 42 89 F1 83 B1 27 C5 69 57 FC 55 0A DD 44 BE 2A 02 97 6B 65 15 AA 31 E9 28 7D 49 1B DF B5 5D 08 A8 BA A8 }
condition:
$a0
}
rule Armadillov1xxv2xx {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 8B 5D 08 56 8B 75 0C 57 8B 7D 10 85 F6 }
condition:
$a0 at pe.entry_point
}
rule HACKSTOPv111c {
meta: author="malware-lu"
strings:
$a0 = { B4 30 CD 21 86 E0 3D ???? 73 ?? B4 ?? CD 21 B0 ?? B4 4C CD 21 53 BB ???? 5B EB }
condition:
$a0 at pe.entry_point
}
rule EXEStealth276UnregisteredWebtoolMaster {
meta: author="malware-lu"
strings:
$a0 = { EB ?? 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }
condition:
$a0
}
rule PseudoSigner02LCCWin32DLLAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 53 56 57 83 7D 0C 01 75 05 E8 17 909090 FF 75 10 FF 75 0C FF 75 08 A1 }
condition:
$a0 at pe.entry_point
}
rule CDSSSv10Beta1CyberDoomTeamX {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED CA 47 40 00 FF 74 24 20 E8 D3 03 0000 0B C0 0F 84 13 03 0000 89 85 B8 4E 40 00 66 8C D8 A8 04 74 0C C7 85 8C 4E 40 00 01 000000 EB 12 64 A1 30 000000 0F B6 40 02 0A C0 0F 85 E8 02 0000 8D 85 F6 4C 40 00 50 FF B5 B8 4E 40 00 E8 FC 03 0000 0B C0 0F 84 CE 02 0000 E8 1E 03 0000 89 85 90 4E 40 00 8D 85 03 4D 40 00 50 FF B5 B8 }
condition:
$a0 at pe.entry_point
}
rule tElockv041x {
meta: author="malware-lu"
strings:
$a0 = { 66 8B C0 8D 24 24 EB 01 EB 60 EB 01 EB 9C E8 00000000 5E 83 C6 50 8B FE 68 78 01 ???? 59 EB 01 EB AC 54 E8 03 ?????? 5C EB 08 }
condition:
$a0 at pe.entry_point
}
rule ZCodeWin32PEProtectorv101 {
meta: author="malware-lu"
strings:
$a0 = { E9 12 000000 ???????????????????????? E9 FB FF FF FF C3 68 ???????? 64 FF 35 }
condition:
$a0 at pe.entry_point
}
rule ABCCryptor10byZloY {
meta: author="malware-lu"
strings:
$a0 = { 68 FF 64 24 F0 68 58 58 58 58 90 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68 ???????? BF 00 ?????? B9 00 ?????? 80 37 ?? 47 39 CF 75 F8 ???????????????????????????????????????????????????????????????????????????????????????????????????????????? BF 00 ?????? B9 00 ?????? 80 37 ?? 47 39 CF 75 F8 }
condition:
$a0
}
rule FSGv120EngdulekxtMicrosoftVisualC60 {
meta: author="malware-lu"
strings:
$a0 = { C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 000000 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 000000 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 }
condition:
$a0 at pe.entry_point
}
rule SLVc0deProtectorv061SLV {
meta: author="malware-lu"
strings:
$a0 = { EB 02 FA 04 E8 49 000000 69 E8 49 000000 95 E8 4F 000000 68 E8 1F 000000 49 E8 E9 FF FF FF 67 E8 1F 00 }
$a1 = { EB 02 FA 04 E8 49 000000 69 E8 49 000000 95 E8 4F 000000 68 E8 1F 000000 49 E8 E9 FF FF FF 67 E8 1F 000000 93 E8 31 000000 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 000000 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00000000 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 0000 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 0000 8B FE AC }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule FSG131dulekxt {
meta: author="malware-lu"
strings:
$a0 = { BE ?????? 00 BF ?????? 00 BB ?????? 00 53 BB ?????? 00 B2 80 }
condition:
$a0 at pe.entry_point
}
rule RLPackV112V114aPlib043ap0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 ???????? 8D 9D ???????? 33 FF EB 0F FF ?????? FF ?????? D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB }
condition:
$a0
}
rule Crypter31SLESH {
meta: author="malware-lu"
strings:
$a0 = { 68 FF 64 24 F0 68 58 58 58 58 FF D4 50 8B 40 F2 05 B0 95 F6 95 0F 85 01 81 BB FF 68 }
condition:
$a0
}
rule PseudoSigner01VBOX43MTEAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 0B C0 E9 }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakeBJFNT13emadicius {
meta: author="malware-lu"
strings:
$a0 = { EB 03 3A 4D 3A 1E EB 02 CD 20 9C EB 02 CD 20 EB 02 CD 20 60 EB 02 C7 05 EB 02 CD 20 E8 03 000000 E9 EB 04 58 40 50 C3 61 9D 1F EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
condition:
$a0 at pe.entry_point
}
rule FreeCryptor02build002GlOFF {
meta: author="malware-lu"
strings:
$a0 = { 33 D2 90 1E 68 1B ?????? 0F A0 1F 8B 02 90 50 54 8F 02 9090 8E 64 24 08 FF E2 58 50 33 D2 52 83 F8 01 9B 40 8A 10 89 14 24 90 D9 04 24 90 D9 FA D9 5C 24 FC 8B 5C 24 FC 81 F3 C2 FC 1D 1C 75 E3 74 01 62 FF D0 90 5A 33 C0 8B 54 24 08 90 64 8F 00 90 83 C2 08 52 5C 5A }
condition:
$a0
}
rule PackItBitchV10archphase {
meta: author="malware-lu"
strings:
$a0 = { 000000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ???????????????? 000000000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 0000 ?? 000000000000 ???????????????? 0000000000000000000000000000000000000000 }
condition:
$a0
}
rule nPackv11250BetaNEOx {
meta: author="malware-lu"
strings:
$a0 = { 83 3D 04 ?????? 00 75 05 E9 01 000000 C3 E8 46 000000 E8 73 000000 B8 2E ?????? 2B 05 08 ?????? A3 00 ?????? E8 9C 000000 E8 04 02 0000 E8 FB 06 0000 E8 1B 06 0000 A1 00 ?????? C7 05 04 ?????? 01 000000 01 05 00 ?????? FF 35 00 }
condition:
$a0 at pe.entry_point
}
rule UnpackedBSSFXArchivev19 {
meta: author="malware-lu"
strings:
$a0 = { 1E 33 C0 50 B8 ???? 8E D8 FA 8E D0 BC ???? FB B8 ???? CD 21 3C 03 73 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01VideoLanClientAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 08 9090909090909090909090909090 01 FF FF 01 01 01 00 01 9090909090909090909090909090 00 01 00 01 00 01 9090 00 01 E9 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01PECompact14Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090 68 ???????? 67 64 FF 36 0000 67 64 89 26 0000 F1 90909090 EB 06 68 90909090 C3 9C 60 E8 02 909090 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01DxPack10Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 8B FD 81 ED 90909090 2B B9 00000000 81 EF 90909090 83 BD 9090909090 0F 84 00000000 E9 }
condition:
$a0 at pe.entry_point
}
rule Splice11byTw1stedL0gic {
meta: author="malware-lu"
strings:
$a0 = { 68 00 1A 40 00 E8 EE FF FF FF 000000000000 30 000000 40 00000000000000 ???????????????????????????????? 000000000000 01 000000 ???????????? 50 72 6F 6A 65 63 74 31 00 ?????????????? 00000000 06 000000 AC 29 40 00 07 000000 BC 28 40 00 07 000000 74 28 40 00 07 000000 2C 28 40 00 07 000000 08 23 40 00 01 000000 38 21 40 0000000000 FF FF FF FF FF FF FF FF 00000000 8C 21 40 00 08 ?? 40 00 01 000000 AC 19 40 00000000000000000000000000 AC 19 40 00 4F 00 43 00 50 000000 E7 AF 58 2F 9A 4C 17 4D B7 A9 CA 3E 57 6F F7 76 }
condition:
$a0 at pe.entry_point
}
rule PECompactv140v145 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F A0 40 ?? 87 DD 8B 85 A6 A0 40 ?? 01 85 03 A0 40 ?? 66 C7 85 ?? A0 40 ?? 9090 01 85 9E A0 40 ?? BB C3 11 }
condition:
$a0 at pe.entry_point
}
rule Armadillo300aSiliconRealmsToolworks {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F ?? EB 0F ?? EB 07 ?? EB 0F ?? EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC ?? 59 58 50 51 EB 0F }
condition:
$a0 at pe.entry_point
}
rule NullsoftInstallSystemv20b4 {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 10 53 55 56 57 C7 44 24 14 F0 91 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 88 72 40 00 BE 00 D4 42 00 BF 00 04 0000 56 57 A3 60 6F 42 00 FF 15 C4 70 40 00 E8 9F FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 0000 56 FF 15 60 71 40 00 }
$a1 = { 83 EC 14 83 64 24 04 00 53 55 56 57 C6 44 24 13 20 FF 15 30 70 40 00 BE 00 20 7A 00 BD 00 04 0000 56 55 FF 15 C4 70 40 00 56 E8 7D 2B 0000 8B 1D 8C 70 40 00 6A 00 56 FF D3 BF 80 92 79 00 56 57 E8 15 26 0000 85 C0 75 38 68 F8 91 40 00 55 56 FF 15 60 71 }
condition:
$a0 or $a1
}
rule PESHiELDv01bMTE {
meta: author="malware-lu"
strings:
$a0 = { E8 ???????????????????????????????????????????????????? B9 1B 01 ???? D1 }
condition:
$a0 at pe.entry_point
}
rule BeRoEXEPackerV100BeRo {
meta: author="malware-lu"
strings:
$a0 = { BA ???????? 8D B2 ???????? 8B 46 ?? 85 C0 74 51 03 C2 8B 7E ?? 8B 1E 85 DB 75 02 8B DF 03 DA 03 FA 52 57 50 FF 15 ???????? 5F 5A 85 C0 74 2F 8B C8 8B 03 85 C0 74 22 0F BA F0 1F 72 04 8D 44 ???? 51 52 57 50 51 FF 15 ???????? 5F 5A 59 85 C0 74 0B AB 83 C3 04 EB D8 83 C6 14 EB AA 61 C3 }
condition:
$a0
}
rule MSLRHv32aemadicius {
meta: author="malware-lu"
strings:
$a0 = { EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 0000 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 }
condition:
$a0 at pe.entry_point
}
rule SpecialEXEPaswordProtectorv101EngPavolCerven {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 06 000000 89 AD 8C 01 0000 8B C5 2B 85 FE 75 0000 89 85 3E 77 0000 8D 95 C6 77 0000 8D 8D FF 77 0000 55 68 00 20 0000 51 52 6A 00 FF 95 04 7A 0000 5D 6A 00 FF 95 FC 79 0000 8D 8D 60 78 0000 8D 95 85 01 0000 55 68 00 }
condition:
$a0 at pe.entry_point
}
rule PECompactv166 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 ?? 87 DD 8B 85 E6 90 40 ?? 01 85 33 90 40 ?? 66 C7 85 ?? 90 40 ?? 9090 01 85 DA 90 40 ?? 01 85 DE 90 40 ?? 01 85 E2 90 40 ?? BB 5B 11 }
condition:
$a0 at pe.entry_point
}
rule PECompactv167 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 3F 90 40 87 DD 8B 85 E6 90 40 01 85 33 90 40 66 C7 85 90 40 9090 01 85 DA 90 40 01 85 DE 90 40 01 85 E2 90 40 BB 8B 11 }
condition:
$a0 at pe.entry_point
}
rule VIRUSIWormHybris {
meta: author="malware-lu"
strings:
$a0 = { EB 16 A8 54 ???? 47 41 42 4C 4B 43 47 43 ???????????? 52 49 53 ?? FC 68 4C 70 40 ?? FF 15 }
condition:
$a0
}
rule GPInstallv50332 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 33 C9 51 51 51 51 51 51 51 53 56 57 B8 C4 1C 41 00 E8 6B 3E FF FF 33 C0 55 68 76 20 41 00 64 FF 30 64 89 20 BA A0 47 41 00 33 C0 E8 31 0A FF FF 33 D2 A1 A0 }
condition:
$a0
}
rule PseudoSigner02PEIntro10Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 8B 04 24 9C 60 E8 14 000000 5D 81 ED 0A 45 40 90 80 BD 67 44 40 9090 0F 85 48 FF ED 0A }
condition:
$a0 at pe.entry_point
}
rule Armadillov410SiliconRealmsToolworks {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 F8 8E 4C 00 68 D0 EA 49 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 7C A5 4C 00 8B C8 81 E1 FF 000000 89 0D 78 A5 4C 00 C1 E1 08 03 CA 89 0D 74 A5 4C 00 C1 E8 10 A3 70 A5 }
condition:
$a0 at pe.entry_point
}
rule AverCryptor102betaos1r1s {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 0C 17 40 00 8B BD 33 18 40 00 8B 8D 3B 18 40 00 B8 51 18 40 00 03 C5 80 30 05 83 F9 00 74 71 81 7F 1C AB 000000 75 62 8B 57 0C 03 95 37 18 40 00 33 C0 51 33 C9 66 B9 F7 00 66 83 F9 00 74 49 8B 57 0C 03 95 37 18 40 00 8B 85 3F 18 40 00 83 F8 02 75 06 81 C2 00 02 0000 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 0000 57 BF C8 000000 8B F1 E8 27 000000 8B C8 5F B8 51 18 40 00 03 C5 E8 24 000000 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 2F 18 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 23 F7 8B C6 5F 5E C3 }
condition:
$a0 at pe.entry_point
}
rule FSGv131 {
meta: author="malware-lu"
strings:
$a0 = { BB D0 01 40 00 BF 00 10 40 00 BE ???????? 53 BB ???????? B2 80 A4 B6 80 FF D3 73 F9 33 C9 }
condition:
$a0 at pe.entry_point
}
rule FSGv133 {
meta: author="malware-lu"
strings:
$a0 = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 }
condition:
$a0 at pe.entry_point
}
rule HidePE101BGCorp {
meta: author="malware-lu"
strings:
$a0 = { BA ?????? 00 B8 ???????? 89 02 83 C2 04 B8 ???????? 89 02 83 C2 04 B8 ???????? 89 02 83 C2 F8 FF E2 0D 0A 2D 3D 5B 20 48 69 64 65 50 45 20 62 79 20 42 47 43 6F 72 70 20 5D 3D 2D }
condition:
$a0 at pe.entry_point
}
rule EXEStealthv11 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED FB 1D 40 00 B9 7B 09 0000 8B F7 AC }
condition:
$a0 at pe.entry_point
}
rule Thinstallvxx {
meta: author="malware-lu"
strings:
$a0 = { B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF }
condition:
$a0 at pe.entry_point
}
rule Obsidium1200ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 3F 1E 0000 }
condition:
$a0 at pe.entry_point
}
rule PrivatePersonalPackerPPP103ConquestOfTroycom {
meta: author="malware-lu"
strings:
$a0 = { E8 19 000000 9090 E8 68 000000 FF 35 2C 37 00 10 E8 ED 01 0000 6A 00 E8 2E 04 0000 E8 41 04 0000 A3 74 37 00 10 6A 64 E8 5F 04 0000 E8 30 04 0000 A3 78 37 00 10 6A 64 E8 4E 04 0000 E8 1F 04 0000 A3 7C 37 00 10 A1 74 37 00 10 8B 1D 78 37 00 10 2B D8 8B 0D 7C 37 00 10 2B C8 83 FB 64 73 0F 81 F9 C8 000000 73 07 6A 00 E8 D9 03 0000 C3 6A 0A 6A 07 6A 00 E8 D3 03 0000 A3 20 37 00 10 50 6A 00 E8 DE 03 0000 A3 24 37 00 10 FF 35 20 37 00 10 6A 00 E8 EA 03 0000 A3 30 37 00 10 FF 35 24 37 00 10 E8 C2 03 0000 A3 28 37 00 10 8B 0D 30 37 00 10 8B 3D 28 37 00 10 EB 09 49 C0 04 39 55 80 34 39 24 0B C9 }
condition:
$a0 at pe.entry_point
}
rule VIRUSIWormBagle {
meta: author="malware-lu"
strings:
$a0 = { 6A 00 E8 95 01 0000 E8 9F E6 FF FF 83 3D 03 50 40 0000 75 14 68 C8 AF 0000 E8 01 E1 FF FF 05 88 13 0000 A3 03 50 40 00 68 5C 57 40 00 68 F6 30 40 00 FF 35 03 50 40 00 E8 B0 EA FF FF E8 3A FC FF FF 83 3D 54 57 40 0000 74 05 E8 F3 FA FF FF 68 E8 03 00 }
condition:
$a0
}
rule RLPackv118BasicLZMAAp0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 21 0B 0000 8D 9D FF 02 0000 33 FF E8 9F 01 0000 6A 40 68 00 10 0000 68 00 20 0C 00 6A 00 FF 95 AA 0A 0000 89 85 F9 0A 0000 EB 14 60 FF B5 F9 0A }
condition:
$a0 at pe.entry_point
}
rule StonesPEEncryptorv20 {
meta: author="malware-lu"
strings:
$a0 = { 53 51 52 56 57 55 E8 ???????? 5D 81 ED 42 30 40 ?? FF 95 32 35 40 ?? B8 37 30 40 ?? 03 C5 2B 85 1B 34 40 ?? 89 85 27 34 40 ?? 83 }
condition:
$a0 at pe.entry_point
}
rule Upackv029betaDwing {
meta: author="malware-lu"
strings:
$a0 = { E9 ???????? 42 79 44 77 69 6E 67 40 000000 50 45 0000 4C 01 02 ???????????????????????????????????????? 29 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02BJFNT11bAnorganix {
meta: author="malware-lu"
strings:
$a0 = { EB 01 EA 9C EB 01 EA 53 EB 01 EA 51 EB 01 EA 52 EB 01 EA 56 90 }
condition:
$a0 at pe.entry_point
}
rule UPXScramblerRCv1x {
meta: author="malware-lu"
strings:
$a0 = { 90 61 BE ???????? 8D BE ???????? 57 83 CD FF }
condition:
$a0 at pe.entry_point
}
rule PECrypt15BitShapeSoftware {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 55 20 40 00 B9 7B 09 0000 8D BD 9D 20 40 00 8B F7 AC ???????????????????????????????????????????????????????????????????????????????????????????????? AA E2 CC }
condition:
$a0 at pe.entry_point
}
rule Upackv021BetaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE 88 01 ???? AD 8B F8 ???????? 33 }
condition:
$a0 at pe.entry_point
}
rule UPXFreakV01HMX0101 {
meta: author="malware-lu"
strings:
$a0 = { BE ???????? 83 C6 01 FF E6 0000 }
condition:
$a0 at pe.entry_point
}
rule UnnamedScrambler20p0ke {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B9 0A 000000 6A 00 6A 00 49 75 F9 53 56 57 B8 1C 2F 40 00 E8 C8 F1 FF FF 33 C0 55 68 FB 33 40 00 64 FF 30 64 89 20 BA 0C 34 40 00 B8 E4 54 40 00 E8 EF FE FF FF 8B D8 85 DB 75 07 6A 00 E8 5A F2 FF FF BA E8 54 40 00 8B C3 8B 0D E4 54 40 00 E8 74 E2 FF FF C7 05 20 6B 40 00 09 000000 BB 98 69 40 00 C7 45 EC E8 54 40 00 C7 45 E8 31 57 40 00 C7 45 E4 43 60 40 00 BE D3 6A 40 00 BF E0 6A 40 00 83 7B 04 00 75 0B 83 3B 00 0F 86 AA 03 0000 EB 06 0F 8E A2 03 0000 8B 03 8B D0 B8 0C 6B 40 00 E8 C1 EE FF FF B8 0C 6B 40 00 E8 6F EE FF FF 8B D0 8B 45 EC 8B 0B E8 0B E2 FF FF 6A 00 6A 1E 6A 00 6A 2C A1 0C 6B 40 00 E8 25 ED FF FF 8D 55 E0 E8 15 FE FF FF 8B 55 E0 B9 10 6B 40 00 A1 0C 6B 40 00 }
condition:
$a0
}
rule HACKSTOPv100 {
meta: author="malware-lu"
strings:
$a0 = { FA BD ???? FF E5 6A 49 48 0C ?? E4 ?? 3F 98 3F }
condition:
$a0 at pe.entry_point
}
rule ExeShield36wwwexeshieldcom {
meta: author="malware-lu"
strings:
$a0 = { B8 ?????? 00 50 64 FF 35 00000000 64 89 25 00000000 33 C0 89 08 50 45 43 6F 6D 70 61 63 74 32 00 CE 1E 42 AF F8 D6 CC E9 FB C8 4F 1B 22 7C B4 C8 0D BD 71 A9 C8 1F 5F B1 29 8F 11 73 8F 00 D1 88 87 A9 3F 4D 00 6C 3C BF C0 80 F7 AD 35 23 EB 84 82 6F }
condition:
$a0 at pe.entry_point
}
rule Pe123v200644 {
meta: author="malware-lu"
strings:
$a0 = { 8B C0 EB 01 34 60 EB 01 2A 9C EB 02 EA C8 E8 0F 000000 EB 03 3D 23 23 EB 01 4A EB 01 5B C3 8D 40 00 53 EB 01 6C EB 01 7E EB 01 8F E8 15 01 0000 50 E8 67 04 0000 EB 01 9A 8B D8 FF D3 5B C3 8B C0 E8 00000000 58 83 C0 05 C3 8B C0 55 8B EC 60 8B 4D 10 }
condition:
$a0 at pe.entry_point
}
rule SDProtectorV11xRandyLi {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? 68 88 88 88 08 64 A1 }
condition:
$a0 at pe.entry_point
}
rule BobPackv100BoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 0C 24 89 CD 83 E9 06 81 ED ???????? E8 3D 000000 89 85 ???????? 89 C2 B8 5D 0A 0000 8D 04 08 E8 E4 000000 8B 70 04 01 D6 E8 76 000000 E8 51 01 0000 E8 01 01 }
condition:
$a0 at pe.entry_point
}
rule DBPEv210 {
meta: author="malware-lu"
strings:
$a0 = { 9C 6A 10 73 0B EB 02 C1 51 E8 06 ?????? C4 11 73 F7 5B CD 83 C4 04 EB 02 99 EB FF 0C 24 71 01 E8 79 E0 7A 01 75 83 C4 04 9D EB 01 75 68 5F 20 40 ?? E8 B0 EF FF FF 72 03 73 01 75 BE }
condition:
$a0 at pe.entry_point
}
rule NsPackv31NorthStar {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 5D 83 ED 07 8D 9D ???? FF FF 8A 03 3C 00 74 10 8D 9D ???? FF FF 8A 03 3C 01 0F 84 42 02 0000 C6 03 01 8B D5 2B 95 ???? FF FF 89 95 ???? FF FF 01 95 ???? FF FF 8D B5 ???? FF FF 01 16 60 6A 40 68 00 10 0000 68 00 10 0000 6A 00 }
$a1 = { 9C 60 E8 00000000 5D 83 ED 07 8D 9D ???? FF FF 8A 03 3C 00 74 10 8D 9D ???? FF FF 8A 03 3C 01 0F 84 42 02 0000 C6 03 01 8B D5 2B 95 ???? FF FF 89 95 ???? FF FF 01 95 ???? FF FF 8D B5 ???? FF FF 01 16 60 6A 40 68 00 10 0000 68 00 10 0000 6A 00 FF 95 ???? FF FF 85 C0 0F 84 6A 03 0000 89 85 ???? FF FF E8 00000000 5B B9 68 03 0000 03 D9 50 53 E8 B1 02 0000 61 8B 36 8B FD 03 BD ???? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00000000 EB 16 B9 01 000000 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ???? FF FF FF B5 ???? FF FF 8B D6 8B CF 8B 85 ???? FF FF 05 AA 05 0000 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 0000 6A 00 }
condition:
$a0 at pe.entry_point or $a1
}
rule SVKProtectorV13XPavolCerven {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED 06 000000 EB 05 B8 ???? 42 00 64 A0 23 000000 EB 03 C7 84 E8 84 C0 EB 03 C7 84 E9 75 67 B9 49 000000 8D B5 C5 02 0000 56 80 06 44 46 E2 FA 8B 8D C1 02 0000 5E 55 51 6A 00 56 FF 95 0C 61 0000 59 5D 40 85 C0 75 3C 80 3E 00 74 03 46 EB F8 46 E2 E3 8B C5 8B 4C 24 20 2B 85 BD 02 0000 89 85 B9 02 0000 80 BD B4 02 0000 01 75 06 8B 8D 0C 61 0000 89 8D B5 02 0000 8D 85 0E 03 0000 8B DD FF E0 55 68 10 10 0000 8D 85 B4 000000 50 8D 85 B4 01 0000 50 6A 00 FF 95 18 61 0000 5D 6A FF FF 95 10 61 0000 44 65 62 75 67 67 65 72 20 6F 72 20 74 6F 6F 6C 20 66 6F 72 20 6D 6F 6E 69 74 6F 72 69 6E 67 20 64 65 74 65 63 74 65 64 21 21 21 0000000000000000000000000000000000000000000000000000000000000000 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakePECrypt102FEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 E8 00000000 5B 83 EB 05 EB 04 52 4E 44 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02WATCOMCCEXEAnorganix {
meta: author="malware-lu"
strings:
$a0 = { E9 00000000 90909090 57 41 }
condition:
$a0 at pe.entry_point
}
rule PENinja: Packer PEiD {
meta: author="malware-lu"
strings:
$a0 = { 909090909090909090909090909090909090909090909090909090909090909090909090 }
condition:
$a0 at pe.entry_point
}
rule UpackV036Dwing {
meta: author="malware-lu"
strings:
$a0 = { 0B 01 ???????????????????????????? 18 10 0000 10 000000 ???????????????? 00 10 000000 02 0000 ???????????????????????? 00000000 ???????????????????????????????????????????????????????????????? 00000000 0A 0000000000000000000000 ???????? 14 000000 ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 FF 76 08 FF 76 0C BE 1C 01 }
$a1 = { BE ???????? FF 36 E9 C3 000000 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule yodasProtectorv101AshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 53 56 57 E8 03 000000 EB 01 ?? E8 86 000000 E8 03 000000 EB 01 ?? E8 79 000000 E8 03 000000 EB 01 ?? E8 A4 000000 E8 03 000000 EB 01 ?? E8 97 000000 E8 03 000000 EB 01 ?? E8 2D 000000 E8 03 000000 EB 01 ?? 60 E8 00000000 }
condition:
$a0 at pe.entry_point
}
rule UPX050070 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 58 83 E8 3D }
condition:
$a0 at pe.entry_point
}
rule VxVCLencrypted {
meta: author="malware-lu"
strings:
$a0 = { 01 B9 ???? 81 34 ???? 46 46 E2 F8 C3 }
$a1 = { 01 B9 ???? 81 35 ???? 47 47 E2 F8 C3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule VxXRCV1015 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E 83 ???? 53 51 1E 06 B4 99 CD 21 80 FC 21 ?????????? 33 C0 50 8C D8 48 8E C0 1F A1 ???? 8B }
condition:
$a0 at pe.entry_point
}
rule RLPackv118BasicDLLaPLibAp0x {
meta: author="malware-lu"
strings:
$a0 = { 80 7C 24 08 01 0F 85 ???????? 60 E8 00000000 8B 2C 24 83 C4 04 8D B5 1A 04 0000 8D 9D C1 02 0000 33 FF E8 61 01 0000 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 08 83 C7 08 83 3C 37 00 75 EB 83 BD 06 04 000000 74 0E 83 }
condition:
$a0 at pe.entry_point
}
rule PellesC290300400DLLX86CRTLIB {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 53 56 57 8B 5D 0C 8B 75 10 BF 01 000000 85 DB 75 10 83 3D ???????? 00 75 07 31 C0 E9 ???????? 83 FB 01 74 05 83 FB 02 75 ?? 85 FF 74 }
condition:
$a0 at pe.entry_point
}
rule UnnamedScrambler13Bp0ke {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B9 08 000000 6A 00 6A 00 49 75 F9 53 56 57 B8 98 56 00 10 E8 48 EB FF FF 33 C0 55 68 AC 5D 00 10 64 FF 30 64 89 20 6A 00 68 BC 5D 00 10 68 C4 5D 00 10 6A 00 E8 23 EC FF FF E8 C6 CE FF FF 6A 00 68 BC 5D 00 10 68 ???????? 6A 00 E8 0B EC FF FF E8 F2 F4 FF FF B8 08 BC 00 10 33 C9 BA 04 01 0000 E8 C1 D2 FF FF 6A 00 68 BC 5D 00 10 68 E4 5D 00 10 6A 00 E8 E2 EB FF FF 68 04 01 0000 68 08 BC 00 10 6A 00 FF 15 68 77 00 10 6A 00 68 BC 5D 00 10 68 FC 5D 00 10 6A 00 E8 BD EB FF FF BA 10 5E 00 10 B8 70 77 00 10 E8 CA F3 FF FF 85 C0 0F 84 F7 05 0000 BA 74 77 00 10 8B 0D 70 77 00 10 E8 FE CD FF FF 6A 00 }
condition:
$a0 at pe.entry_point
}
rule HyingsPEArmor075exeHyingCCG {
meta: author="malware-lu"
strings:
$a0 = { 0000000000000000 ???? 000000000000 ???? 01 000000000000000000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 0000000000000000 ?????????????????????????????????????? 000000000000000000 74 ?????? 0000000000 }
condition:
$a0
}
rule SimbiOZPolyCryptorvxxExtranger {
meta: author="malware-lu"
strings:
$a0 = { 55 60 E8 00000000 5D 81 ED ???????? 8D 85 ???????? 68 ???????? 50 E8 }
condition:
$a0 at pe.entry_point
}
rule AVPACKv120 {
meta: author="malware-lu"
strings:
$a0 = { 50 1E 0E 1F 16 07 33 F6 8B FE B9 ???? FC F3 A5 06 BB ???? 53 CB }
condition:
$a0 at pe.entry_point
}
rule Armadillov220 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 10 12 41 00 68 F4 A0 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule XPack167 {
meta: author="malware-lu"
strings:
$a0 = { B8 8C D3 15 33 75 81 3E E8 0F 00 9A E8 F9 FF 9A 9C EB 01 9A 59 80 CD 01 51 9D EB }
condition:
$a0 at pe.entry_point
}
rule NullsoftInstallSystemv1xx {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 EC 2C 53 56 33 F6 57 56 89 75 DC 89 75 F4 BB A4 9E 40 00 FF 15 60 70 40 00 BF C0 B2 40 00 68 04 01 0000 57 50 A3 AC B2 40 00 FF 15 4C 70 40 00 56 56 6A 03 56 6A 01 68 000000 80 57 FF 15 9C 70 40 00 8B F8 83 FF FF 89 7D EC 0F 84 C3 000000 }
$a1 = { 83 EC 0C 53 56 57 FF 15 20 71 40 00 05 E8 03 0000 BE 60 FD 41 00 89 44 24 10 B3 20 FF 15 28 70 40 00 68 00 04 0000 FF 15 28 71 40 00 50 56 FF 15 08 71 40 00 80 3D 60 FD 41 00 22 75 08 80 C3 02 BE 61 FD 41 00 8A 06 8B 3D F0 71 40 00 84 C0 74 0F 3A C3 74 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule BobSoftMiniDelphiBoBBobSoft {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 53 56 B8 ???????? E8 ???????? 33 C0 55 68 ???????? 64 FF 30 64 89 20 B8 }
$a1 = { 55 8B EC 83 C4 F0 53 B8 ???????? E8 ???????? 33 C0 55 68 ???????? 64 FF 30 64 89 20 B8 ???????? E8 }
$a2 = { 55 8B EC 83 C4 F0 B8 ???????? E8 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point or $a2 at pe.entry_point
}
rule UltraProV10SafeNet {
meta: author="malware-lu"
strings:
$a0 = { A1 ???????? 85 C0 0F 85 3B 06 0000 55 56 C7 05 ???????? 01 000000 FF 15 }
condition:
$a0 at pe.entry_point
}
rule PECompactv1242v1243 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 A6 70 40 ?? 01 85 03 70 40 ?? 66 C7 85 70 40 90 ?? 90 01 85 9E 70 40 BB ?? D2 09 }
condition:
$a0 at pe.entry_point
}
rule SimplePack121build0909Method2bagie {
meta: author="malware-lu"
strings:
$a0 = { 4D 5A 90 EB 01 00 52 E9 8A 01 0000 50 45 0000 4C 01 02 00000000000000000000000000 E0 00 0F 03 0B 01 00000000000000000000000000000000000000000000 0C 00000000 ?????? 00 10 000000 02 0000 01 00000000000000 04 00000000000000 }
condition:
$a0
}
rule Obsidium13037ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 02 ???? E8 26 000000 EB 03 ?????? EB 01 ?? 8B 54 24 0C EB 04 ???????? 83 82 B8 000000 26 EB 01 ?? 33 C0 EB 02 ???? C3 EB 01 ?? EB 04 ???????? 64 67 FF 36 0000 EB 01 ?? 64 67 89 26 0000 EB 01 ?? EB 03 ?????? 50 EB 03 ?????? 33 C0 EB 03 ?????? 8B 00 EB 04 ???????? C3 EB 03 ?????? E9 FA 000000 EB 03 ?????? E8 D5 FF FF FF EB 04 ???????? EB 01 ?? 58 EB 02 ???? EB 03 ?????? 64 67 8F 06 0000 EB 01 ?? 83 C4 04 EB 03 ?????? E8 23 27 0000 }
condition:
$a0 at pe.entry_point
}
rule VxPhoenix927 {
meta: author="malware-lu"
strings:
$a0 = { E8 0000 5E 81 C6 ???? BF 00 01 B9 04 00 F3 A4 E8 }
condition:
$a0 at pe.entry_point
}
rule Petite14c199899IanLuck {
meta: author="malware-lu"
strings:
$a0 = { 66 9C 60 50 8B D8 03 00 68 54 BC 0000 6A 00 FF 50 14 8B CC 8D A0 54 BC 0000 50 8B C3 8D 90 ?? 16 0000 68 0000 ???? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 0000 8B 44 24 18 F6 }
condition:
$a0 at pe.entry_point
}
rule eXPressorV10CGSoftLabs {
meta: author="malware-lu"
strings:
$a0 = { E9 35 14 0000 E9 31 13 0000 E9 98 12 0000 E9 EF 0C 0000 E9 42 13 0000 E9 E9 02 0000 E9 EF 0B 0000 E9 1B 0D 0000 }
condition:
$a0 at pe.entry_point
}
rule RECryptv07xCruddRETh2 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 55 81 04 24 0A 000000 C3 8B F5 81 C5 ???? 0000 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 000000 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B 17 33 55 58 89 17 83 C7 04 83 C1 FC EB EC 8B }
condition:
$a0 at pe.entry_point
}
rule PassEXEv20 {
meta: author="malware-lu"
strings:
$a0 = { 06 1E 0E 0E 07 1F BE ???? B9 ???? 87 14 81 ?????? EB ?? C7 ?????? 84 00 87 ?????? FB 1F 58 4A }
condition:
$a0 at pe.entry_point
}
rule RECryptv07xCruddRETh1 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED F3 1D 40 00 B9 7B 09 0000 8D BD 3B 1E 40 00 8B F7 61 60 E8 00000000 5D 55 81 04 24 0A 000000 C3 8B F5 81 C5 ???? 0000 89 6D 34 89 75 38 8B 7D 38 81 E7 00 FF FF FF 81 C7 48 000000 47 03 7D 60 8B 4D 5C 83 F9 00 7E 0F 8B }
condition:
$a0 at pe.entry_point
}
rule WIBUKeyV410Ahttpwibucomus {
meta: author="malware-lu"
strings:
$a0 = { F7 05 ???????? FF 000000 75 12 }
condition:
$a0 at pe.entry_point
}
rule Mew501NorthFoxHCC {
meta: author="malware-lu"
strings:
$a0 = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ???? 00 ?????? 0000 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01ExeSmasherAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 9C FE 03 90 60 BE 9090 41 90 8D BE 90 10 FF FF 57 83 CD FF EB 10 90909090909090909090909090909090 FE 0B E9 }
condition:
$a0 at pe.entry_point
}
rule UnnamedScrambler12C12Dp0ke {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC B9 05 000000 6A 00 6A 00 49 75 F9 51 53 56 57 B8 ?? 3A ???? E8 ?? EC FF FF 33 C0 55 68 ???????? 64 FF 30 64 89 20 E8 ?? D7 FF FF E8 ???? FF FF B8 20 ?????? 33 C9 BA 04 01 0000 E8 ?? DB FF FF 68 04 01 0000 68 20 ?????? 6A 00 FF 15 10 ?????? BA ???????? B8 14 ?????? E8 ???? FF FF 85 C0 0F 84 ?? 04 0000 BA 18 ?????? 8B 0D 14 ?????? E8 ???? FF FF 8B 05 88 ?????? 8B D0 B8 54 ?????? E8 ?? E3 FF FF B8 54 ?????? E8 ?? E2 FF FF 8B D0 B8 18 ?????? 8B 0D 88 ?????? E8 ?? D6 FF FF FF 35 34 ?????? FF 35 30 ?????? FF 35 3C ?????? FF 35 38 ?????? 8D 55 E8 A1 88 ?????? E8 ?? F0 FF FF 8B 55 E8 B9 54 }
condition:
$a0
}
rule AlexProtectorv04beta1byAlex {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 01 000000 C7 83 C4 04 33 C9 E8 01 000000 68 83 C4 04 E8 01 000000 68 83 C4 04 B9 ?? 000000 E8 01 000000 68 83 C4 04 E8 00000000 E8 01 000000 C7 83 C4 04 8B 2C 24 83 C4 04 E8 01 000000 A9 83 C4 04 81 ED 3C 13 40 00 E8 01 000000 68 }
condition:
$a0
}
rule UG2002Cruncherv03b3 {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 81 ED ???????? E8 0D ???????????????????????????????? 58 }
condition:
$a0 at pe.entry_point
}
rule FishPEShield101HellFish {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 D0 53 56 57 8B 45 10 83 C0 0C 8B 00 89 45 DC 83 7D DC 00 75 08 E8 AD FF FF FF 89 45 DC E8 C1 FE FF FF 8B 10 03 55 DC 89 55 E4 83 C0 04 8B 10 89 55 FC 83 C0 04 8B 10 89 55 F4 83 C0 04 8B 10 89 55 F8 83 C0 04 8B 10 89 55 F0 83 C0 04 8B 10 89 55 EC 83 C0 04 8B 00 89 45 E8 8B 45 E4 8B 58 04 03 5D E4 8B FB 8B 45 E4 8B 30 4E 85 F6 72 2B 46 C7 45 E0 00000000 83 7B 04 00 74 14 }
$a1 = { 60 E8 12 FE FF FF C3 90 09 000000 2C 000000 ???????? C4 03 0000 BC A0 000000 40 01 00 ???????? 00000000000000000000000000000000 99 00000000 8A 000000 10 0000 28 88 0000 40 ?? 4B 000000 02 000000 A0 0000 18 01 0000 40 ?? 4C 000000 0C 000000 B0 0000 38 0A 0000 40 ?? 4E 00000000000000 C0 0000 40 39 0000 40 ?? 4E 000000 08 00000000 01 00 C8 06 0000 40 }
condition:
$a0 or $a1 at pe.entry_point
}
rule PseudoSigner01Neolite20Anorganix {
meta: author="malware-lu"
strings:
$a0 = { E9 A6 000000 9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090 }
condition:
$a0 at pe.entry_point
}
rule PEIntrov10 {
meta: author="malware-lu"
strings:
$a0 = { 8B 04 24 9C 60 E8 ???????? 5D 81 ED 0A 45 40 ?? 80 BD 67 44 40 ???? 0F 85 48 }
condition:
$a0 at pe.entry_point
}
rule Obsidiumv1250ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { E8 0E 000000 8B 54 24 0C 83 82 B8 000000 0D 33 C0 C3 64 67 FF 36 0000 64 67 89 26 0000 50 33 C0 8B 00 C3 E9 FA 000000 E8 D5 FF FF FF 58 64 67 8F 06 0000 83 C4 04 E8 2B 13 0000 }
condition:
$a0 at pe.entry_point
}
rule DevC4992BloodshedSoftware {
meta: author="malware-lu"
strings:
$a0 = { 55 89 E5 83 EC 08 C7 04 24 01 000000 FF 15 ?????? 00 E8 C8 FE FF FF 90 8D B4 26 00000000 55 89 E5 83 EC 08 C7 04 24 02 000000 FF 15 ?????? 00 E8 A8 FE FF FF 90 8D B4 26 00000000 55 8B 0D ?????? 00 89 E5 5D FF E1 8D 74 26 00 55 8B 0D }
condition:
$a0 at pe.entry_point
}
rule RLPackV119DllLZMA430ap0x {
meta: author="malware-lu"
strings:
$a0 = { 80 7C 24 08 01 0F 85 C7 01 0000 60 E8 00000000 8B 2C 24 83 C4 04 83 7C 24 28 01 75 0C 8B 44 24 24 89 85 49 0B 0000 EB 0C 8B 85 45 0B 0000 89 85 49 0B 0000 8D B5 6D 0B 0000 8D 9D 2F 03 0000 33 FF 6A 40 68 00 10 0000 68 00 20 0C 00 6A 00 FF 95 DA 0A 0000 89 85 41 0B 0000 E8 76 01 0000 EB 20 60 8B 85 49 0B 0000 FF B5 41 0B 0000 FF 34 37 01 04 24 FF 74 37 04 01 04 24 FF D3 61 83 C7 08 83 3C 37 00 75 DA 83 BD 55 0B 000000 74 0E 83 BD 59 0B 000000 74 05 E8 D7 01 0000 8D 74 37 04 53 6A 40 68 00 10 0000 68 ???????? 6A 00 FF 95 DA 0A 0000 89 85 69 0B 0000 5B 60 FF B5 41 0B 0000 56 FF B5 69 0B 0000 FF D3 61 8B B5 69 0B 0000 8B C6 EB 01 40 80 38 01 75 FA 40 8B 38 03 BD 49 0B 0000 83 C0 04 89 85 65 0B 0000 E9 98 000000 56 FF 95 D2 0A 0000 89 85 61 0B 0000 85 C0 0F 84 C8 000000 8B C6 EB 5F 8B 85 65 0B 0000 8B 00 A9 000000 80 74 14 35 000000 80 50 8B 85 65 0B 0000 C7 00 20 20 20 00 EB 06 FF B5 65 0B 0000 FF B5 61 0B 0000 FF 95 D6 0A 0000 85 C0 0F 84 87 000000 89 07 83 C7 04 8B 85 65 0B 0000 EB 01 40 80 38 00 75 FA 40 89 85 65 0B 0000 66 81 78 02 00 80 74 A1 80 38 00 75 9C EB 01 46 80 3E 00 75 FA 46 40 8B 38 03 BD 49 0B 0000 83 C0 04 89 85 65 0B 0000 80 3E 01 0F 85 5F FF FF FF 68 00 40 0000 68 ???????? FF B5 69 0B 0000 FF 95 DE 0A 0000 68 00 40 0000 68 00 20 0C 00 FF B5 41 0B 0000 FF 95 DE 0A 0000 E8 3D 000000 E8 24 01 0000 61 E9 ???????? 61 C3 }
condition:
$a0 at pe.entry_point
}
rule XJXPALLiNSoN {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???? 40 00 68 ???? 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 44 53 56 57 66 9C }
condition:
$a0 at pe.entry_point
}
rule Armadillov220b1 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 30 12 41 00 68 A4 A5 40 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 }
condition:
$a0 at pe.entry_point
}
rule RCryptor20Vaska {
meta: author="malware-lu"
strings:
$a0 = { F7 D1 83 F1 FF 6A 00 F7 D1 83 F1 FF 81 04 24 ???????? F7 D1 83 F1 FF }
condition:
$a0 at pe.entry_point
}
rule SentinelSuperProAutomaticProtectionv641Safenet {
meta: author="malware-lu"
strings:
$a0 = { A1 ???????? 55 8B ?????? 85 C0 74 ?? 85 ED 75 ?? A1 ???????? 50 55 FF 15 ???????? 8B 0D ???????? 55 51 FF 15 ???????? 85 C0 74 ?? 8B 15 ???????? 52 FF 15 ???????? 6A 00 6A 00 68 ???????? E8 ???????? B8 01 000000 5D C2 0C 00 }
condition:
$a0 at pe.entry_point
}
rule TMTPascalv040 {
meta: author="malware-lu"
strings:
$a0 = { 0E 1F 06 8C 06 ???? 26 A1 ???? A3 ???? 8E C0 66 33 FF 66 33 C9 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02CrunchPEHeuristicAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 E8 0E 000000 5D 83 ED 06 8B C5 55 60 89 AD ???????? 2B 85 00000000 }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakeMSVCDLLMethod4emadicius {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 56 57 BF 01 000000 8B 75 0C 85 F6 5F 5E 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule VcAsmProtectorV10XVcAsm {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? 68 ???????? 64 A1 00000000 50 64 89 25 00000000 E8 03 000000 }
condition:
$a0 at pe.entry_point
}
rule VBOXv42MTE {
meta: author="malware-lu"
strings:
$a0 = { 8C E0 0B C5 8C E0 0B C4 03 C5 74 00 74 00 8B C5 }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakeUPX0896102105124emadicius {
meta: author="malware-lu"
strings:
$a0 = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 909090909090 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtBorlandDelphiMicrosoftVisualC {
meta: author="malware-lu"
strings:
$a0 = { 1B DB E8 02 000000 1A 0D 5B 68 80 ???? 00 E8 01 000000 EA 5A 58 EB 02 CD 20 68 F4 000000 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 000000 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 }
$a1 = { C1 C8 10 EB 01 0F BF 03 74 66 77 C1 E9 1D 68 83 ???? 77 EB 02 CD 20 5E EB 02 CD 20 2B F7 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule VxHafen809 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 1C ?? 81 EE ???? 50 1E 06 8C C8 8E D8 06 33 C0 8E C0 26 ?????? 07 3D }
condition:
$a0 at pe.entry_point
}
rule RLPackFullEdition117LZMAAp0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 ?????????????????????????????? 8D B5 73 26 0000 8D 9D 58 03 0000 33 FF ???????????????????? 6A 40 68 ???????? 68 ???????? 6A }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01LTC13Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 54 E8 00000000 5D 8B C5 81 ED F6 73 40 00 2B 85 87 75 40 00 83 E8 06 E9 }
condition:
$a0 at pe.entry_point
}
rule ACProtectv141 {
meta: author="malware-lu"
strings:
$a0 = { 60 76 03 77 01 7B 74 03 75 01 78 47 87 EE E8 01 000000 76 83 C4 04 85 EE EB 01 7F 85 F2 EB 01 79 0F 86 01 000000 FC EB 01 78 79 02 87 F2 61 51 8F 05 19 38 01 01 60 EB 01 E9 E9 01 000000 }
condition:
$a0 at pe.entry_point
}
rule yodasProtectorV1031AshkbizDanehkar {
meta: author="malware-lu"
strings:
$a0 = { E8 03 000000 EB 01 ?? BB 55 000000 E8 03 000000 EB 01 ?? E8 8F 000000 E8 03 000000 EB 01 ?? E8 82 000000 E8 03 000000 EB 01 ?? E8 B8 000000 E8 03 000000 EB 01 ?? E8 AB 000000 E8 03 000000 EB 01 ?? 83 FB 55 E8 03 000000 EB 01 ?? 75 2E E8 03 000000 EB 01 ?? C3 60 E8 00000000 5D 81 ED 74 72 42 00 8B D5 81 C2 C3 72 42 00 52 E8 01 000000 C3 C3 E8 03 000000 EB 01 ?? E8 0E 000000 E8 D1 FF FF FF C3 E8 03 000000 EB 01 ?? 33 C0 64 FF 30 64 89 20 CC C3 E8 03 000000 EB 01 ?? 33 C0 64 FF 30 64 89 20 4B CC C3 E8 03 000000 EB 01 ?? 33 DB B9 3F A9 42 00 81 E9 6E 73 42 00 8B D5 81 C2 6E 73 42 00 8D 3A 8B F7 33 C0 E8 03 000000 EB 01 ?? E8 17 000000 909090 E9 98 2E 0000 33 C0 64 FF 30 64 89 20 43 CC C3 }
condition:
$a0 at pe.entry_point
}
rule tElock096tE {
meta: author="malware-lu"
strings:
$a0 = { E9 59 E4 FF FF 00000000000000 ???????? EE ???? 000000000000000000 0E ???? 00 FE ???? 00 F6 ???? 000000000000000000 1B ???? 00 06 ???? 000000000000000000000000000000000000000000 26 ???? 0000000000 39 ???? 0000000000 26 ???? 0000000000 39 ???? 0000000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C }
condition:
$a0 at pe.entry_point
}
rule WerusCrypter10byKas {
meta: author="malware-lu"
strings:
$a0 = { BB E8 12 40 00 80 33 05 E9 7D FF FF FF }
condition:
$a0 at pe.entry_point
}
rule HEALTHv51byMuslimMPolyak {
meta: author="malware-lu"
strings:
$a0 = { 1E E8 ???? 2E 8C 06 ???? 2E 89 3E ???? 8B D7 B8 ???? CD 21 8B D8 0E 1F E8 ???? 06 57 A1 ???? 26 }
condition:
$a0 at pe.entry_point
}
rule PCGuardv303dv305d {
meta: author="malware-lu"
strings:
$a0 = { 55 50 E8 ???????? 5D EB 01 E3 60 E8 03 ?????? D2 EB 0B 58 EB 01 48 40 EB 01 }
condition:
$a0 at pe.entry_point
}
rule VxNovember17768 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E 81 EE ???? 50 33 C0 8E D8 80 3E ?????? 0E 1F ???? FC }
condition:
$a0 at pe.entry_point
}
rule BeRoTinyPascalBeRo {
meta: author="malware-lu"
strings:
$a0 = { E9 ???????? 20 43 6F 6D 70 69 6C 65 64 20 62 79 3A 20 42 65 52 6F 54 69 6E 79 50 61 73 63 61 6C 20 2D 20 28 43 29 20 43 6F 70 79 72 69 67 68 74 20 32 30 30 36 2C 20 42 65 6E 6A 61 6D 69 6E 20 27 42 65 52 6F 27 20 52 6F 73 73 65 61 75 78 20 }
condition:
$a0 at pe.entry_point
}
rule PrivateexeProtector21522XSetiSoftTeam {
meta: author="malware-lu"
strings:
$a0 = { 00000000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 0000000000 }
condition:
$a0
}
rule Protectorv1111DDeMPEEnginev09DDeMCIv092 {
meta: author="malware-lu"
strings:
$a0 = { 53 51 56 E8 00000000 5B 81 EB 08 10 0000 8D B3 34 10 0000 B9 F3 03 0000 BA 63 17 2A EE 31 16 83 C6 04 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01XCR011Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 60 8B F0 33 DB 83 C3 01 83 C0 01 E9 }
condition:
$a0 at pe.entry_point
}
rule Trivial173bySMTSMF {
meta: author="malware-lu"
strings:
$a0 = { EB ???? 28 54 72 69 76 69 61 6C 31 37 33 20 62 79 20 53 4D 54 2F 53 4D 46 29 }
condition:
$a0 at pe.entry_point
}
rule ASProtectv11MTE {
meta: author="malware-lu"
strings:
$a0 = { 60 E9 ???????? 91 78 79 79 79 E9 }
condition:
$a0 at pe.entry_point
}
rule WARNINGTROJANRobinPE {
meta: author="malware-lu"
strings:
$a0 = { 60 6A 00 6A 20 6A 02 6A 00 6A 03 68 000000 }
condition:
$a0 at pe.entry_point
}
rule PiCryptor10byScofield {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 000000 6A 03 6A 00 6A 01 68 000000 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 CD FA FF FF 8B F8 81 EF AC 26 0000 6A 00 6A 00 68 AC 26 0000 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 0000 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0 }
$a1 = { 55 8B EC 83 C4 EC 53 56 57 31 C0 89 45 EC B8 40 1E 06 00 E8 48 FA FF FF 33 C0 55 68 36 1F 06 00 64 FF 30 64 89 20 6A 00 68 80 000000 6A 03 6A 00 6A 01 68 000000 80 8D 55 EC 31 C0 E8 4E F4 FF FF 8B 45 EC E8 F6 F7 FF FF 50 E8 CC FA FF FF 8B D8 83 FB FF 74 4E 6A 00 53 E8 CD FA FF FF 8B F8 81 EF AC 26 0000 6A 00 6A 00 68 AC 26 0000 53 E8 DE FA FF FF 89 F8 E8 E3 F1 FF FF 89 C6 6A 00 68 28 31 06 00 57 56 53 E8 AE FA FF FF 53 E8 80 FA FF FF 89 FA 81 EA 72 01 0000 8B C6 E8 55 FE FF FF 89 C6 89 F0 09 C0 74 05 E8 A8 FB FF FF 31 C0 5A 59 59 64 89 10 68 3D 1F 06 00 8D 45 EC E8 C3 F6 FF FF C3 }
$a2 = { 89 55 F8 BB 01 000000 8A 04 1F 24 0F 8B 55 FC 8A 14 32 80 E2 0F 32 C2 8A 14 1F 80 E2 F0 02 D0 88 14 1F 46 8D 45 F4 8B 55 FC E8 ???????? 8B 45 F4 E8 ???????? 3B F0 7E 05 BE 01 000000 43 FF 4D F8 75 C2 ???????? 5A 59 59 64 89 10 68 ???????? 8D 45 F4 E8 ???????? C3 E9 }
condition:
$a0 or $a1 at pe.entry_point or $a2
}
rule PseudoSigner02MacromediaFlashProjector60Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090 68 ???????? 67 64 FF 36 0000 67 64 89 26 0000 F1 90909090 83 EC 44 56 FF 15 24 81 49 00 8B F0 8A 06 3C 22 75 1C 8A 46 01 46 3C 22 74 0C 84 C0 74 08 8A 46 01 46 3C 22 75 F4 80 3E 22 75 0F 46 EB 0C }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakeWWPack321xemadicius {
meta: author="malware-lu"
strings:
$a0 = { 53 55 8B E8 33 DB EB 60 0D 0A 0D 0A 57 57 50 61 63 6B 33 32 20 64 65 63 6F 6D 70 72 65 73 73 69 6F 6E 20 72 6F 75 74 69 6E 65 20 76 65 72 73 69 6F 6E 20 31 2E 31 32 0D 0A 28 63 29 20 31 39 39 38 20 50 69 6F 74 72 20 57 61 72 65 7A 61 6B 20 61 6E 64 20 52 61 66 61 6C 20 57 69 65 72 7A 62 69 63 6B 69 0D 0A 0D 0A 5D 5B 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule PEArmor07600765hying {
meta: author="malware-lu"
strings:
$a0 = { 0000000000000000 ???????? 0000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????? 00000000 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 0000000000 08 00000000000000 60 E8 00000000 }
condition:
$a0
}
rule PECryptv102 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???????? 5B 83 EB 05 EB 04 52 4E 44 }
condition:
$a0 at pe.entry_point
}
rule ILUCRYPTv4015exe {
meta: author="malware-lu"
strings:
$a0 = { 8B EC FA C7 46 F7 ???? 42 81 FA ???? 75 F9 FF 66 F7 }
condition:
$a0 at pe.entry_point
}
rule NJoy13NEX {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 B8 48 36 40 00 E8 54 EE FF FF 6A 00 68 D8 2B 40 00 6A 0A 6A 00 E8 2C EF FF FF E8 23 E7 FF FF 8D 40 00 }
condition:
$a0 at pe.entry_point
}
rule VBOXv43v46 {
meta: author="malware-lu"
strings:
$a0 = { 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 8B C5 }
$a1 = { 90 03 C4 33 C4 33 C5 2B C5 33 C5 8B C5 ???? 2B C5 48 ???? 0B C0 86 E0 8C E0 ???? 8C E0 86 E0 03 C4 40 }
condition:
$a0 or $a1
}
rule CodeLockvxx {
meta: author="malware-lu"
strings:
$a0 = { 43 4F 44 45 2D 4C 4F 43 4B 2E 4F 43 58 00 }
condition:
$a0 at pe.entry_point
}
rule CipherWallSelfExtratorDecryptorGUIv15 {
meta: author="malware-lu"
strings:
$a0 = { 90 61 BE 00 10 42 00 8D BE 0000 FE FF C7 87 C0 20 02 00 F9 89 C7 6A 57 83 CD FF EB 0E 90909090 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 }
condition:
$a0 at pe.entry_point
}
rule ARMProtectorv01bySMoKE {
meta: author="malware-lu"
strings:
$a0 = { E8 04 000000 83 60 EB 0C 5D EB 05 45 55 EB 04 B8 EB F9 00 C3 E8 00000000 5D EB 01 00 81 ED 5E 1F 40 00 EB 02 83 09 8D B5 EF 1F 40 00 EB 02 83 09 BA A3 11 0000 EB 01 00 8D 8D 92 31 40 00 8B 09 E8 14 000000 83 EB 01 00 8B FE E8 00000000 58 83 C0 }
condition:
$a0
}
rule Upackv037betaDwing {
meta: author="malware-lu"
strings:
$a0 = { BE B0 11 ???? AD 50 FF 76 34 EB 7C 48 01 ???? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 18 10 0000 10 00000000 ?????? 0000 ???? 00 10 000000 02 0000 04 0000000000 37 00 04 0000000000000000 ?????? 00 02 000000000000 }
$a1 = { BE B0 11 ???? AD 50 FF 76 34 EB 7C 48 01 ???? 0B 01 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 18 10 0000 10 00000000 ?????? 0000 ???? 00 10 000000 02 0000 04 0000000000 37 00 04 0000000000000000 ?????? 00 02 000000000000 ?? 0000 ?? 0000 ?? 0000 ???? 000000 10 0000 10 000000000000 0A 0000000000000000000000 EE ?????? 14 00000000 ???????????? 00 FF 76 38 AD 50 8B 3E BE F0 ?????? 6A 27 59 F3 A5 FF 76 04 83 C8 FF 8B DF AB EB 1C 00000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 0000 ?????????? 000000 40 AB 40 B1 04 F3 AB C1 E0 0A B5 ?? F3 AB 8B 7E 0C 57 51 E9 ???????? E3 B1 04 D3 E0 03 E8 8D 53 18 33 C0 55 40 51 D3 E0 8B EA 91 FF 56 4C 33 D2 59 D1 E8 13 D2 E2 FA 5D 03 EA 45 59 89 6B 08 56 8B F7 2B F5 F3 A4 AC 5E B1 80 AA 3B 7E 34 0F 82 8E FE FF FF 58 5F 59 E3 1B 8A 07 47 04 18 3C 02 73 F7 8B 07 3C ?? 75 F1 B0 00 0F C8 03 46 38 2B C7 AB E2 E5 5E 5D 59 51 59 46 AD 85 C0 74 1F }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule PrivateExeProtector1xsetisoft {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? B9 ?? 90 01 ?? BE ?? 10 40 ?? 68 50 91 41 ?? 68 01 ?????? C3 }
condition:
$a0 at pe.entry_point
}
rule Petitev14 {
meta: author="malware-lu"
strings:
$a0 = { B8 ???????? 66 9C 60 50 8B D8 03 00 68 ???????? 6A 00 }
condition:
$a0 at pe.entry_point
}
rule NullsoftInstallSystemv20a0 {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 0C 53 56 57 FF 15 B4 10 40 00 05 E8 03 0000 BE E0 E3 41 00 89 44 24 10 B3 20 FF 15 28 10 40 00 68 00 04 0000 FF 15 14 11 40 00 50 56 FF 15 10 11 40 00 80 3D E0 E3 41 00 22 75 08 80 C3 02 BE E1 E3 41 00 8A 06 8B 3D 14 12 40 00 84 C0 74 19 3A C3 74 }
condition:
$a0
}
rule Obsidium1332ObsidiumSoftware {
meta: author="malware-lu"
strings:
$a0 = { EB 01 ?? E8 2B 000000 EB 02 ???? EB 02 ???? 8B 54 24 0C EB 03 ?????? 83 82 B8 000000 24 EB 04 ???????? 33 C0 EB 04 ???????? C3 EB 02 ???? EB 01 ?? 64 67 FF 36 0000 EB 03 ?????? 64 67 89 26 0000 EB 01 ?? EB 02 ???? 50 EB 02 ???? 33 C0 EB 02 ???? 8B 00 EB 02 ???? C3 EB 04 ???????? E9 FA 000000 EB 03 ?????? E8 D5 FF FF FF EB 03 ?????? EB 01 ?? 58 EB 01 ?? EB 02 ???? 64 67 8F 06 0000 EB 02 ???? 83 C4 04 EB 02 ???? E8 3B 27 0000 }
condition:
$a0 at pe.entry_point
}
rule modifiedHACKSTOPv111f {
meta: author="malware-lu"
strings:
$a0 = { 52 B4 30 CD 21 52 FA ?? FB 3D ???? EB ?? CD 20 0E 1F B4 09 E8 }
condition:
$a0 at pe.entry_point
}
rule VxKuku886 {
meta: author="malware-lu"
strings:
$a0 = { 06 1E 50 8C C8 8E D8 BA 70 03 B8 24 25 CD 21 ?????????? 90 B4 2F CD 21 53 }
condition:
$a0 at pe.entry_point
}
rule VxCIHVersion12TTITWIN95CIH {
meta: author="malware-lu"
strings:
$a0 = { 55 8D ?????? 33 DB 64 87 03 E8 ???????? 5B 8D }
condition:
$a0 at pe.entry_point
}
rule ShegerdDongleV478MSCo {
meta: author="malware-lu"
strings:
$a0 = { E8 32 000000 B8 ???????? 8B 18 C1 CB 05 89 DA 36 8B 4C 24 0C }
condition:
$a0 at pe.entry_point
}
rule SDProtectRandyLi {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? 68 88 88 88 08 64 A1 00000000 50 64 89 25 00000000 58 64 A3 00000000 58 58 58 58 8B E8 E8 3B 000000 E8 01 000000 FF 58 05 }
condition:
$a0 at pe.entry_point
}
rule SmokesCryptv12 {
meta: author="malware-lu"
strings:
$a0 = { 60 B8 ???????? B8 ???????? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 }
condition:
$a0 at pe.entry_point
}
rule PEncryptv31 {
meta: author="malware-lu"
strings:
$a0 = { E9 ?????? 00 F0 0F C6 }
condition:
$a0 at pe.entry_point
}
rule PEncryptv30 {
meta: author="malware-lu"
strings:
$a0 = { E8 00000000 5D 81 ED 05 10 40 00 8D B5 24 10 40 00 8B FE B9 0F 000000 BB ???????? AD 33 C3 E2 FA }
condition:
$a0 at pe.entry_point
}
rule RJoiner12byVaska250320071658 {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC 0C 02 0000 8D 85 F4 FD FF FF 56 50 68 04 01 0000 FF 15 14 10 40 00 90 8D 85 F4 FD FF FF 50 FF 15 10 10 40 00 90 BE 00 20 40 00 90 83 3E FF 0F 84 84 000000 53 57 33 FF 8D 46 }
condition:
$a0 at pe.entry_point
}
rule Minke101byCodius {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 F0 53 ?????????? 10 E8 7A F6 FF FF BE 68 66 00 10 33 C0 55 68 DB 40 00 10 64 FF 30 64 89 20 E8 FA F8 FF FF BA EC 40 00 10 8B C6 E8 F2 FA FF FF 8B D8 B8 6C 66 00 10 8B 16 E8 88 F2 FF FF B8 6C 66 00 10 E8 76 F2 FF FF 8B D0 8B C3 8B 0E E8 E3 E4 FF FF E8 2A F9 FF FF E8 C1 F8 FF FF B8 6C 66 00 10 8B 16 E8 6D FA FF FF E8 14 F9 FF FF E8 AB F8 FF FF 8B 06 E8 B8 E3 FF FF 8B D8 B8 6C 66 00 10 E8 38 F2 FF FF 8B D3 8B 0E E8 A7 E4 FF ???????? C4 FB FF FF E8 E7 F8 FF FF 8B C3 E8 B0 E3 FF FF E8 DB F8 FF FF 33 C0 5A 59 59 64 89 10 68 E2 40 00 10 C3 E9 50 EB FF FF EB F8 5E 5B E8 BB EF FF FF 000000 43 41 31 38 }
condition:
$a0 at pe.entry_point
}
rule CrypWrapvxx {
meta: author="malware-lu"
strings:
$a0 = { E8 B8 ?????? E8 90 02 ???? 83 F8 ?? 75 07 6A ?? E8 ???????? FF 15 49 8F 40 ?? A9 ?????? 80 74 0E }
condition:
$a0 at pe.entry_point
}
rule WarningmaybeSimbyOZpolycryptorby3xpl01tver2xx250320072200 {
meta: author="malware-lu"
strings:
$a0 = { 57 57 8D 7C 24 04 50 B8 00 D0 17 13 AB 58 5F C3 0000 }
condition:
$a0 at pe.entry_point
}
rule WARNINGTROJANHuiGeZi {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 C4 ?? FE FF FF 53 56 57 33 C0 89 85 ?? FE FF FF }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakeyodascryptor12emadicius {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED F3 1D 40 00 B9 7B 09 0000 8D BD 3B 1E 40 00 8B F7 AC 90 2C 8A C0 C0 78 90 04 62 EB 01 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF }
condition:
$a0 at pe.entry_point
}
rule EPv10 {
meta: author="malware-lu"
strings:
$a0 = { 50 83 C0 17 8B F0 97 33 C0 33 C9 B1 24 AC 86 C4 AC AA 86 C4 AA E2 F6 00 B8 40 00 03 00 3C 40 D2 33 8B 66 14 50 70 8B 8D 34 02 44 8B 18 10 48 70 03 BA 0C ???????? C0 33 FE 8B 30 AC 30 D0 C1 F0 10 C2 D0 30 F0 30 C2 C1 AA 10 42 42 CA C1 E2 04 5F E9 5E B1 }
condition:
$a0 at pe.entry_point
}
rule D1S1Gv11betaD1N {
meta: author="malware-lu"
strings:
$a0 = { 00000000 ???????? 000000000000 01 00 0A 000000 18 0000 80 00000000 ???????? 00000000 02 000000 88 0000 80 38 0000 80 96 0000 80 50 0000 80 00000000 ???????? 000000000000 01 0000000000 68 00000000000000 ???????? 000000000000 01 0000000000 78 000000 B0 ???? 00 10 0000000000000000000000 C0 ???????? 0000000000000000000000 06 00 44 00 56 00 43 00 4C 00 41 00 4C 00 0B 00 50 00 41 00 43 00 4B 00 41 00 47 00 45 00 49 00 4E 00 46 00 4F 000000 }
condition:
$a0
}
rule PROPACKv208 {
meta: author="malware-lu"
strings:
$a0 = { 8C D3 8E C3 8C CA 8E DA 8B 0E ???? 8B F1 83 ???? 8B FE D1 ?? FD F3 A5 53 }
condition:
$a0 at pe.entry_point
}
rule BlackEnergyDDoSBotCrypter {
meta: author="malware-lu"
strings:
$a0 = { 55 ???? 81 EC 1C 01 0000 53 56 57 6A 04 BE 00 30 0000 56 FF 35 00 20 11 13 6A 00 E8 ?? 03 0000 ???? 83 C4 10 ?? FF 89 7D F4 0F }
condition:
$a0 at pe.entry_point
}
rule HACKSTOPv113 {
meta: author="malware-lu"
strings:
$a0 = { 52 B8 ???? 1E CD 21 86 E0 3D ???? 73 ?? CD 20 0E 1F B4 09 E8 ???? 24 ?? EA }
condition:
$a0 at pe.entry_point
}
rule FreeJoiner151GlOFF {
meta: author="malware-lu"
strings:
$a0 = { 90 87 FF 9090 B9 2B 000000 BA 07 10 40 00 83 C2 03 90 87 FF 9090 B9 04 000000 90 87 FF 90 33 C9 C7 05 09 30 40 0000000000 68 00 01 0000 68 21 30 40 00 6A 00 E8 B7 02 0000 6A 00 68 80 000000 6A 03 6A 00 6A 00 68 000000 80 68 21 30 40 00 E8 8F 02 0000 A3 19 30 40 00 90 87 FF 90 8B 15 09 30 40 00 81 C2 04 01 0000 F7 DA 6A 02 6A 00 52 }
condition:
$a0 at pe.entry_point
}
rule PeXv099EngbartCrackPl {
meta: author="malware-lu"
strings:
$a0 = { E9 F5 000000 0D 0A C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 C4 }
condition:
$a0 at pe.entry_point
}
rule HACKSTOPv119 {
meta: author="malware-lu"
strings:
$a0 = { 52 BA ???? 5A EB ?? 9A ???????? 30 CD 21 ?????? D6 02 ???? CD 20 0E 1F 52 BA ???? 5A EB }
condition:
$a0 at pe.entry_point
}
rule HACKSTOPv118 {
meta: author="malware-lu"
strings:
$a0 = { 52 BA ???? 5A EB ?? 9A ???????? 30 CD 21 ?????? FD 02 ???? CD 20 0E 1F 52 BA ???? 5A EB }
condition:
$a0 at pe.entry_point
}
rule PKLITEv200b {
meta: author="malware-lu"
strings:
$a0 = { 50 B8 ???? BA ???? 05 ???? 3B 06 02 00 72 ?? B4 09 BA ???? CD 21 B8 01 4C CD 21 ???????????????????????????????????????????????????????????? 59 2D ???? 8E D0 51 2D ???? 8E C0 50 B9 }
condition:
$a0 at pe.entry_point
}
rule PKLITEv200c {
meta: author="malware-lu"
strings:
$a0 = { 50 B8 ???? BA ???? 3B C4 73 ?? 8B C4 2D ???? 25 ???? 8B F8 B9 ???? BE ???? FC }
condition:
$a0 at pe.entry_point
}
rule MSLRHv032afakeNeolite20emadicius {
meta: author="malware-lu"
strings:
$a0 = { E9 A6 000000 B0 7B 40 00 78 60 40 00 7C 60 40 0000000000 B0 3F 0000 12 62 40 00 4E 65 6F 4C 69 74 65 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 43 6F 6D 70 72 65 73 73 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 38 2C 31 39 39 39 20 4E 65 6F 57 6F 72 78 20 49 6E 63 0D 0A 50 6F 72 74 69 6F 6E 73 20 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 37 2D 31 39 39 39 20 4C 65 65 20 48 61 73 69 75 6B 0D 0A 41 6C 6C 20 52 69 67 68 74 73 20 52 65 73 65 72 76 65 64 2E 00000000 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 000000 29 5A 58 6B C0 03 E8 02 000000 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }
condition:
$a0 at pe.entry_point
}
rule WWPACKv300v301Relocationspack {
meta: author="malware-lu"
strings:
$a0 = { BE ???? BA ???? BF ???? B9 ???? 8C CD 8E DD 81 ED ???? 06 06 8B DD 2B DA 8B D3 FC }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02CodeSafe20Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090909090909090909090909090909090909090 EB 0B 83 EC 10 53 56 57 E8 C4 01 00 85 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner02ZCode101Anorganix {
meta: author="malware-lu"
strings:
$a0 = { E9 12 000000000000000000000000000000 E9 FB FF FF FF C3 68 00000000 64 FF 35 00000000 }
condition:
$a0 at pe.entry_point
}
rule VxCaz1204 {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 5E 83 EE 03 1E 06 B8 FF FF CD 2F 3C 10 }
condition:
$a0 at pe.entry_point
}
rule ZealPack10Zeal {
meta: author="malware-lu"
strings:
$a0 = { C7 45 F4 0000 40 00 C7 45 F0 ???????? 8B 45 F4 05 ???????? 89 45 F4 C7 45 FC 00000000 EB 09 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 55 F0 7D 22 8B 45 F4 03 45 FC 8A 08 88 4D F8 0F BE 55 F8 83 F2 0F 88 55 F8 8B 45 F4 03 45 FC 8A 4D F8 88 08 EB CD FF 65 F4 }
condition:
$a0 at pe.entry_point
}
rule CPAV: Packer PEiD {
meta: author="malware-lu"
strings:
$a0 = { E8 ???? 4D 5A B1 01 93 01 0000 02 }
condition:
$a0 at pe.entry_point
}
rule RLPackFullEdition117iBoxLZMAAp0x {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 8B 2C 24 83 C4 04 ?????????????????????????????? 8D B5 67 30 0000 8D 9D 66 03 0000 33 FF ???????????????????? 6A 40 68 ???????? 68 ???????? 6A }
condition:
$a0 at pe.entry_point
}
rule INCrypter03INinYbyz3e_NiFe {
meta: author="malware-lu"
strings:
$a0 = { 60 64 A1 30 000000 8B 40 0C 8B 40 0C 8D 58 20 C7 03 00000000 E8 00000000 5D 81 ED 4D 16 40 00 8B 9D 0E 17 40 00 64 A1 18 000000 8B 40 30 0F B6 40 02 83 F8 01 75 05 03 DB C1 CB 10 8B 8D 12 17 40 00 8B B5 06 17 40 00 51 81 3E 2E 72 73 72 74 65 8B 85 16 17 40 00 E8 23 000000 8B 85 1A 17 40 00 E8 18 000000 8B 85 1E 17 40 00 E8 0D 000000 8B 85 22 17 40 00 E8 02 000000 EB 18 8B D6 3B 46 0C 72 0A 83 F9 01 74 0B 3B 46 34 72 06 BA 00000000 C3 58 83 FA 00 75 1A 8B 4E 10 8B 7E 0C 03 BD 02 17 40 00 83 F9 00 74 09 F6 17 31 0F 31 1F 47 E2 F7 59 83 C6 28 49 83 F9 00 75 88 8B 85 0A 17 40 00 89 44 24 1C 61 50 C3 }
condition:
$a0
}
rule MorphineV27Holy_FatherRatter29A {
meta: author="malware-lu"
strings:
$a0 = { 0000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????? 00000000 ???????????????? 00000000 4B 65 52 6E 45 6C 33 32 2E 64 4C 6C 0000 47 65 74 50 72 6F 63 41 64 64 72 }
condition:
$a0
}
rule nBinderv361 {
meta: author="malware-lu"
strings:
$a0 = { 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C 00 5C 6E 35 36 34 35 36 35 33 32 33 34 35 34 33 5F 6E 62 33 5C }
condition:
$a0
}
rule MatrixDongleTDiGmbH {
meta: author="malware-lu"
strings:
$a0 = { 000000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????? 000000000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 E8 B6 000000000000000000 ???????????? E8 00000000 5B 2B D9 8B F8 8B 4C 24 2C 33 C0 2B CF F2 AA 8B 3C 24 8B 0A 2B CF 89 5C 24 20 80 37 A2 47 49 75 F9 8D 64 24 04 FF 64 24 FC 60 C7 42 08 ???????? E8 C5 FF FF FF C3 C2 F7 29 4E 29 5A 29 E6 86 8A 89 63 5C A2 65 E2 A3 A2 }
$a1 = { E8 00000000 E8 00000000 59 5A 2B CA 2B D1 E8 1A FF FF FF }
condition:
$a0 or $a1 at pe.entry_point
}
rule NullsoftInstallSystemv20RC2 {
meta: author="malware-lu"
strings:
$a0 = { 83 EC 10 53 55 56 57 C7 44 24 14 70 92 40 00 33 ED C6 44 24 13 20 FF 15 2C 70 40 00 55 FF 15 84 72 40 00 BE 00 54 43 00 BF 00 04 0000 56 57 A3 A8 EC 42 00 FF 15 C4 70 40 00 E8 8D FF FF FF 8B 1D 90 70 40 00 85 C0 75 21 68 FB 03 0000 56 FF 15 5C 71 40 00 }
condition:
$a0
}
rule UnoPiX075BaGiE {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 07 000000 61 68 ???? 40 00 C3 83 04 24 18 C3 20 83 B8 ED 20 37 EF C6 B9 79 37 9E 61 }
condition:
$a0 at pe.entry_point
}
rule WWPACKv305c4UnextractablePasswordchecking {
meta: author="malware-lu"
strings:
$a0 = { 03 05 80 1B B8 ???? 8C CA 03 D0 8C C9 81 C1 ???? 51 B9 ???? 51 06 06 B1 ?? 51 8C D3 }
condition:
$a0 at pe.entry_point
}
rule FSGv110EngdulekxtBorlandDelphi20 {
meta: author="malware-lu"
strings:
$a0 = { EB 01 56 E8 02 000000 B2 D9 59 68 80 ?? 41 00 E8 02 000000 65 32 59 5E EB 02 CD 20 BB }
condition:
$a0 at pe.entry_point
}
rule Reg2Exe225byJanVorel {
meta: author="malware-lu"
strings:
$a0 = { 68 68 000000 68 00000000 68 70 7D 40 00 E8 AE 20 0000 83 C4 0C 68 00000000 E8 AF 52 0000 A3 74 7D 40 00 68 00000000 68 00 10 0000 68 00000000 E8 9C 52 0000 A3 70 7D 40 00 E8 24 50 0000 E8 E2 48 0000 E8 44 34 0000 E8 54 28 0000 E8 98 27 0000 E8 93 20 0000 68 01 000000 68 D0 7D 40 00 68 00000000 8B 15 D0 7D 40 00 E8 89 8F 0000 B8 0000 10 00 68 01 000000 E8 9A 8F 0000 FF 35 A4 7F 40 00 68 00 01 0000 E8 3A 23 0000 8D 0D A8 7D 40 00 5A E8 5E 1F 0000 FF 35 A8 7D 40 00 68 00 01 0000 E8 2A 52 0000 A3 B4 7D 40 00 FF 35 A4 7F 40 00 FF 35 B4 7D 40 00 FF 35 A8 7D 40 00 E8 5C 0C 0000 8D 0D A0 7D 40 00 5A E8 26 1F 0000 FF 35 }
condition:
$a0 at pe.entry_point
}
rule Armadillov420SiliconRealmsToolworks {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 F8 8E 4C 00 68 F0 EA 49 00 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF 15 88 31 4C 00 33 D2 8A D4 89 15 84 A5 4C 00 8B C8 81 E1 FF 000000 89 0D 80 A5 4C 00 C1 E1 08 03 CA 89 0D 7C A5 4C 00 C1 E8 10 A3 78 A5 }
condition:
$a0 at pe.entry_point
}
rule DalKrypt10byDalKiT {
meta: author="malware-lu"
strings:
$a0 = { 68 00 10 40 00 58 68 ?????? 00 5F 33 DB EB 0D 8A 14 03 80 EA 07 80 F2 04 88 14 03 43 81 FB ?????? 00 72 EB FF E7 }
condition:
$a0 at pe.entry_point
}
rule RCryptorv15Vaska {
meta: author="malware-lu"
strings:
$a0 = { 83 2C 24 4F 68 ???????? FF 54 24 04 83 44 24 04 4F }
condition:
$a0 at pe.entry_point
}
rule EXECryptor239compressedresources {
meta: author="malware-lu"
strings:
$a0 = { 51 68 ???????? 59 81 F1 12 3C CB 98 E9 53 2C 0000 F7 D7 E9 EB 60 0000 83 45 F8 02 E9 E3 36 0000 F6 45 F8 20 0F 84 1E 21 0000 55 E9 80 62 0000 87 0C 24 8B E9 ???????? 0000 23 C1 81 E9 ???????? 57 E9 ED 000000 0F 88 ???????? E9 2C 0D 0000 81 ED BB 43 CB 79 C1 E0 1C E9 9E 14 0000 0B 15 ???????? 81 E2 2A 70 7F 49 81 C2 9D 83 12 3B E8 0C 50 0000 E9 A0 16 0000 59 5B C3 64 FF 35 00000000 64 89 25 00000000 E8 41 42 0000 E9 93 33 0000 31 DB 89 D8 59 5B C3 A1 ???????? 8A 00 2C 99 E9 82 30 0000 0F 8A ???????? B8 01 000000 31 D2 0F A2 25 FF 0F 0000 E9 72 21 0000 0F 86 57 0B 0000 E9 ???????? C1 C0 03 E8 F0 36 0000 E9 41 0A 0000 81 F7 B3 6E 85 EA 81 C7 ???????? 87 3C 24 E9 74 52 0000 0F 8E ???????? E8 5E 37 0000 68 B1 74 96 13 5A E9 A1 04 0000 81 D1 49 C0 12 27 E9 50 4E 0000 C1 C8 1B 1B C3 81 E1 96 36 E5 }
condition:
$a0 at pe.entry_point
}
rule GameGuardv20065xxexesignbyhot_UNP {
meta: author="malware-lu"
strings:
$a0 = { 31 FF 74 06 61 E9 4A 4D 50 30 5A BA 7D 000000 80 7C 24 08 01 E9 00000000 60 BE 00 }
condition:
$a0 at pe.entry_point
}
rule EnigmaProtectorv112LITE {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 83 ED 06 81 ED ?????? 00 ?????????????????????????????????????????????????????????????? E8 01 000000 9A 83 C4 04 EB 02 FF 35 60 E8 24 0000000000 FF EB 02 CD 20 8B 44 24 0C 83 80 B8 000000 03 31 }
condition:
$a0 at pe.entry_point
}
rule MSLRHv01emadicius {
meta: author="malware-lu"
strings:
$a0 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 }
$a1 = { 60 EB 05 E8 EB 04 40 00 EB FA E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 81 83 C4 04 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 3D FF 0F 0000 EB 01 68 EB 02 CD 20 EB 01 E8 76 1B EB 01 68 EB 02 CD 20 EB 01 E8 CC 66 B8 FE 00 74 04 75 02 EB 02 EB 01 81 66 E7 64 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 000000 E8 EB 0C 0000 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 }
condition:
$a0 or $a1 at pe.entry_point
}
rule Apex_cbeta500mhz {
meta: author="malware-lu"
strings:
$a0 = { 68 ???????? B9 FF FF FF 00 01 D0 F7 E2 72 01 48 E2 F7 B9 FF 000000 8B 34 24 80 36 FD 46 E2 FA C3 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 }
condition:
$a0 at pe.entry_point
}
rule VProtector11A12vcasm {
meta: author="malware-lu"
strings:
$a0 = { 0000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 0000000000 76 63 61 73 6D 5F 70 72 6F 74 65 63 74 5F 32 30 30 35 5F 33 5F 31 38 00000000000000000000000000000000000000000000000000 33 F6 E8 10 000000 8B 64 24 08 64 8F 05 00000000 58 EB 13 C7 83 64 FF 35 00000000 64 89 25 00000000 AD CD 20 EB 01 0F 31 F0 EB 0C 33 C8 EB 03 EB 09 0F 59 74 05 75 F8 51 EB F1 B9 04 000000 E8 1F 000000 EB FA E8 16 000000 E9 EB F8 0000 58 EB 09 0F 25 E8 F2 FF FF FF 0F B9 49 75 F1 EB 05 EB F9 EB F0 D6 E8 07 000000 C7 83 83 C0 13 EB 0B 58 EB 02 CD 20 83 C0 02 EB 01 E9 50 C3 }
condition:
$a0
}
rule codeCrypter031 {
meta: author="malware-lu"
strings:
$a0 = { 50 58 53 5B 90 BB ???? 40 00 FF E3 90 CCCCCC 55 8B EC 5D C3 CCCCCCCCCCCCCCCCCCCCCC }
condition:
$a0
}
rule PKTINYv10withTINYPROGv38 {
meta: author="malware-lu"
strings:
$a0 = { 2E C6 06 ?????? 2E C6 06 ?????? 2E C6 06 ?????? E9 ???? E8 ???? 83 }
condition:
$a0 at pe.entry_point
}
rule AHTeamEPProtector03fakePESHiELD2xFEUERRADER {
meta: author="malware-lu"
strings:
$a0 = { 90 ???????????????????????????????????????????????????????????????????????????????????????????? 90 FF E0 60 E8 00000000 41 4E 41 4B 49 4E 5D 83 ED 06 EB 02 EA 04 }
condition:
$a0 at pe.entry_point
}
rule RLPackFullEditionV11Xap0x {
meta: author="malware-lu"
strings:
$a0 = { 000000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 ???????????????????????????????????????????????? 000000000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 0000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 0000 56 69 72 74 75 61 6C 41 6C 6C 6F 63 0000 56 69 72 74 75 61 6C 46 72 65 65 0000 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 0000 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 000000 10 }
condition:
$a0
}
rule Excalibur103forgot {
meta: author="malware-lu"
strings:
$a0 = { E9 00000000 60 E8 14 000000 5D 81 ED 00000000 }
condition:
$a0 at pe.entry_point
}
rule RLPack118DllaPlib043ap0x {
meta: author="malware-lu"
strings:
$a0 = { 80 7C 24 08 01 0F 85 5C 01 0000 60 E8 00000000 8B 2C 24 83 C4 ?? 8D B5 1A 04 0000 8D 9D C1 02 0000 33 FF E8 61 01 0000 EB 0F FF 74 37 04 FF 34 37 FF D3 83 C4 ?? 83 C7 ?? 83 3C 37 00 75 EB 83 BD 06 04 000000 74 0E 83 BD 0A 04 000000 74 05 E8 D7 01 0000 8D 74 37 04 53 6A ?? 68 ???????? 68 ???????? 6A ?? FF 95 A7 03 0000 89 85 16 04 0000 5B FF B5 16 04 0000 56 FF D3 83 C4 ?? 8B B5 16 04 0000 8B C6 EB 01 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01MicrosoftVisualC50MFCAnorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? 68 ???????? 64 A1 00000000 50 E9 }
condition:
$a0 at pe.entry_point
}
rule Pohernah101byKas {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 00000000 5D 81 ED F1 26 40 00 8B BD 18 28 40 00 8B 8D 20 28 40 00 B8 38 28 40 00 01 E8 80 30 05 83 F9 00 74 71 81 7F 1C AB 000000 75 62 8B 57 0C 03 95 1C 28 40 00 31 C0 51 31 C9 66 B9 FA 00 66 83 F9 00 74 49 8B 57 0C 03 95 1C 28 40 00 8B 85 24 28 40 00 83 F8 02 75 06 81 C2 00 02 0000 51 8B 4F 10 83 F8 02 75 06 81 E9 00 02 0000 57 BF C8 000000 89 CE E8 27 000000 89 C1 5F B8 38 28 40 00 01 E8 E8 24 000000 59 49 EB B1 59 83 C7 28 49 EB 8A 8B 85 14 28 40 00 89 44 24 1C 61 FF E0 56 57 4F F7 D7 21 FE 89 F0 5F 5E C3 60 83 F0 05 40 90 48 83 F0 05 89 C6 89 D7 60 E8 0B 000000 61 83 C7 08 83 E9 07 E2 F1 61 C3 57 8B 1F 8B 4F 04 68 B9 79 37 9E 5A 42 89 D0 48 C1 E0 05 BF 20 000000 4A 89 DD C1 E5 04 29 E9 8B 6E 08 31 DD 29 E9 89 DD C1 ED 05 31 C5 29 E9 2B 4E 0C 89 CD C1 E5 04 29 EB 8B 2E 31 CD 29 EB 89 CD C1 ED 05 31 C5 29 EB 2B 5E 04 29 D0 4F 75 C8 5F 89 1F 89 4F 04 C3 }
condition:
$a0 at pe.entry_point
}
rule Armadillov25xv26x {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 6A FF 68 ???????? 68 ???????? 64 A1 00000000 50 64 89 25 00000000 83 EC 58 53 56 57 89 65 E8 FF 15 58 ?????? 33 D2 8A D4 89 15 EC }
condition:
$a0 at pe.entry_point
}
rule PESpinv11Cyberbob {
meta: author="malware-lu"
strings:
$a0 = { EB 01 68 60 E8 00000000 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 0000 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }
condition:
$a0 at pe.entry_point
}
rule Escargot01byueMeat {
meta: author="malware-lu"
strings:
$a0 = { EB 08 28 65 73 63 30 2E 31 29 60 68 2B ?????? 64 FF 35 00000000 64 89 25 00000000 B8 5C ?????? 8B 00 FF D0 50 BE 00 10 ???? B9 00 ???? 00 EB 05 49 80 34 31 40 0B C9 75 F7 58 0B C0 74 08 33 C0 C7 00 DE C0 AD 0B BE ???????? E9 AC 000000 8B 46 0C BB 0000 ???? 03 C3 50 50 B8 54 ?????? 8B 00 FF D0 5F 80 3F 00 74 06 C6 07 00 47 EB F5 33 FF 8B 16 0B D2 75 03 8B 56 10 03 D3 03 D7 8B 0A C7 02 00000000 0B C9 74 4B F7 C1 000000 80 74 14 81 E1 FF FF 0000 50 51 50 B8 50 }
condition:
$a0
}
rule EncryptPE2200461622006630WFS {
meta: author="malware-lu"
strings:
$a0 = { 60 9C 64 FF 35 00000000 E8 7A 01 0000000000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????????????????????????????????????????????????????? 00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 000000 43 72 65 61 74 65 46 69 6C 65 41 000000 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 000000 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 43 6C 6F 73 65 48 61 6E 64 6C 65 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 45 78 69 74 50 72 6F 63 65 73 73 }
condition:
$a0 at pe.entry_point
}
rule tElockv060 {
meta: author="malware-lu"
strings:
$a0 = { E9 00000000 60 E8 00000000 58 83 C0 08 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01BorlandDelphi30Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 83 C4 90909090 68 ???????? 9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090 }
condition:
$a0 at pe.entry_point
}
rule ActiveMARKTMR5311140Trymedia {
meta: author="malware-lu"
strings:
$a0 = { 79 11 7F AB 9A 4A 83 B5 C9 6B 1A 48 F9 27 B4 25 }
condition:
$a0 at pe.entry_point
}
rule PEBundlev244 {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB ???? 40 ?? 87 DD 83 BD }
condition:
$a0 at pe.entry_point
}
rule PECompactv120v1201 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 0F 70 40 ?? 87 DD 8B 85 9A 70 40 }
condition:
$a0 at pe.entry_point
}
rule ASPackv104bAlexeySolodovnikov {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 ???????? 5D 81 ED ???????? B8 ???????? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ???? 80 BD 08 9D }
condition:
$a0 at pe.entry_point
}
rule MESSv120 {
meta: author="malware-lu"
strings:
$a0 = { FA B9 ???? F3 ???? E3 ?? EB ?? EB ?? B6 }
condition:
$a0 at pe.entry_point
}
rule RCryptorv13v14Vaska {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 8B 44 24 04 83 E8 4F 68 ???????? FF D0 58 59 50 }
$a1 = { 55 8B EC 8B 44 24 04 83 E8 4F 68 ???????? FF D0 58 59 50 B8 ???????? 3D ???????? 74 06 80 30 ?? 40 EB F3 }
condition:
$a0 at pe.entry_point or $a1 at pe.entry_point
}
rule ThinstallV27XJitit {
meta: author="malware-lu"
strings:
$a0 = { 9C 60 E8 00000000 58 BB ???????? 2B C3 50 68 ???????? 68 ???????? 68 ???????? E8 ???????? E9 }
condition:
$a0 at pe.entry_point
}
rule eXPressor120BetaPEPacker {
meta: author="malware-lu"
strings:
$a0 = { 55 8B EC 81 EC ???????? 53 56 57 EB ?? 45 78 50 72 2D 76 2E 31 2E 32 2E 2E }
condition:
$a0 at pe.entry_point
}
rule Packanoid10ackanoid {
meta: author="malware-lu"
strings:
$a0 = { BF 00 ?? 40 00 BE ?????? 00 E8 9D 000000 B8 ?????? 00 8B 30 8B 78 04 BB ?????? 00 8B 43 04 91 E3 1F 51 FF D6 56 96 8B 13 8B 02 91 E3 0D 52 51 56 FF D7 5A 89 02 83 C2 04 EB EE 83 C3 08 5E EB DB B9 ???? 0000 BE 00 ???? 00 EB 01 00 BF ?????? 00 }
condition:
$a0 at pe.entry_point
}
rule EncryptPE1200331812003518WFS {
meta: author="malware-lu"
strings:
$a0 = { 60 9C 64 FF 35 00000000 E8 79 01 0000000000000000000000000000 ???????????????? 0000000000000000000000000000000000000000 ???????????????????????????????????????????????????????????????????????? 00000000 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 000000 47 65 74 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 41 000000 43 72 65 61 74 65 46 69 6C 65 41 000000 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 000000 4D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 55 6E 6D 61 70 56 69 65 77 4F 66 46 69 6C 65 000000 43 6C 6F 73 65 48 61 6E 64 6C 65 000000 4C 6F 61 64 4C 69 62 72 61 72 79 41 000000 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 000000 45 78 69 74 50 72 6F 63 65 73 73 }
condition:
$a0 at pe.entry_point
}
rule PECompactv09781 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB 49 87 40 ?? 87 DD 8B 85 CE 87 }
condition:
$a0 at pe.entry_point
}
rule PECompactv09782 {
meta: author="malware-lu"
strings:
$a0 = { EB 06 68 ???????? C3 9C 60 E8 02 ?????? 33 C0 8B C4 83 C0 04 93 8B E3 8B 5B FC 81 EB D1 84 40 ?? 87 DD 8B 85 56 85 }
condition:
$a0 at pe.entry_point
}
rule PseudoSigner01Gleam100Anorganix {
meta: author="malware-lu"
strings:
$a0 = { 90909090909090909090909090909090909090909090 EB 0B 83 EC 0C 53 56 57 E8 24 02 00 FF E9 }
condition:
$a0 at pe.entry_point
}
rule UPackAltStubDwing {
meta: author="malware-lu"
strings:
$a0 = { 60 E8 09 000000 C3 F6 0000 E9 06 02 0000 33 C9 5E 87 0E E3 F4 2B F1 8B DE AD 2B D8 AD }
condition:
$a0 at pe.entry_point
}
rule VxModificationofHi924 {
meta: author="malware-lu"
strings:
$a0 = { 50 53 51 52 1E 06 9C B8 21 35 CD 21 53 BB ???? 26 ???? 49 48 5B }
condition:
$a0 at pe.entry_point
}
rule EXECryptor226DLLminimumprotection {
meta: author="malware-lu"
strings:
$a0 = { 50 8B C6 87 04 24 68 ???????? 5E E9 ???????? 85 C8 E9 ???????? 81 C3 ???????? 0F 81 ?????? 00 81 FA ???????? 33 D0 E9 ?????? 00 0F 8D ?????? 00 81 D5 ???????? F7 D1 0B 15 ???????? C1 C2 ?? 81 C2 ???????? 9D E9 ???????? C1 E2 ?? C1 E8 ?? 81 EA ???????? 13 DA 81 E9 ???????? 87 04 24 8B C8 E9 ???????? 55 8B EC 83 C4 F8 89 45 FC 8B 45 FC 89 45 F8 8B 45 08 E9 ???????? 8B 45 E0 C6 0000 FF 45 E4 E9 ???????? FF 45 E4 E9 ?????? 00 F7 D3 0F 81 ???????? E9 ???????? 87 34 24 5E 8B 45 F4 E8 ?????? 00 8B 45 F4 8B E5 5D C3 E9 }
condition:
$a0 at pe.entry_point
}
rule yodasProtector102AshkibizDanehlar {
meta: author="malware-lu"
strings:
$a0 = { E8 03 000000 EB 01 ?? BB 55 000000 E8 03 000000 EB 01 ?? E8 8F 000000 E8 03 000000 EB 01 ?? E8 82 000000 E8 03 000000 EB 01 ?? E8 B8 000000 E8 03 000000 EB 01 ?? E8 AB 000000 E8 03 000000 EB 01 ?? 83 FB 55 E8 03 000000 EB 01 ?? 75 }
condition:
$a0 at pe.entry_point
}
rule ACProtectv135riscosoftwareIncAnticrackSoftware {
meta: author="malware-lu"
strings:
$a0 = { 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C 00 ???????????????????????????????????????? 55 53 45 52 33 32 2E 44 4C 4C 00 ?????????????????????????????????????????????????????????????????? 00 47 65 74 50 72 6F 63 }
condition:
$a0
}
rule upx_0_80_to_1_24 : Packer {
meta:
author="Kevin Falcoz"
date_create="25/02/2013"
description="UPX 0.80 to 1.24"
strings:
$str1={6A 60 68 60 02 4B 00 E8 8B 04 0000 83 65 FC 00 8D 45 90 50 FF 15 8C F1 48 00 C7 45 FC FE FF FF FF BF 94 000000 57}
condition:
$str1 at pe.entry_point
}
rule upx_1_00_to_1_07 : Packer {
meta:
author="Kevin Falcoz"
date_create="19/03/2013"
description="UPX 1.00 to 1.07"
strings:
$str1={60 BE 00 ?0 4? 00 8D BE 00 B0 F? FF ?7 8? [3] ?0 9? [0-9] 90909090 [0-2] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 000000 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0}
condition:
$str1 at pe.entry_point
}
rule upx_3 : Packer {
meta:
author="Kevin Falcoz"
date_create="25/02/2013"
description="UPX 3.X"
strings:
$str1={60 BE 00 [2] 00 8D BE 00 [2] FF [1-12] EB 1? 9090909090 [1-3] 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01}
condition:
$str1 at pe.entry_point
}
rule obsidium : Packer {
meta:
author="Kevin Falcoz"
date_create="21/01/2013"
last_edit="17/03/2013"
description="Obsidium"
strings:
$str1={EB 02 [2] E8 25 000000 EB 04 [4] EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 000000 23 EB 01 ?? 33 C0 EB 02 [2] C3 EB 02 [2] EB 04} /*EntryPoint*/
condition:
$str1 at pe.entry_point
}
rule pecompact2 : Packer {
meta:
author="Kevin Falcoz"
date_create="25/02/2013"
description="PECompact"
strings:
$str1={B8 [3] 00 50 64 FF 35 00000000 64 89 25 00000000 33 C0 89 08 50 45 43} /*EntryPoint*/
condition:
$str1 at pe.entry_point
}
rule aspack : Packer {
meta:
author="Kevin Falcoz"
date_create="25/02/2013"
description="ASPack"
strings:
$str1={60 E8 00000000 5D 81 ED 5D 3B 40 00 64 A1 30 000000 0F B6 40 02 0A C0 74 04 33 C0 87 00 B9 ???? 0000 8D BD B7 3B 40 00 8B F7 AC} /*EntryPoint*/
condition:
$str1 at pe.entry_point
}
rule execryptor : Protector {
meta:
author="Kevin Falcoz"
date_create="25/02/2013"
description="EXECryptor"
strings:
$str1={E8 24 000000 8B 4C 24 0C C7 01 17 00 01 00 C7 81 B8 00000000000000 31 C0 89 41 14 89 41 18 80 A1 C1 000000 FE C3 31 C0 64 FF 30 64 89 20 64 8F 05 00000000} /*EntryPoint*/
condition:
$str1 at pe.entry_point
}
rule winrar_sfx : Packer {
meta:
author="Kevin Falcoz"
date_create="18/03/2013"
description="Winrar SFX Archive"
strings:
$signature1={0000 53 6F 66 74 77 61 72 65 5C 57 69 6E 52 41 52 20 53 46 58 00}
condition:
$signature1
}
rule mpress_2_xx_x86 : Packer {
meta:
author="Kevin Falcoz"
date_create="19/03/2013"
last_edit="24/03/2013"
description="MPRESS v2.XX x86 - no .NET"
strings:
$signature1={60 E8 00000000 58 05 [2] 0000 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 88 04 31 75 F6}
condition:
$signature1 at pe.entry_point
}
rule mpress_2_xx_x64 : Packer {
meta:
author="Kevin Falcoz"
date_create="19/03/2013"
last_edit="24/03/2013"
description="MPRESS v2.XX x64 - no .NET"
strings:
$signature1={57 56 53 51 52 41 50 48 8D 05 DE 0A 0000 48 8B 30 48 03 F0 48 2B C0 48 8B FE 66 AD C1 E0 0C 48 8B C8 50 AD 2B C8 48 03 F1 8B C8 57 44 8B C1 FF C9 8A 44 39 06 88 04 31}
condition:
$signature1 at pe.entry_point
}
rule mpress_2_xx_net : Packer {
meta:
author="Kevin Falcoz"
date_create="24/03/2013"
description="MPRESS v2.XX .NET"
strings:
$signature1={21 46 00 69 00 6C 00 65 00 20 00 69 00 73 00 20 00 69 00 6E 00 76 00 61 00 6C 00 69 00 64 00 2E 0000 0D 4D 00 50 00 52 00 45 00 53 00 53 0000000000 2D 2D 93 6B 35 04 2E 43 85 EF}
condition:
$signature1
}
rule rpx_1_xx : Packer {
meta:
author="Kevin Falcoz"
date_create="24/03/2013"
description="RPX v1.XX"
strings:
$signature1= "RPX 1."
$signature2= "Copyright 20"
condition:
$signature1 and $signature2
}
rule mew_11_xx : Packer {
meta:
author="Kevin Falcoz"
date_create="25/03/2013"
description="MEW 11"
strings:
$signature1={50 72 6F 63 41 64 64 72 65 73 73 00 E9 [6-7] 000000000000000000 [7] 00}
$signature2="MEW"
condition:
$signature1 and $signature2
}
rule yoda_crypter_1_2 : Crypter {
meta:
author="Kevin Falcoz"
date_create="15/04/2013"
description="Yoda Crypter 1.2"
strings:
$signature1={60 E8 00000000 5D 81 ED F3 1D 40 00 B9 7B 09 0000 8D BD 3B 1E 40 00 8B F7 AC [19] EB 01 [27] AA E2 CC}
condition:
$signature1 at pe.entry_point
}
rule yoda_crypter_1_3 : Crypter {
meta:
author="Kevin Falcoz"
date_create="15/04/2013"
description="Yoda Crypter 1.3"
strings:
$signature1={55 8B EC 53 56 57 60 E8 00000000 5D 81 ED 6C 28 40 00 B9 5D 34 40 00 81 E9 C6 28 40 00 8B D5 81 C2 C6 28 40 00 8D 3A 8B F7 33 C0 EB 04 90 EB 01 C2 AC}
condition:
$signature1 at pe.entry_point
}
rule dotfuscator : packer {
meta:
author = "Jean-Philippe Teissier / @Jipe_"
description = "Dotfuscator"
date = "2013-02-01"
filetype = "memory"
version = "1.0"
strings:
$a = "Obfuscated with Dotfuscator"
condition:
$a
}
rule AutoIt_2 : packer {
meta:
author = "Jean-Philippe Teissier / @Jipe_"
description = "AutoIT packer"
date = "2013-02-01"
filetype = "memory"
version = "1.0"
strings:
$a = "This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support."
condition:
$a
}
rule mumblehard_packer {
meta:
description = "Mumblehard i386 assembly code responsible for decrypting Perl code"
author = "Marc-Etienne M.Leveille"
date = "2015-04-07"
reference = "http://www.welivesecurity.com"
version = "1"
strings:
$decrypt = { 31 db [1-10] ba ?? 000000 [0-6] (56 5f | 89 F7) 39 d3 75 13 81 fa ?? 000000 75 02 31 d2 81 c2 ?? 000000 31 db 43 ac 30 d8 aa 43 e2 e2 }
condition:
$decrypt
}
Reference in a new issue View git blame Copy permalink