Merge pull request #815 from avast/improve-molebox-detection

Improve MoleBox packer detection.
avast · Jul 22, 2020 · de06abb · de06abb
2 parents 60ea783 + d5cf711
commit de06abb
Showing 1 changed file with 46 additions and 11 deletions.
diff --git a/support/yara_patterns/tools/pe/x86/packers.yara b/support/yara_patterns/tools/pe/x86/packers.yara
@@ -3741,17 +3741,6 @@ rule beroexepacker_uv_01 {
 		beroexepacker_uv_prologue and 1 of them
 }
 
-rule bitarts {
-	meta:
-		tool = "P"
-		name = "BITARTS"
-		pattern = "55E8000000005D83ED068BC5556089AD????00002B85????00008985????000055BB????000003DD536467FF36000064678926000080BD????0000007509C685"
-	strings:
-		$1 = { 55 E8 00 00 00 00 5D 83 ED 06 8B C5 55 60 89 AD ?? ?? 00 00 2B 85 ?? ?? 00 00 89 85 ?? ?? 00 00 55 BB ?? ?? 00 00 03 DD 53 64 67 FF 36 00 00 64 67 89 26 00 00 80 BD ?? ?? 00 00 00 75 09 C6 85 }
-	condition:
-		$1 at pe.entry_point
-}
-
 rule blackenergy_ddos_bot_crypter {
 	meta:
 		tool = "P"
@@ -8388,6 +8377,28 @@ rule molebox_uv {
 		$1 at pe.entry_point
 }
 
+rule molebox_uv_01 {
+	meta:
+		tool = "P"
+		name = "MoleBox"
+		pattern = "558BEC6AFF6800000000680000000064A1000000005064892500000000"
+	strings:
+		$1 = { 55 8B EC 6A FF 68 00 00 00 00 68 00 00 00 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 }
+	condition:
+		$1 at pe.entry_point
+}
+
+rule molebox_uv_02 {
+	meta:
+		tool = "P"
+		name = "MoleBox"
+		pattern = "584F4A554D414E4A"
+	strings:
+		$1 = { 58 4F 4A 55 4D 41 4E 4A }
+	condition:
+		$1 in (pe.overlay.offset .. pe.overlay.offset + pe.overlay.size)
+}
+
 rule molebox_20 {
 	meta:
 		tool = "P"
@@ -8424,6 +8435,18 @@ rule molebox_23x {
 		$1 at pe.entry_point
 }
 
+rule molebox_236 {
+	meta:
+		tool = "P"
+		name = "MoleBox"
+		version = "2.3.6"
+		pattern = "EB168B15????????FF328F05????????EB068F05????????B8????????833800742050"
+	strings:
+		$1 = { EB 16 8B 15 ?? ?? ?? ?? FF 32 8F 05 ?? ?? ?? ?? EB 06 8F 05 ?? ?? ?? ?? B8 ?? ?? ?? ?? 83 38 00 74 20 50 }
+	condition:
+		$1 at pe.entry_point
+}
+
 rule molebox_254 {
 	meta:
 		tool = "P"
@@ -8448,6 +8471,18 @@ rule molebox_pro_255 {
 		$1 at pe.entry_point
 }
 
+rule molebox_42321 {
+	meta:
+		tool = "P"
+		name = "MoleBox"
+		version = "4.2321"
+		pattern = "6A286870204000E8740200003?FF57FF15????????6681384D5A75"
+	strings:
+		$1 = { 6A 28 68 70 20 40 00 E8 74 02 00 00 3? FF 57 FF 15 ?? ?? ?? ?? 66 81 38 4D 5A }
+	condition:
+		$1 at pe.entry_point
+}
+
 rule molebox_pro_43018 {
 	meta:
 		tool = "P"