Tactics and techniques observed for this actor, mapped to MITRE ATT&CK (click to view the official entry). Useful for prioritizing detections.
Defensive detection signature for this group (use it in your EDR/SIEM). Source: ransomware.live.
```yara
rule win_play_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.play."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.play"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 8b5d08 8d9328442324 8955e8 8d834f86c861 8d9377caeb85 8955ec 8d5103 }
            // n = 7, score = 100
            //   8b5d08               | mov    ebx, dword ptr [ebp + 8]
            //   8d9328442324         | lea    edx, [ebx + 0x24234428]
            //   8955e8               | mov    dword ptr [ebp - 0x18], edx
            //   8d834f86c861         | lea    eax, [ebx + 0x61c8864f]
            //   8d9377caeb85         | lea    edx, [ebx - 0x7a143589]
            //   8955ec               | mov    dword ptr [ebp - 0x14], edx
            //   8d5103               | lea    edx, [ecx + 3]

        $sequence_1 = { 51 8d147f c1e202 e8???????? 83c408 a3???????? }
            // n = 6, score = 100
            //   51                   | push   ecx
            //   8d147f               | lea    edx, [edi + edi*2]
            //   c1e202               | shl    edx, 2
            //   e8????????           |
            //   83c408               | add    esp, 8
            //   a3????????           |

        $sequence_2 = { 8d85b1feffff 03c1 50 8d85a8fdffff 6804010000 50 e8???????? }
            // n = 7, score = 100
            //   8d85b1feffff         | lea    eax, [ebp - 0x14f]
            //   03c1                 | add    eax, ecx
            //   50                   | push   eax
            //   8d85a8fdffff         | lea    eax, [ebp - 0x258]
            //   6804010000           | push   0x104
            //   50                   | push   eax
            //   e8????????           |

        $sequence_3 = { 8a852afeffff 04f6 8885d2feffff 88852afeffff 8d45c8 50 ff35???????? }
            // n = 7, score = 100
            //   8a852afeffff         | mov    al, byte ptr [ebp - 0x1d6]
            //   04f6                 | add    al, 0xf6
            //   8885d2feffff         | mov    byte ptr [ebp - 0x12e], al
            //   88852afeffff         | mov    byte ptr [ebp - 0x1d6], al
            //   8d45c8               | lea    eax, [ebp - 0x38]
            //   50                   | push   eax
            //   ff35????????         |

        $sequence_4 = { 899dbcfeffff 83d600 8995b0feffff 89b568feffff 888d82feffff 85d2 7514 }
            // n = 7, score = 100
            //   899dbcfeffff         | mov    dword ptr [ebp - 0x144], ebx
            //   83d600               | adc    esi, 0
            //   8995b0feffff         | mov    dword ptr [ebp - 0x150], edx
            //   89b568feffff         | mov    dword ptr [ebp - 0x198], esi
            //   888d82feffff         | mov    byte ptr [ebp - 0x17e], cl
            //   85d2                 | test   edx, edx
            //   7514                 | jne    0x16

        $sequence_5 = { c78580fdffff2d51be07 c78584fdffff2f3de01e c78588fdffff760ba609 c7858cfdffff6b188d10 c78590fdffff8739684e c78594fdffff88540000 0f118550fcffff }
            // n = 7, score = 100
            //   c78580fdffff2d51be07 | mov    dword ptr [ebp - 0x280], 0x7be512d
            //   c78584fdffff2f3de01e | mov    dword ptr [ebp - 0x27c], 0x1ee03d2f
            //   c78588fdffff760ba609 | mov    dword ptr [ebp - 0x278], 0x9a60b76
            //   c7858cfdffff6b188d10 | mov    dword ptr [ebp - 0x274], 0x108d186b
            //   c78590fdffff8739684e | mov    dword ptr [ebp - 0x270], 0x4e683987
            //   c78594fdffff88540000 | mov    dword ptr [ebp - 0x26c], 0x5488
            //   0f118550fcffff       | movups xmmword ptr [ebp - 0x3b0], xmm0

        $sequence_6 = { 40 6603f2 83f810 7cf0 0fb7c6 ba10000000 }
            // n = 6, score = 100
            //   40                   | inc    eax
            //   6603f2               | add    si, dx
            //   83f810               | cmp    eax, 0x10
            //   7cf0                 | jl     0xfffffff2
            //   0fb7c6               | movzx  eax, si
            //   ba10000000           | mov    edx, 0x10

        $sequence_7 = { 6809ed1c23 b6b7 92 e2a8 fc f622 94 }
            // n = 7, score = 100
            //   6809ed1c23           | push   0x231ced09
            //   b6b7                 | mov    dh, 0xb7
            //   92                   | xchg   eax, edx
            //   e2a8                 | loop   0xffffffaa
            //   fc                   | cld
            //   f622                 | mul    byte ptr [edx]
            //   94                   | xchg   eax, esp

        $sequence_8 = { 660fd645e0 b9???????? e8???????? 83c408 8d55d0 8bcf e8???????? }
            // n = 7, score = 100
            //   660fd645e0           | movq   qword ptr [ebp - 0x20], xmm0
            //   b9????????           |
            //   e8????????           |
            //   83c408               | add    esp, 8
            //   8d55d0               | lea    edx, [ebp - 0x30]
            //   8bcf                 | mov    ecx, edi
            //   e8????????           |

        $sequence_9 = { 8b45b0 895db8 c745d801000000 8b048580d24200 8945d0 81f9e9fd0000 0f852d010000 }
            // n = 7, score = 100
            //   8b45b0               | mov    eax, dword ptr [ebp - 0x50]
            //   895db8               | mov    dword ptr [ebp - 0x48], ebx
            //   c745d801000000       | mov    dword ptr [ebp - 0x28], 1
            //   8b048580d24200       | mov    eax, dword ptr [eax*4 + 0x42d280]
            //   8945d0               | mov    dword ptr [ebp - 0x30], eax
            //   81f9e9fd0000         | cmp    ecx, 0xfde9
            //   0f852d010000         | jne    0x133

    condition:
        7 of them and filesize < 389120
}
```
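To see how the rule above actually decides a match (the `??` wildcard bytes, the "7 of them" threshold and the `filesize` gate), here is a small added Python re-implementation of its string matching and condition. It is not part of the page or of yara-signator; it only supports whole-byte wildcards, and the sample buffer it scans is constructed, not real malware.

```python
import re

# The ten hex strings from the win_play_auto rule above; "??" is a one-byte wildcard.
SEQUENCES = {
    "$sequence_0": "8b5d08 8d9328442324 8955e8 8d834f86c861 8d9377caeb85 8955ec 8d5103",
    "$sequence_1": "51 8d147f c1e202 e8???????? 83c408 a3????????",
    "$sequence_2": "8d85b1feffff 03c1 50 8d85a8fdffff 6804010000 50 e8????????",
    "$sequence_3": "8a852afeffff 04f6 8885d2feffff 88852afeffff 8d45c8 50 ff35????????",
    "$sequence_4": "899dbcfeffff 83d600 8995b0feffff 89b568feffff 888d82feffff 85d2 7514",
    "$sequence_5": "c78580fdffff2d51be07 c78584fdffff2f3de01e c78588fdffff760ba609 c7858cfdffff6b188d10 c78590fdffff8739684e c78594fdffff88540000 0f118550fcffff",
    "$sequence_6": "40 6603f2 83f810 7cf0 0fb7c6 ba10000000",
    "$sequence_7": "6809ed1c23 b6b7 92 e2a8 fc f622 94",
    "$sequence_8": "660fd645e0 b9???????? e8???????? 83c408 8d55d0 8bcf e8????????",
    "$sequence_9": "8b45b0 895db8 c745d801000000 8b048580d24200 8945d0 81f9e9fd0000 0f852d010000",
}
MAX_FILESIZE = 389120  # the rule's "filesize < 389120" gate
THRESHOLD = 7          # the rule's "7 of them"


def hex_pattern_to_regex(pattern):
    """Compile a YARA hex string (whole-byte ?? wildcards only) into a bytes regex."""
    digits = pattern.replace(" ", "")
    parts = [b"." if digits[i:i + 2] == "??" else re.escape(bytes.fromhex(digits[i:i + 2]))
             for i in range(0, len(digits), 2)]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so "." also matches 0x0a


COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}


def matching_sequences(data):
    """Names of rule strings found anywhere in data (YARA would also report offsets)."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def win_play_auto(data):
    """The rule's condition: at least 7 of the 10 strings hit and the file is under 389120 bytes."""
    return len(matching_sequences(data)) >= THRESHOLD and len(data) < MAX_FILESIZE


def build_sample(names, pad=64):
    """Constructed test buffer (not a real sample): chosen sequences, wildcards filled with 0x90."""
    body = b"".join(b"\x00" * pad + bytes.fromhex(SEQUENCES[n].replace(" ", "").replace("??", "90"))
                    for n in names)
    return body + b"\x00" * pad
```

Note that a buffer padded past 389120 bytes fails the rule even when all ten strings are present, which is why packed or bloated builds can slip past size-gated signatures.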
PLAY news portal, Tor network links: [redacted] [redacted] [redacted]
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| Mundt and Associates | US | Business Services | — | 10 Jun 2026 |
| Rainbow Distributors USA | US | Consumer Services | — | 10 Jun 2026 |
| Pearson Ford | GB | Transportation/Logistics | — | 6 Jun 2026 |
| Urschel Laboratories | US | Agriculture and Food Production | — | 4 Jun 2026 |
| Dallis Law Firm | US | Business Services | — | 4 Jun 2026 |
| The Chapel | US | Not Found | — | 4 Jun 2026 |
| Corley MFG | US | Manufacturing | — | 4 Jun 2026 |
| Digitall Graphics | CA | Technology | — | 1 Jun 2026 |
| Hightower Communications | US | Telecommunication | — | 1 Jun 2026 |
| Amarilla Gas | AR | Energy | — | 13 Jun 2024 |
| Madata | MX | Not Found | — | 26 Apr 2024 |
| FERRE BARNIEDO | MX | Manufacturing | — | 24 Jul 2023 |
| Grupo Corporacion Control | MX | Not Found | — | 22 May 2023 |
| Cervecería Regional | VE | Consumer Services | — | 22 Dec 2022 |
The leak site addresses (.onion) are known but are neither published nor linked. Only public metadata is shown.