/*
 * Auto-generated YARA rule for the win.flawedgrace family (yara-signator / Malpedia).
 *
 * Signal: ten short x86 opcode sequences lifted from the disassembly of the
 * reference sample(s). The condition fires when at least 7 of the 10 sequences
 * are present and the scanned object is smaller than 966656 bytes.
 *
 * Deployment notes (reviewer):
 *  - `filesize` is only defined when YARA scans a file; per the YARA
 *    documentation it is undefined for process-memory scans, so the `and`
 *    in the condition cannot be satisfied there. Drop or adapt the `filesize`
 *    term if this rule is meant for live process scanning, and keep in mind
 *    that full-process dumps written to disk will usually exceed the cap too.
 *  - $sequence_5 and $sequence_9 embed absolute addresses (0x4593e0,
 *    0x45d7e0, 0x45d3e0), i.e. they are tied to the image base of the
 *    reference build; a rebuilt, relinked or rebased sample will not match
 *    those two sequences even if the surrounding code is unchanged.
 *  - $sequence_3, $sequence_6 and $sequence_7 are (almost) all zero-byte
 *    stores into a stack buffer; their specificity comes from the frame
 *    offsets rather than from the stored values, so weigh them as weaker
 *    evidence than the table-lookup sequences when assigning confidence.
 */
rule win_flawedgrace_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.flawedgrace."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Also take the described generation method into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Stack cleanup after a call, then a compare against a struct field
        // ([edi + 0x24]) with a backward jne, i.e. the tail of a loop.
        // The `e8????????` wildcard masks the call's rel32 target, so this
        // sequence survives relinking; the rest is position-independent.
        $sequence_0 = { 83c414 8d4df8 e8???????? 8b4df8 3b4f24 7591 57 }
            // n = 7, score = 200
            //   83c414               | add                 esp, 0x14
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   e8????????           |                     
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   3b4f24               | cmp                 ecx, dword ptr [edi + 0x24]
            //   7591                 | jne                 0xffffff93
            //   57                   | push                edi

        // Byte-wise initialization of a stack buffer with non-trivial
        // immediates (0x19, 0xa0, 0x3e, 0x66, ...). The stored bytes are the
        // buffer's content; what that content represents is not visible here.
        $sequence_1 = { c68503e4ffff00 c68504e4ffff19 c68505e4ffffa0 c68506e4ffff3e c68507e4ffffa0 c68508e4ffff66 c68509e4ffffa0 }
            // n = 7, score = 200
            //   c68503e4ffff00       | mov                 byte ptr [ebp - 0x1bfd], 0
            //   c68504e4ffff19       | mov                 byte ptr [ebp - 0x1bfc], 0x19
            //   c68505e4ffffa0       | mov                 byte ptr [ebp - 0x1bfb], 0xa0
            //   c68506e4ffff3e       | mov                 byte ptr [ebp - 0x1bfa], 0x3e
            //   c68507e4ffffa0       | mov                 byte ptr [ebp - 0x1bf9], 0xa0
            //   c68508e4ffff66       | mov                 byte ptr [ebp - 0x1bf8], 0x66
            //   c68509e4ffffa0       | mov                 byte ptr [ebp - 0x1bf7], 0xa0

        // Boolean check on an 8-bit result followed by loads from a large
        // stack frame (offsets around -0x3f1c); frame-offset specific.
        $sequence_2 = { 0fb6c0 85c0 741f 8b8de4c0ffff 8b5108 8995ccc0ffff 8b95e4c0ffff }
            // n = 7, score = 200
            //   0fb6c0               | movzx               eax, al
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   8b8de4c0ffff         | mov                 ecx, dword ptr [ebp - 0x3f1c]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   8995ccc0ffff         | mov                 dword ptr [ebp - 0x3f34], edx
            //   8b95e4c0ffff         | mov                 edx, dword ptr [ebp - 0x3f1c]

        // Stack-buffer initialization, mostly zero bytes with a single 0x10;
        // specific only through the frame offsets (-0x3cc2 .. -0x3cbc).
        $sequence_3 = { c6853ec3ffff00 c6853fc3ffff00 c68540c3ffff10 c68541c3ffff00 c68542c3ffff00 c68543c3ffff00 c68544c3ffff00 }
            // n = 7, score = 200
            //   c6853ec3ffff00       | mov                 byte ptr [ebp - 0x3cc2], 0
            //   c6853fc3ffff00       | mov                 byte ptr [ebp - 0x3cc1], 0
            //   c68540c3ffff10       | mov                 byte ptr [ebp - 0x3cc0], 0x10
            //   c68541c3ffff00       | mov                 byte ptr [ebp - 0x3cbf], 0
            //   c68542c3ffff00       | mov                 byte ptr [ebp - 0x3cbe], 0
            //   c68543c3ffff00       | mov                 byte ptr [ebp - 0x3cbd], 0
            //   c68544c3ffff00       | mov                 byte ptr [ebp - 0x3cbc], 0

        // Stack-buffer initialization with non-trivial immediates
        // (0xe8, 0xda, 0x0a, 0x48, 0x83); same caveat as $sequence_1.
        $sequence_4 = { c685f9c9ffffe8 c685fac9ffffda c685fbc9ffff0a c685fcc9ffff00 c685fdc9ffff00 c685fec9ffff48 c685ffc9ffff83 }
            // n = 7, score = 200
            //   c685f9c9ffffe8       | mov                 byte ptr [ebp - 0x3607], 0xe8
            //   c685fac9ffffda       | mov                 byte ptr [ebp - 0x3606], 0xda
            //   c685fbc9ffff0a       | mov                 byte ptr [ebp - 0x3605], 0xa
            //   c685fcc9ffff00       | mov                 byte ptr [ebp - 0x3604], 0
            //   c685fdc9ffff00       | mov                 byte ptr [ebp - 0x3603], 0
            //   c685fec9ffff48       | mov                 byte ptr [ebp - 0x3602], 0x48
            //   c685ffc9ffff83       | mov                 byte ptr [ebp - 0x3601], 0x83

        // Byte-indexed 32-bit table lookup xor'ed into an accumulator, plus
        // shifts by 0x18/0x10 — a table-driven transform over 32-bit words
        // (which algorithm is not determinable from these bytes alone).
        // NOTE(review): the table address 0x4593e0 is absolute, so this
        // sequence is specific to the reference build's image base.
        $sequence_5 = { 0fb6c3 330c85e0934500 334f48 894de4 c1eb18 8b45ec c1e810 }
            // n = 7, score = 200
            //   0fb6c3               | movzx               eax, bl
            //   330c85e0934500       | xor                 ecx, dword ptr [eax*4 + 0x4593e0]
            //   334f48               | xor                 ecx, dword ptr [edi + 0x48]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   c1eb18               | shr                 ebx, 0x18
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   c1e810               | shr                 eax, 0x10

        // Seven consecutive zero-byte stores into a stack buffer; specific
        // only through the frame offsets (-0x1e83 .. -0x1e7d).
        $sequence_6 = { c6857de1ffff00 c6857ee1ffff00 c6857fe1ffff00 c68580e1ffff00 c68581e1ffff00 c68582e1ffff00 c68583e1ffff00 }
            // n = 7, score = 200
            //   c6857de1ffff00       | mov                 byte ptr [ebp - 0x1e83], 0
            //   c6857ee1ffff00       | mov                 byte ptr [ebp - 0x1e82], 0
            //   c6857fe1ffff00       | mov                 byte ptr [ebp - 0x1e81], 0
            //   c68580e1ffff00       | mov                 byte ptr [ebp - 0x1e80], 0
            //   c68581e1ffff00       | mov                 byte ptr [ebp - 0x1e7f], 0
            //   c68582e1ffff00       | mov                 byte ptr [ebp - 0x1e7e], 0
            //   c68583e1ffff00       | mov                 byte ptr [ebp - 0x1e7d], 0

        // Five consecutive zero-byte stores (n = 5, the shortest sequence in
        // the rule); same caveat as $sequence_6.
        $sequence_7 = { c68580e4ffff00 c68581e4ffff00 c68582e4ffff00 c68583e4ffff00 c68584e4ffff00 }
            // n = 5, score = 200
            //   c68580e4ffff00       | mov                 byte ptr [ebp - 0x1b80], 0
            //   c68581e4ffff00       | mov                 byte ptr [ebp - 0x1b7f], 0
            //   c68582e4ffff00       | mov                 byte ptr [ebp - 0x1b7e], 0
            //   c68583e4ffff00       | mov                 byte ptr [ebp - 0x1b7d], 0
            //   c68584e4ffff00       | mov                 byte ptr [ebp - 0x1b7c], 0

        // Two-way element addressing from a base at [esi + 4]: one path
        // scales the index by 2 (lea ecx + eax*2), the other adds it
        // unscaled; reads like a 1-byte vs. 2-byte element selection, but
        // that is an inference, not visible in the bytes.
        $sequence_8 = { 8b4e04 8b45e8 8d0441 eb06 8b4604 0345e8 8945d8 }
            // n = 7, score = 200
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8d0441               | lea                 eax, [ecx + eax*2]
            //   eb06                 | jmp                 8
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   0345e8               | add                 eax, dword ptr [ebp - 0x18]
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax

        // Two byte-indexed table lookups (tables at 0x45d7e0 and 0x45d3e0)
        // xor'ed together with struct fields at [edi + 0x90] / [edi + 0x9c];
        // same table-driven pattern as $sequence_5 and the same absolute-
        // address caveat.
        $sequence_9 = { 0fb6c0 330c85e0d74500 0fb6c2 330c85e0d34500 338f90000000 8b879c000000 33d9 }
            // n = 7, score = 200
            //   0fb6c0               | movzx               eax, al
            //   330c85e0d74500       | xor                 ecx, dword ptr [eax*4 + 0x45d7e0]
            //   0fb6c2               | movzx               eax, dl
            //   330c85e0d34500       | xor                 ecx, dword ptr [eax*4 + 0x45d3e0]
            //   338f90000000         | xor                 ecx, dword ptr [edi + 0x90]
            //   8b879c000000         | mov                 eax, dword ptr [edi + 0x9c]
            //   33d9                 | xor                 ebx, ecx

    condition:
        // At least 7 of the 10 sequences, and a size cap (966656 bytes) that
        // keeps the rule off large containers/installers. The cap also means
        // the rule is file-scan only: `filesize` is undefined for process
        // scans, and full-process dumps on disk generally exceed it.
        7 of them and filesize < 966656
}