rule win_banpolmex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.banpolmex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banpolmex"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The per-instruction annotations under each $sequence_N are a reviewer
     *   re-decode of the listed hex bytes as x86-64. The generator's original
     *   annotations were 32-bit decodes that did not correspond to the bytes
     *   next to them (e.g. 5e was annotated as "inc ecx", 33c0 as "dec esp").
     * - e8???????? / e9???????? are call / jmp whose rel32 operand is
     *   wildcarded, so the branch target does not constrain the match.
     * - Branch targets are shown as relative displacements (je +0x06), not
     *   absolute addresses, because the rule carries no base address.
     * - The generator's "n = 7, score = 100" lines are kept as emitted.
     */


    strings:
        $sequence_0 = { 488d05bd9c0700 0f1f440000 837afc00 7406 66833a00 7512 4883c206 }
            // n = 7, score = 100
            //   488d05bd9c0700       | lea                 rax, [rip + 0x79cbd]
            //   0f1f440000           | nop                 dword ptr [rax + rax]
            //   837afc00             | cmp                 dword ptr [rdx - 4], 0
            //   7406                 | je                  +0x06
            //   66833a00             | cmp                 word ptr [rdx], 0
            //   7512                 | jne                 +0x12
            //   4883c206             | add                 rdx, 6

        $sequence_1 = { 488b0f 85c0 488d55e0 410f45de e8???????? 488b0f 85c0 }
            // n = 7, score = 100
            //   488b0f               | mov                 rcx, qword ptr [rdi]
            //   85c0                 | test                eax, eax
            //   488d55e0             | lea                 rdx, [rbp - 0x20]
            //   410f45de             | cmovne              ebx, r14d
            //   e8????????           | call                rel32 (wildcarded)
            //   488b0f               | mov                 rcx, qword ptr [rdi]
            //   85c0                 | test                eax, eax

        $sequence_2 = { 41bd04000000 488945f7 488d4577 4c8d45f7 488d557f 458bcd 4883c9ff }
            // n = 7, score = 100
            //   41bd04000000         | mov                 r13d, 4
            //   488945f7             | mov                 qword ptr [rbp - 9], rax
            //   488d4577             | lea                 rax, [rbp + 0x77]
            //   4c8d45f7             | lea                 r8, [rbp - 9]
            //   488d557f             | lea                 rdx, [rbp + 0x7f]
            //   458bcd               | mov                 r9d, r13d
            //   4883c9ff             | or                  rcx, -1

        $sequence_3 = { 4d8bc5 2bde 413bde 410f4fde 4903cf 8d5302 e8???????? }
            // n = 7, score = 100
            //   4d8bc5               | mov                 r8, r13
            //   2bde                 | sub                 ebx, esi
            //   413bde               | cmp                 ebx, r14d
            //   410f4fde             | cmovg               ebx, r14d
            //   4903cf               | add                 rcx, r15
            //   8d5302               | lea                 edx, [rbx + 2]
            //   e8????????           | call                rel32 (wildcarded)

        $sequence_4 = { 0f85c7010000 498b4e08 448bff e8???????? 4d8b4e58 498b4650 4c8b23 }
            // n = 7, score = 100
            //   0f85c7010000         | jne                 +0x1c7
            //   498b4e08             | mov                 rcx, qword ptr [r14 + 8]
            //   448bff               | mov                 r15d, edi
            //   e8????????           | call                rel32 (wildcarded)
            //   4d8b4e58             | mov                 r9, qword ptr [r14 + 0x58]
            //   498b4650             | mov                 rax, qword ptr [r14 + 0x50]
            //   4c8b23               | mov                 r12, qword ptr [rbx]

        $sequence_5 = { 85c0 0f857e020000 4885db 741f 488b4b18 4c8d86c0000000 488d9680000000 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f857e020000         | jne                 +0x27e
            //   4885db               | test                rbx, rbx
            //   741f                 | je                  +0x1f
            //   488b4b18             | mov                 rcx, qword ptr [rbx + 0x18]
            //   4c8d86c0000000       | lea                 r8, [rsi + 0xc0]
            //   488d9680000000       | lea                 rdx, [rsi + 0x80]

        $sequence_6 = { 488d4c2440 e8???????? 807c242200 0f848e000000 488d4c2440 e8???????? 8bd8 }
            // n = 7, score = 100
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]
            //   e8????????           | call                rel32 (wildcarded)
            //   807c242200           | cmp                 byte ptr [rsp + 0x22], 0
            //   0f848e000000         | je                  +0x8e
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]
            //   e8????????           | call                rel32 (wildcarded)
            //   8bd8                 | mov                 ebx, eax

        $sequence_7 = { 4883ec20 b9d0000000 e8???????? 488bd8 4885c0 7430 33d2 }
            // n = 7, score = 100
            //   4883ec20             | sub                 rsp, 0x20
            //   b9d0000000           | mov                 ecx, 0xd0
            //   e8????????           | call                rel32 (wildcarded)
            //   488bd8               | mov                 rbx, rax
            //   4885c0               | test                rax, rax
            //   7430                 | je                  +0x30
            //   33d2                 | xor                 edx, edx

        $sequence_8 = { 897b08 33c0 4c8b6c2438 4c8b642440 4883c448 415f 415e }
            // n = 7, score = 100
            //   897b08               | mov                 dword ptr [rbx + 8], edi
            //   33c0                 | xor                 eax, eax
            //   4c8b6c2438           | mov                 r13, qword ptr [rsp + 0x38]
            //   4c8b642440           | mov                 r12, qword ptr [rsp + 0x40]
            //   4883c448             | add                 rsp, 0x48
            //   415f                 | pop                 r15
            //   415e                 | pop                 r14

        $sequence_9 = { 5e 5d 5b e9???????? 83fe0e 7324 85ed }
            // n = 7, score = 100
            //   5e                   | pop                 rsi
            //   5d                   | pop                 rbp
            //   5b                   | pop                 rbx
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   83fe0e               | cmp                 esi, 0xe
            //   7324                 | jae                 +0x24
            //   85ed                 | test                ebp, ebp

    /* Match requires any 7 of the 10 byte sequences above and a scanned
     * object smaller than 1555456 bytes (1519 KiB). The sequences come from
     * memory dumps and unpacked files (see DISCLAIMER), so a packed on-disk
     * sample may not hit until it is unpacked or dumped. There is no PE-magic
     * check; presumably so that dumps without a header still match —
     * NOTE(review): confirm that before adding a uint16(0) == 0x5a4d guard.
     */
    condition:
        7 of them and filesize < 1555456
}