rule win_bazarbackdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.bazarbackdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as the data source, please note that for a number of
     * families only single samples are documented.
     * This likely affects the degree of generalization these rules will offer.
     * Take the described generation method into consideration as well when you
     * apply the rules in your use cases and assign them confidence levels.
     * The per-instruction comments under each string are generator output too
     * and are not guaranteed to line up with the hex bytes beside them; the
     * hex patterns are what YARA actually matches.
     */


    strings:
        $sequence_0 = { 41b80f100000 488bce 4889442420 ff15???????? 85c0 780a 4898 }
            // n = 7, score = 1500
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   41b80f100000         | mov                 r8d, 0x100f
            //   488bce               | mov                 rcx, rsi
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   ff15????????         |
            //   85c0                 | test                eax, eax
            //   780a                 | js                  0xc
            //   4898                 | cdqe

        $sequence_1 = { 8bcf ffd0 488bd8 eb02 }
            // n = 4, score = 1300
            // x86-64 decode of the bytes above
            //   8bcf                 | mov                 ecx, edi
            //   ffd0                 | call                rax
            //   488bd8               | mov                 rbx, rax
            //   eb02                 | jmp                 4

        $sequence_2 = { 813963736de0 755e 83791804 7558 }
            // n = 4, score = 1300
            // decode of the bytes above; none of the fixed bytes is a REX prefix, so the
            // instructions read the same in 32- and 64-bit mode (pointer registers shown
            // with their 32-bit names)
            // NOTE(review): 0xe06d7363 is the MSVC C++ exception code, so this pattern
            // probably sits in compiler runtime code rather than family-specific logic -
            // confirm before giving it weight.
            //   813963736de0         | cmp                 dword ptr [ecx], 0xe06d7363
            //   755e                 | jne                 0x60
            //   83791804             | cmp                 dword ptr [ecx + 0x18], 4
            //   7558                 | jne                 0x5a

        $sequence_3 = { ffd0 b802000000 e9???????? 48637e3c 488d55e0 488b4c2458 }
            // n = 6, score = 1300
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   ffd0                 | call                rax
            //   b802000000           | mov                 eax, 2
            //   e9????????           |
            //   48637e3c             | movsxd              rdi, dword ptr [rsi + 0x3c]
            //   488d55e0             | lea                 rdx, [rbp - 0x20]
            //   488b4c2458           | mov                 rcx, qword ptr [rsp + 0x58]

        $sequence_4 = { 730b 498bc8 e8???????? 4c8bc0 }
            // n = 4, score = 1300
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   730b                 | jae                 0xd
            //   498bc8               | mov                 rcx, r8
            //   e8????????           |
            //   4c8bc0               | mov                 r8, rax

        $sequence_5 = { 488d4d80 e8???????? 498bd6 488d4d80 }
            // n = 4, score = 1100
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   488d4d80             | lea                 rcx, [rbp - 0x80]
            //   e8????????           |
            //   498bd6               | mov                 rdx, r14
            //   488d4d80             | lea                 rcx, [rbp - 0x80]

        $sequence_6 = { 0fb70f ff15???????? 0fb74f02 0fb7d8 ff15???????? 0fb74f08 }
            // n = 6, score = 1100
            //   0fb70f               | movzx               ecx, word ptr [edi]
            //   ff15????????         |                     
            //   0fb74f02             | movzx               ecx, word ptr [edi + 2]
            //   0fb7d8               | movzx               ebx, ax
            //   ff15????????         |                     
            //   0fb74f08             | movzx               ecx, word ptr [edi + 8]

        $sequence_7 = { ff15???????? 0fb74f08 440fb7e8 ff15???????? }
            // n = 4, score = 1000
            // x86-64 decode of the bytes above (0x44 is a REX prefix here, not inc esp);
            // wildcarded instructions are left blank
            //   ff15????????         |
            //   0fb74f08             | movzx               ecx, word ptr [rdi + 8]
            //   440fb7e8             | movzx               r13d, ax
            //   ff15????????         |

        $sequence_8 = { 7507 33c0 e9???????? b8ff000000 }
            // n = 4, score = 1000
            //   7507                 | jne                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   b8ff000000           | mov                 eax, 0xff

        $sequence_9 = { c3 0fb74c0818 b80b010000 663bc8 }
            // n = 4, score = 900
            // decode of the bytes above; none of the fixed bytes is a REX prefix, so the
            // instructions read the same in 32- and 64-bit mode (pointer registers shown
            // with their 32-bit names)
            //   c3                   | ret
            //   0fb74c0818           | movzx               ecx, word ptr [eax + ecx + 0x18]
            //   b80b010000           | mov                 eax, 0x10b
            //   663bc8               | cmp                 cx, ax

        $sequence_10 = { cc e8???????? cc 4053 4883ec20 b902000000 e8???????? }
            // n = 7, score = 900
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   cc                   | int3
            //   e8????????           |
            //   cc                   | int3
            //   4053                 | push                rbx
            //   4883ec20             | sub                 rsp, 0x20
            //   b902000000           | mov                 ecx, 2
            //   e8????????           |

        $sequence_11 = { 0fb6c9 4881e9c0000000 48c1e108 4803c8 8bc1 488d94059f070000 }
            // n = 6, score = 800
            // x86-64 decode of the bytes above
            //   0fb6c9               | movzx               ecx, cl
            //   4881e9c0000000       | sub                 rcx, 0xc0
            //   48c1e108             | shl                 rcx, 8
            //   4803c8               | add                 rcx, rax
            //   8bc1                 | mov                 eax, ecx
            //   488d94059f070000     | lea                 rdx, [rbp + rax + 0x79f]

        $sequence_12 = { e8???????? 4c89e1 e8???????? 8b05???????? }
            // n = 4, score = 800
            // x86-64 decode of the bytes above; wildcarded instructions are left blank,
            // which leaves a single fully fixed instruction in this pattern
            //   e8????????           |
            //   4c89e1               | mov                 rcx, r12
            //   e8????????           |
            //   8b05????????         |

        $sequence_13 = { 488d9590050000 488bce ff15???????? 85c0 }
            // n = 4, score = 800
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   488d9590050000       | lea                 rdx, [rbp + 0x590]
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         |
            //   85c0                 | test                eax, eax

        $sequence_14 = { 488d95a0070000 488d442470 41b80f100000 488bce }
            // n = 4, score = 800
            // x86-64 decode of the bytes above
            //   488d95a0070000       | lea                 rdx, [rbp + 0x7a0]
            //   488d442470           | lea                 rax, [rsp + 0x70]
            //   41b80f100000         | mov                 r8d, 0x100f
            //   488bce               | mov                 rcx, rsi

        $sequence_15 = { 31ff 4889c1 31d2 4989f0 }
            // n = 4, score = 800
            // x86-64 decode of the bytes above
            //   31ff                 | xor                 edi, edi
            //   4889c1               | mov                 rcx, rax
            //   31d2                 | xor                 edx, edx
            //   4989f0               | mov                 r8, rsi

        $sequence_16 = { 4533c9 4889442428 488d95a0070000 488d442470 }
            // n = 4, score = 800
            // x86-64 decode of the bytes above
            //   4533c9               | xor                 r9d, r9d
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   488d95a0070000       | lea                 rdx, [rbp + 0x7a0]
            //   488d442470           | lea                 rax, [rsp + 0x70]

        $sequence_17 = { e8???????? 4889c7 8b05???????? 8b0d???????? }
            // n = 4, score = 800
            // x86-64 decode of the bytes above; wildcarded instructions are left blank,
            // which leaves a single fully fixed instruction in this pattern
            //   e8????????           |
            //   4889c7               | mov                 rdi, rax
            //   8b05????????         |
            //   8b0d????????         |

        $sequence_18 = { 418d5508 488bc8 ff15???????? 488bd8 4885c0 }
            // n = 5, score = 800
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   418d5508             | lea                 edx, [r13 + 8]
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         |
            //   488bd8               | mov                 rbx, rax
            //   4885c0               | test                rax, rax

        $sequence_19 = { 33d2 488bc8 ff15???????? e9???????? ff15???????? }
            // n = 5, score = 700
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   33d2                 | xor                 edx, edx
            //   488bc8               | mov                 rcx, rax
            //   ff15????????         |
            //   e9????????           |
            //   ff15????????         |

        $sequence_20 = { 0fb64b04 0fb6d1 80f973 7504 }
            // n = 4, score = 700
            // decode of the bytes above; none of the fixed bytes is a REX prefix, so the
            // instructions read the same in 32- and 64-bit mode (pointer registers shown
            // with their 32-bit names)
            //   0fb64b04             | movzx               ecx, byte ptr [ebx + 4]
            //   0fb6d1               | movzx               edx, cl
            //   80f973               | cmp                 cl, 0x73
            //   7504                 | jne                 6

        $sequence_21 = { c744242003000000 4889f9 ba00000080 41b801000000 4531c9 }
            // n = 5, score = 700
            // x86-64 decode of the bytes above
            //   c744242003000000     | mov                 dword ptr [rsp + 0x20], 3
            //   4889f9               | mov                 rcx, rdi
            //   ba00000080           | mov                 edx, 0x80000000
            //   41b801000000         | mov                 r8d, 1
            //   4531c9               | xor                 r9d, r9d

        $sequence_22 = { 4889442428 488d95b0030000 488d4580 41b80f100000 }
            // n = 4, score = 700
            // x86-64 decode of the bytes above
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   488d95b0030000       | lea                 rdx, [rbp + 0x3b0]
            //   488d4580             | lea                 rax, [rbp - 0x80]
            //   41b80f100000         | mov                 r8d, 0x100f

        $sequence_23 = { 488bd3 e8???????? ff15???????? 4c8bc3 33d2 }
            // n = 5, score = 700
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   488bd3               | mov                 rdx, rbx
            //   e8????????           |
            //   ff15????????         |
            //   4c8bc3               | mov                 r8, rbx
            //   33d2                 | xor                 edx, edx

        $sequence_24 = { e8???????? 4889f1 e8???????? 8b05???????? 8b0d???????? }
            // n = 5, score = 700
            // x86-64 decode of the bytes above; wildcarded instructions are left blank,
            // which leaves a single fully fixed instruction in this pattern
            //   e8????????           |
            //   4889f1               | mov                 rcx, rsi
            //   e8????????           |
            //   8b05????????         |
            //   8b0d????????         |

        $sequence_25 = { 31ed 4889c1 31d2 4989d8 }
            // n = 4, score = 700
            // x86-64 decode of the bytes above
            //   31ed                 | xor                 ebp, ebp
            //   4889c1               | mov                 rcx, rax
            //   31d2                 | xor                 edx, edx
            //   4989d8               | mov                 r8, rbx

        $sequence_26 = { 08ca 80f201 7502 ebfe }
            // n = 4, score = 700
            // decode of the bytes above; no REX prefix or memory operand, so it reads the
            // same in 32- and 64-bit mode. The final jmp (ebfe) targets itself.
            //   08ca                 | or                  dl, cl
            //   80f201               | xor                 dl, 1
            //   7502                 | jne                 4
            //   ebfe                 | jmp                 0

        $sequence_27 = { 8b0d???????? 8b05???????? 8d51ff 0fafd1 89d1 83f1fe }
            // n = 6, score = 700
            // decode of the bytes above; none of the fixed bytes is a REX prefix
            // (pointer registers shown with their 32-bit names); wildcarded loads are blank
            // NOTE(review): the fixed part computes x * (x - 1) and masks it, which
            // resembles the opaque predicates emitted by OLLVM-style bogus-control-flow
            // passes; if so this pattern tracks the obfuscator rather than the family -
            // confirm before raising confidence.
            //   8b0d????????         |
            //   8b05????????         |
            //   8d51ff               | lea                 edx, [ecx - 1]
            //   0fafd1               | imul                edx, ecx
            //   89d1                 | mov                 ecx, edx
            //   83f1fe               | xor                 ecx, 0xfffffffe

        $sequence_28 = { 80f973 7504 0fb65305 33c0 }
            // n = 4, score = 700
            // decode of the bytes above; none of the fixed bytes is a REX prefix, so the
            // instructions read the same in 32- and 64-bit mode (pointer registers shown
            // with their 32-bit names)
            //   80f973               | cmp                 cl, 0x73
            //   7504                 | jne                 6
            //   0fb65305             | movzx               edx, byte ptr [ebx + 5]
            //   33c0                 | xor                 eax, eax

        $sequence_29 = { 0fb65305 33c0 80f973 0f94c0 }
            // n = 4, score = 700
            // decode of the bytes above; none of the fixed bytes is a REX prefix, so the
            // instructions read the same in 32- and 64-bit mode (pointer registers shown
            // with their 32-bit names)
            //   0fb65305             | movzx               edx, byte ptr [ebx + 5]
            //   33c0                 | xor                 eax, eax
            //   80f973               | cmp                 cl, 0x73
            //   0f94c0               | sete                al

        $sequence_30 = { 84c1 7504 30c1 744a }
            // n = 4, score = 700
            // decode of the bytes above; no REX prefix or memory operand, so it reads the
            // same in 32- and 64-bit mode
            //   84c1                 | test                cl, al
            //   7504                 | jne                 6
            //   30c1                 | xor                 cl, al
            //   744a                 | je                  0x4c

        $sequence_31 = { 08c1 80f101 7502 ebfe }
            // n = 4, score = 700
            // decode of the bytes above; no REX prefix or memory operand, so it reads the
            // same in 32- and 64-bit mode. The final jmp (ebfe) targets itself.
            //   08c1                 | or                  cl, al
            //   80f101               | xor                 cl, 1
            //   7502                 | jne                 4
            //   ebfe                 | jmp                 0

        $sequence_32 = { 4533c9 4533c0 c744242002000000 ba1f000f00 }
            // n = 4, score = 700
            // x86-64 decode of the bytes above
            //   4533c9               | xor                 r9d, r9d
            //   4533c0               | xor                 r8d, r8d
            //   c744242002000000     | mov                 dword ptr [rsp + 0x20], 2
            //   ba1f000f00           | mov                 edx, 0xf001f

        $sequence_33 = { 89c1 83f1fe 85c1 0f94c1 83ff0a 0f9cc0 }
            // n = 6, score = 700
            // decode of the bytes above; no REX prefix or memory operand, so it reads the
            // same in 32- and 64-bit mode
            // NOTE(review): a masked parity test combined with a `< 10` compare resembles
            // the opaque predicates emitted by OLLVM-style bogus-control-flow passes; if
            // so this pattern tracks the obfuscator rather than the family - confirm
            // before raising confidence.
            //   89c1                 | mov                 ecx, eax
            //   83f1fe               | xor                 ecx, 0xfffffffe
            //   85c1                 | test                ecx, eax
            //   0f94c1               | sete                cl
            //   83ff0a               | cmp                 edi, 0xa
            //   0f9cc0               | setl                al

        $sequence_34 = { ebfe 8b05???????? 8b0d???????? 8d50ff }
            // n = 4, score = 700
            // decode of the bytes above; none of the fixed bytes is a REX prefix
            // (pointer registers shown with their 32-bit names); wildcarded loads are
            // blank. The leading jmp (ebfe) targets itself.
            //   ebfe                 | jmp                 0
            //   8b05????????         |
            //   8b0d????????         |
            //   8d50ff               | lea                 edx, [eax - 1]

        $sequence_35 = { 0f95c1 0f94c3 83f809 0f9fc2 83f80a 0f9cc0 }
            // n = 6, score = 700
            // decode of the bytes above; no REX prefix or memory operand, so it reads the
            // same in 32- and 64-bit mode
            //   0f95c1               | setne               cl
            //   0f94c3               | sete                bl
            //   83f809               | cmp                 eax, 9
            //   0f9fc2               | setg                dl
            //   83f80a               | cmp                 eax, 0xa
            //   0f9cc0               | setl                al

        $sequence_36 = { 0f94c2 833d????????0a 0f9cc3 84d3 7504 }
            // n = 5, score = 700
            // decode of the bytes above; none of the fixed bytes is a REX prefix;
            // the wildcarded instruction is left blank
            //   0f94c2               | sete                dl
            //   833d????????0a       |
            //   0f9cc3               | setl                bl
            //   84d3                 | test                bl, dl
            //   7504                 | jne                 6

        $sequence_37 = { ff15???????? 31db 4889c1 31d2 }
            // n = 4, score = 700
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   ff15????????         |
            //   31db                 | xor                 ebx, ebx
            //   4889c1               | mov                 rcx, rax
            //   31d2                 | xor                 edx, edx

        $sequence_38 = { 4889c1 31d2 4d89f8 ffd3 }
            // n = 4, score = 600
            // x86-64 decode of the bytes above
            //   4889c1               | mov                 rcx, rax
            //   31d2                 | xor                 edx, edx
            //   4d89f8               | mov                 r8, r15
            //   ffd3                 | call                rbx

        $sequence_39 = { 7405 80fa2e 750f 0fb6c1 }
            // n = 4, score = 600
            // decode of the bytes above; no REX prefix or memory operand, so it reads the
            // same in 32- and 64-bit mode
            //   7405                 | je                  7
            //   80fa2e               | cmp                 dl, 0x2e
            //   750f                 | jne                 0x11
            //   0fb6c1               | movzx               eax, cl

        $sequence_40 = { e8???????? 4c897c2420 4889d9 89fa }
            // n = 4, score = 600
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   e8????????           |
            //   4c897c2420           | mov                 qword ptr [rsp + 0x20], r15
            //   4889d9               | mov                 rcx, rbx
            //   89fa                 | mov                 edx, edi

        $sequence_41 = { 8d4833 ff15???????? c744242810000000 4533c9 }
            // n = 4, score = 500
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   8d4833               | lea                 ecx, [rax + 0x33]
            //   ff15????????         |
            //   c744242810000000     | mov                 dword ptr [rsp + 0x28], 0x10
            //   4533c9               | xor                 r9d, r9d

        $sequence_42 = { 48c744243000000000 c744242880000000 c744242003000000 4889f1 ba00000080 }
            // n = 5, score = 500
            // x86-64 decode of the bytes above
            //   48c744243000000000   | mov                 qword ptr [rsp + 0x30], 0
            //   c744242880000000     | mov                 dword ptr [rsp + 0x28], 0x80
            //   c744242003000000     | mov                 dword ptr [rsp + 0x20], 3
            //   4889f1               | mov                 rcx, rsi
            //   ba00000080           | mov                 edx, 0x80000000

        $sequence_43 = { 4889fa 4189f0 4d89f1 ffd0 }
            // n = 4, score = 500
            // x86-64 decode of the bytes above
            //   4889fa               | mov                 rdx, rdi
            //   4189f0               | mov                 r8d, esi
            //   4d89f1               | mov                 r9, r14
            //   ffd0                 | call                rax

        $sequence_44 = { 66890d???????? 0fb7ca ff15???????? b901000000 66c746020100 668906 ff15???????? }
            // n = 7, score = 400
            // decode of the bytes above; none of the fixed bytes is a REX prefix, so the
            // instructions read the same in 32- and 64-bit mode (pointer registers shown
            // with their 32-bit names); wildcarded instructions are left blank
            //   66890d????????       |
            //   0fb7ca               | movzx               ecx, dx
            //   ff15????????         |
            //   b901000000           | mov                 ecx, 1
            //   66c746020100         | mov                 word ptr [esi + 2], 1
            //   668906               | mov                 word ptr [esi], ax
            //   ff15????????         |

        $sequence_45 = { 59 895c2438 8d4b0c 85c9 }
            // n = 4, score = 400
            //   59                   | pop                 ecx
            //   895c2438             | mov                 dword ptr [esp + 0x38], ebx
            //   8d4b0c               | lea                 ecx, [ebx + 0xc]
            //   85c9                 | test                ecx, ecx

        $sequence_46 = { 81fb80000000 760c 80e1f2 80c902 }
            // n = 4, score = 400
            // decode of the bytes above; no REX prefix or memory operand, so it reads the
            // same in 32- and 64-bit mode
            //   81fb80000000         | cmp                 ebx, 0x80
            //   760c                 | jbe                 0xe
            //   80e1f2               | and                 cl, 0xf2
            //   80c902               | or                  cl, 2

        $sequence_47 = { 4531c0 41b904000000 e8???????? 85c0 }
            // n = 4, score = 400
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            //   4531c0               | xor                 r8d, r8d
            //   41b904000000         | mov                 r9d, 4
            //   e8????????           |
            //   85c0                 | test                eax, eax

        $sequence_48 = { 85f6 754d 85ff 7449 }
            // n = 4, score = 400
            //   85f6                 | test                esi, esi
            //   754d                 | jne                 0x4f
            //   85ff                 | test                edi, edi
            //   7449                 | je                  0x4b

        $sequence_49 = { 885df4 8bce e8???????? a3???????? }
            // n = 4, score = 400
            //   885df4               | mov                 byte ptr [ebp - 0xc], bl
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   a3????????           |                     

        $sequence_50 = { 6685ff 0f849c000000 837c2460ff 0f858c000000 }
            // n = 4, score = 400
            // decode of the bytes above; none of the fixed bytes is a REX prefix, so the
            // instructions read the same in 32- and 64-bit mode (pointer registers shown
            // with their 32-bit names)
            //   6685ff               | test                di, di
            //   0f849c000000         | je                  0xa2
            //   837c2460ff           | cmp                 dword ptr [esp + 0x60], -1
            //   0f858c000000         | jne                 0x92

        $sequence_51 = { 50 0fb745ea 50 0fb745e8 50 68???????? e8???????? }
            // n = 7, score = 400
            //   50                   | push                eax
            //   0fb745ea             | movzx               eax, word ptr [ebp - 0x16]
            //   50                   | push                eax
            //   0fb745e8             | movzx               eax, word ptr [ebp - 0x18]
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_52 = { a3???????? 85c0 7507 6a04 }
            // n = 4, score = 400
            //   a3????????           |                     
            //   85c0                 | test                eax, eax
            //   7507                 | jne                 9
            //   6a04                 | push                4

        $sequence_53 = { 8bf1 6a02 682680acc8 42 }
            // n = 4, score = 400
            //   8bf1                 | mov                 esi, ecx
            //   6a02                 | push                2
            //   682680acc8           | push                0xc8ac8026
            //   42                   | inc                 edx

        $sequence_54 = { 0fb7ca 2b4e10 eb4c 8b6e20 }
            // n = 4, score = 400
            //   0fb7ca               | movzx               ecx, dx
            //   2b4e10               | sub                 ecx, dword ptr [esi + 0x10]
            //   eb4c                 | jmp                 0x4e
            //   8b6e20               | mov                 ebp, dword ptr [esi + 0x20]

        $sequence_55 = { 31ed eb16 ff15???????? 31ed }
            // n = 4, score = 400
            // decode of the bytes above; none of the fixed bytes is a REX prefix;
            // the wildcarded call is left blank
            //   31ed                 | xor                 ebp, ebp
            //   eb16                 | jmp                 0x18
            //   ff15????????         |
            //   31ed                 | xor                 ebp, ebp

        $sequence_56 = { 8d4b01 51 e8???????? 33d2 83c40c }
            // n = 5, score = 300
            //   8d4b01               | lea                 ecx, [ebx + 1]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   83c40c               | add                 esp, 0xc

        $sequence_57 = { 660f73d801 660febd0 660f7ed0 84c0 }
            // n = 4, score = 300
            //   660f73d801           | psrldq              xmm0, 1
            //   660febd0             | por                 xmm2, xmm0
            //   660f7ed0             | movd                eax, xmm2
            //   84c0                 | test                al, al

        $sequence_58 = { c1f808 0fb6c0 50 0fb6c2 50 }
            // n = 5, score = 300
            //   c1f808               | sar                 eax, 8
            //   0fb6c0               | movzx               eax, al
            //   50                   | push                eax
            //   0fb6c2               | movzx               eax, dl
            //   50                   | push                eax

        $sequence_59 = { 51 e8???????? 0fb70d???????? 83c40c }
            // n = 4, score = 300
            // 32-bit decode of the bytes above; wildcarded instructions are left blank
            //   51                   | push                ecx
            //   e8????????           |
            //   0fb70d????????       |
            //   83c40c               | add                 esp, 0xc

        $sequence_60 = { 740d 33d2 83f902 0f95c2 83c224 eb05 }
            // n = 6, score = 300
            //   740d                 | je                  0xf
            //   33d2                 | xor                 edx, edx
            //   83f902               | cmp                 ecx, 2
            //   0f95c2               | setne               dl
            //   83c224               | add                 edx, 0x24
            //   eb05                 | jmp                 7

        $sequence_61 = { e8???????? 83c410 b800308804 6a00 50 }
            // n = 5, score = 300
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   b800308804           | mov                 eax, 0x4883000
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_62 = { ffd3 0fb7d8 0fb74708 50 ff15???????? }
            // n = 5, score = 300
            //   ffd3                 | call                ebx
            //   0fb7d8               | movzx               ebx, ax
            //   0fb74708             | movzx               eax, word ptr [edi + 8]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_63 = { ffd3 0fb7f0 0fb74702 50 }
            // n = 4, score = 300
            //   ffd3                 | call                ebx
            //   0fb7f0               | movzx               esi, ax
            //   0fb74702             | movzx               eax, word ptr [edi + 2]
            //   50                   | push                eax

        $sequence_64 = { 8bd1 41 3bcf 72e5 53 8b1d???????? ffd3 }
            // n = 7, score = 300
            //   8bd1                 | mov                 edx, ecx
            //   41                   | inc                 ecx
            //   3bcf                 | cmp                 ecx, edi
            //   72e5                 | jb                  0xffffffe7
            //   53                   | push                ebx
            //   8b1d????????         |                     
            //   ffd3                 | call                ebx

        $sequence_65 = { eb08 c744242c00000000 8b44242c 89442438 4863442430 486bc010 488d0de3380200 }
            // n = 7, score = 100
            // x86-64 decode of the bytes above
            // The rip-relative displacement in the final lea (0x238e3) is matched
            // literally, not wildcarded, so this pattern only fits builds that keep the
            // same distance between this instruction and its target.
            //   eb08                 | jmp                 0xa
            //   c744242c00000000     | mov                 dword ptr [rsp + 0x2c], 0
            //   8b44242c             | mov                 eax, dword ptr [rsp + 0x2c]
            //   89442438             | mov                 dword ptr [rsp + 0x38], eax
            //   4863442430           | movsxd              rax, dword ptr [rsp + 0x30]
            //   486bc010             | imul                rax, rax, 0x10
            //   488d0de3380200       | lea                 rcx, [rip + 0x238e3]

        $sequence_66 = { 48894c2408 4883ec48 8b442458 89442424 48c744242800000000 41b800100200 }
            // n = 6, score = 100
            // x86-64 decode of the bytes above
            //   48894c2408           | mov                 qword ptr [rsp + 8], rcx
            //   4883ec48             | sub                 rsp, 0x48
            //   8b442458             | mov                 eax, dword ptr [rsp + 0x58]
            //   89442424             | mov                 dword ptr [rsp + 0x24], eax
            //   48c744242800000000   | mov                 qword ptr [rsp + 0x28], 0
            //   41b800100200         | mov                 r8d, 0x21000

        $sequence_67 = { 48898424a0000000 4533c0 ba01000000 488b4c2440 ff9424a0000000 }
            // n = 5, score = 100
            // x86-64 decode of the bytes above
            //   48898424a0000000     | mov                 qword ptr [rsp + 0xa0], rax
            //   4533c0               | xor                 r8d, r8d
            //   ba01000000           | mov                 edx, 1
            //   488b4c2440           | mov                 rcx, qword ptr [rsp + 0x40]
            //   ff9424a0000000       | call                qword ptr [rsp + 0xa0]

        $sequence_68 = { 83782800 0f848c000000 488b442430 83782000 7460 488b442430 }
            // n = 6, score = 100
            // x86-64 decode of the bytes above
            //   83782800             | cmp                 dword ptr [rax + 0x28], 0
            //   0f848c000000         | je                  0x92
            //   488b442430           | mov                 rax, qword ptr [rsp + 0x30]
            //   83782000             | cmp                 dword ptr [rax + 0x20], 0
            //   7460                 | je                  0x62
            //   488b442430           | mov                 rax, qword ptr [rsp + 0x30]

        $sequence_69 = { 486bc010 488d0de3380200 4803c8 488bc1 48634c2434 }
            // n = 5, score = 100
            // x86-64 decode of the bytes above
            // The rip-relative displacement in the lea (0x238e3) is matched literally,
            // not wildcarded, so this pattern only fits builds that keep the same
            // distance between this instruction and its target.
            //   486bc010             | imul                rax, rax, 0x10
            //   488d0de3380200       | lea                 rcx, [rip + 0x238e3]
            //   4803c8               | add                 rcx, rax
            //   488bc1               | mov                 rax, rcx
            //   48634c2434           | movsxd              rcx, dword ptr [rsp + 0x34]

        $sequence_70 = { 41b800100200 488d15d02f0000 488d4c2420 e8???????? 4889442428 4c8d052a200000 }
            // n = 6, score = 100
            // x86-64 decode of the bytes above; wildcarded instructions are left blank
            // Both rip-relative displacements (0x2fd0, 0x202a) are matched literally,
            // not wildcarded, so this pattern only fits builds that keep the same
            // distances between these instructions and their targets.
            //   41b800100200         | mov                 r8d, 0x21000
            //   488d15d02f0000       | lea                 rdx, [rip + 0x2fd0]
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            //   e8????????           |
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   4c8d052a200000       | lea                 r8, [rip + 0x202a]

        $sequence_71 = { 83782000 7460 488b442430 488b00 8b4028 488b4c2440 }
            // n = 6, score = 100
            // x86-64 decode of the bytes above
            //   83782000             | cmp                 dword ptr [rax + 0x20], 0
            //   7460                 | je                  0x62
            //   488b442430           | mov                 rax, qword ptr [rsp + 0x30]
            //   488b00               | mov                 rax, qword ptr [rax]
            //   8b4028               | mov                 eax, dword ptr [rax + 0x28]
            //   488b4c2440           | mov                 rcx, qword ptr [rsp + 0x40]

        $sequence_72 = { 488b4c2440 ff9424a0000000 89842480000000 83bc248000000000 750f b95a040000 }
            // n = 6, score = 100
            // x86-64 decode of the bytes above
            //   488b4c2440           | mov                 rcx, qword ptr [rsp + 0x40]
            //   ff9424a0000000       | call                qword ptr [rsp + 0xa0]
            //   89842480000000       | mov                 dword ptr [rsp + 0x80], eax
            //   83bc248000000000     | cmp                 dword ptr [rsp + 0x80], 0
            //   750f                 | jne                 0x11
            //   b95a040000           | mov                 ecx, 0x45a

    // Fires when at least 7 distinct $sequence_* patterns are found and the
    // scanned file is smaller than 2088960 bytes (2040 KiB).
    // Several patterns overlap byte-for-byte (e.g. $sequence_20, _28 and _29;
    // $sequence_65 and _69), so one short code region can account for more
    // than one of the 7 hits; weigh a match accordingly.
    // `filesize` is only defined for file scans: per the YARA documentation a
    // rule that uses it never matches when scanning a running process, so run
    // this against dump files or unpacked samples on disk.
    condition:
        7 of them and filesize < 2088960
}