rule win_valley_rat_auto {

    // Auto-generated detection rule for the Malpedia family win.valley_rat
    // (see malpedia_reference below). Every string is a run of x86 code
    // bytes selected by yara-signator from disassembly of the reference
    // sample(s); the condition needs 7 of the 16 sequences plus a file-size
    // cap, so no single sequence decides a hit on its own.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.valley_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.valley_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Reviewer notes on sequence quality (per-sequence disassembly follows
        // each pattern; "n" is the instruction count, "score" the generator's
        // own ranking):
        //   - $sequence_3, $sequence_10, $sequence_12 and $sequence_14 are runs
        //     of 0x00/0x01/0x05 bytes that only decode as meaningless `add`
        //     instructions; they look like table/data content rather than code
        //     and are weak discriminators on their own (they still count
        //     toward the "7 of them" threshold). $sequence_4 and $sequence_9
        //     also start with such a 0x0101 pair.
        //   - $sequence_0 and $sequence_2 decode to implausible instructions
        //     (e.g. `add byte ptr [esi + edi*2 + 0x468a0046], al`), so they
        //     are presumably data or mid-instruction bytes as well.
        //   - $sequence_1, _5, _6, _7 and _13 are consecutive
        //     `mov dword ptr [ebp - N], imm32` stores into adjacent stack
        //     slots; this is consistent with an inline stack-buffer
        //     initialisation (encoded blob or stack string) and carries the
        //     most sample-specific bytes in the rule.
        //   - $sequence_8 and $sequence_15 wildcard (`????`) the address
        //     operands of push/call/mov, so they survive relocation of those
        //     operands.
        //   - $sequence_11 and $sequence_15 embed absolute addresses
        //     (0x10016e18, 0x100186f0); these presumably tie the sequences to
        //     the reference sample's image base and may not match a rebased
        //     or differently linked build.

        $sequence_0 = { 005c7e46 00847e46008a46 0323 d188470383ee }
            // n = 4, score = 100
            //   005c7e46             | add                 byte ptr [esi + edi*2 + 0x46], bl
            //   00847e46008a46       | add                 byte ptr [esi + edi*2 + 0x468a0046], al
            //   0323                 | add                 esp, dword ptr [ebx]
            //   d188470383ee         | ror                 dword ptr [eax - 0x117cfcb9], 1

        $sequence_1 = { c785a8feffffab9ba19b c785acfefffff79bf09b c785b0feffffe79bab9b c785b4feffffa19bf39b c785b8feffffe89be79b c785bcfeffffab9ba19b c785c0fefffff79bff9b }
            // n = 7, score = 100
            //   c785a8feffffab9ba19b     | mov    dword ptr [ebp - 0x158], 0x9ba19bab
            //   c785acfefffff79bf09b     | mov    dword ptr [ebp - 0x154], 0x9bf09bf7
            //   c785b0feffffe79bab9b     | mov    dword ptr [ebp - 0x150], 0x9bab9be7
            //   c785b4feffffa19bf39b     | mov    dword ptr [ebp - 0x14c], 0x9bf39ba1
            //   c785b8feffffe89be79b     | mov    dword ptr [ebp - 0x148], 0x9be79be8
            //   c785bcfeffffab9ba19b     | mov    dword ptr [ebp - 0x144], 0x9ba19bab
            //   c785c0fefffff79bff9b     | mov    dword ptr [ebp - 0x140], 0x9bff9bf7

        $sequence_2 = { 00bcaf4500c5af 45 00f8 af }
            // n = 4, score = 100
            //   00bcaf4500c5af       | add                 byte ptr [edi + ebp*4 - 0x503affbb], bh
            //   45                   | inc                 ebp
            //   00f8                 | add                 al, bh
            //   af                   | scasd               eax, dword ptr es:[edi]

        $sequence_3 = { 0101 0101 0201 0102 }
            // n = 4, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   0101                 | add                 dword ptr [ecx], eax
            //   0201                 | add                 al, byte ptr [ecx]
            //   0102                 | add                 dword ptr [edx], eax

        $sequence_4 = { 0101 33c0 8be5 5d }
            // n = 4, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   33c0                 | xor                 eax, eax
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_5 = { c785a8faffff02246d9b c785acfaffff9b9b6c64 c785b0faffff10e8c398 c785b4faffffee6310de c785b8faffff63f1911b c785bcfaffff59d7ab8d c785c0faffff02c56c65 }
            // n = 7, score = 100
            //   c785a8faffff02246d9b     | mov    dword ptr [ebp - 0x558], 0x9b6d2402
            //   c785acfaffff9b9b6c64     | mov    dword ptr [ebp - 0x554], 0x646c9b9b
            //   c785b0faffff10e8c398     | mov    dword ptr [ebp - 0x550], 0x98c3e810
            //   c785b4faffffee6310de     | mov    dword ptr [ebp - 0x54c], 0xde1063ee
            //   c785b8faffff63f1911b     | mov    dword ptr [ebp - 0x548], 0x1b91f163
            //   c785bcfaffff59d7ab8d     | mov    dword ptr [ebp - 0x544], 0x8dabd759
            //   c785c0faffff02c56c65     | mov    dword ptr [ebp - 0x540], 0x656cc502

        $sequence_6 = { c78598f8ffffbffbf34c c7859cf8ffffe6c5e373 c785a0f8ffff7f9f9b9b c785a4f8ffff64efbfdb c785a8f8ffff12dfbff7 c785acf8fffff3531fa1 c785b0f8ffffaa73499f }
            // n = 7, score = 100
            //   c78598f8ffffbffbf34c     | mov    dword ptr [ebp - 0x768], 0x4cf3fbbf
            //   c7859cf8ffffe6c5e373     | mov    dword ptr [ebp - 0x764], 0x73e3c5e6
            //   c785a0f8ffff7f9f9b9b     | mov    dword ptr [ebp - 0x760], 0x9b9b9f7f
            //   c785a4f8ffff64efbfdb     | mov    dword ptr [ebp - 0x75c], 0xdbbfef64
            //   c785a8f8ffff12dfbff7     | mov    dword ptr [ebp - 0x758], 0xf7bfdf12
            //   c785acf8fffff3531fa1     | mov    dword ptr [ebp - 0x754], 0xa11f53f3
            //   c785b0f8ffffaa73499f     | mov    dword ptr [ebp - 0x750], 0x9f4973aa

        $sequence_7 = { c785e4f6ffff9d9b9b64 c785e8f6ffffefbfa312 c785ecf6ffffdfbfdff3 c785f0f6ffffe81bd39d c785f4f6ffff73149d9b }
            // n = 5, score = 100
            //   c785e4f6ffff9d9b9b64     | mov    dword ptr [ebp - 0x91c], 0x649b9b9d
            //   c785e8f6ffffefbfa312     | mov    dword ptr [ebp - 0x918], 0x12a3bfef
            //   c785ecf6ffffdfbfdff3     | mov    dword ptr [ebp - 0x914], 0xf3dfbfdf
            //   c785f0f6ffffe81bd39d     | mov    dword ptr [ebp - 0x910], 0x9dd31be8
            //   c785f4f6ffff73149d9b     | mov    dword ptr [ebp - 0x90c], 0x9b9d1473

        $sequence_8 = { 68a0120000 6a00 68???????? e8???????? }
            // n = 4, score = 100
            //   68a0120000           | push                0x12a0
            //   6a00                 | push                0
            //   68????????           |                     (push imm32 - address wildcarded)
            //   e8????????           |                     (call rel32 - target wildcarded)

        $sequence_9 = { 0101 33c0 5e 5b }
            // n = 4, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_10 = { 0101 0505050505 0505050505 0505050505 0505050505 0505050505 }
            // n = 6, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   0505050505           | add                 eax, 0x5050505
            //   0505050505           | add                 eax, 0x5050505
            //   0505050505           | add                 eax, 0x5050505
            //   0505050505           | add                 eax, 0x5050505
            //   0505050505           | add                 eax, 0x5050505

        $sequence_11 = { 3c58 770f 0fbec2 0fbe80186e0110 }
            // n = 4, score = 100
            //   3c58                 | cmp                 al, 0x58
            //   770f                 | ja                  0x11
            //   0fbec2               | movsx               eax, dl
            //   0fbe80186e0110       | movsx               eax, byte ptr [eax + 0x10016e18]

        $sequence_12 = { 0001 0101 0102 0101 }
            // n = 4, score = 100
            //   0001                 | add                 byte ptr [ecx], al
            //   0101                 | add                 dword ptr [ecx], eax
            //   0102                 | add                 dword ptr [edx], eax
            //   0101                 | add                 dword ptr [ecx], eax

        $sequence_13 = { c7857cf6ffffa864a050 c78580f6ffffe584942c c78584f6ffffa9185999 c78588f6ffff1865fae9 c7858cf6ffff9d1a5d7b c78590f6ffff649b9bf2 c78594f6ffff64189b9b }
            // n = 7, score = 100
            //   c7857cf6ffffa864a050     | mov    dword ptr [ebp - 0x984], 0x50a064a8
            //   c78580f6ffffe584942c     | mov    dword ptr [ebp - 0x980], 0x2c9484e5
            //   c78584f6ffffa9185999     | mov    dword ptr [ebp - 0x97c], 0x995918a9
            //   c78588f6ffff1865fae9     | mov    dword ptr [ebp - 0x978], 0xe9fa6518
            //   c7858cf6ffff9d1a5d7b     | mov    dword ptr [ebp - 0x974], 0x7b5d1a9d
            //   c78590f6ffff649b9bf2     | mov    dword ptr [ebp - 0x970], 0xf29b9b64
            //   c78594f6ffff64189b9b     | mov    dword ptr [ebp - 0x96c], 0x9b9b1864

        $sequence_14 = { 0101 0101 0101 0101 0101 0505050505 }
            // n = 6, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   0101                 | add                 dword ptr [ecx], eax
            //   0101                 | add                 dword ptr [ecx], eax
            //   0101                 | add                 dword ptr [ecx], eax
            //   0101                 | add                 dword ptr [ecx], eax
            //   0505050505           | add                 eax, 0x5050505

        $sequence_15 = { 8d4dcc c74508???????? e8???????? 68???????? 8d45cc 50 c745ccf0860110 }
            // n = 7, score = 100
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   c74508????????       |                     (mov dword ptr [ebp + 8], imm32 - value wildcarded)
            //   e8????????           |                     (call rel32 - target wildcarded)
            //   68????????           |                     (push imm32 - address wildcarded)
            //   8d45cc               | lea                 eax, [ebp - 0x34]
            //   50                   | push                eax
            //   c745ccf0860110       | mov                 dword ptr [ebp - 0x34], 0x100186f0

    condition:
        // "them" is all 16 $sequence_* strings; at least 7 must be present.
        // The size cap is 2256896 bytes (0x227000, ~2.15 MiB) and excludes
        // larger files such as full memory dumps. NOTE(review): filesize is
        // only meaningful for file scans, not process-memory scans - confirm
        // against the YARA version in use before relying on the cap there.
        7 of them and filesize < 2256896
}