SYMBOLCOMMON_NAMEaka. SYNONYMS
win.adylkuzz (Back to overview)

Adylkuzz

VTCollection    

There is no description at this point.

References
2017-05-15ProofpointKafeine
Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar
Adylkuzz
Yara Rules
[TLP:WHITE] win_adylkuzz_auto (20260504 | Detects win.adylkuzz.)
rule win_adylkuzz_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.adylkuzz."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb41 83f805 7529 8b4310 8b4804 8d5104 83faf6 }
            // n = 7, score = 100
            //   eb41                 | jmp                 0x43
            //   83f805               | cmp                 eax, 5
            //   7529                 | jne                 0x2b
            //   8b4310               | mov                 eax, dword ptr [ebx + 0x10]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8d5104               | lea                 edx, [ecx + 4]
            //   83faf6               | cmp                 edx, -0xa

        $sequence_1 = { e8???????? 89c6 eb18 85f6 7914 897c2408 c744240469060000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   89c6                 | mov                 esi, eax
            //   eb18                 | jmp                 0x1a
            //   85f6                 | test                esi, esi
            //   7914                 | jns                 0x16
            //   897c2408             | mov                 dword ptr [esp + 8], edi
            //   c744240469060000     | mov                 dword ptr [esp + 4], 0x669

        $sequence_2 = { 98 86e4 9c 6623c7 0fbaf814 8f442500 66f7d0 }
            // n = 7, score = 100
            //   98                   | cwde                
            //   86e4                 | xchg                ah, ah
            //   9c                   | pushfd              
            //   6623c7               | and                 ax, di
            //   0fbaf814             | btc                 eax, 0x14
            //   8f442500             | pop                 dword ptr [ebp]
            //   66f7d0               | not                 ax

        $sequence_3 = { e8???????? ebf2 8b4314 c1e80a eb4b 8b4314 25ff030000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   ebf2                 | jmp                 0xfffffff4
            //   8b4314               | mov                 eax, dword ptr [ebx + 0x14]
            //   c1e80a               | shr                 eax, 0xa
            //   eb4b                 | jmp                 0x4d
            //   8b4314               | mov                 eax, dword ptr [ebx + 0x14]
            //   25ff030000           | and                 eax, 0x3ff

        $sequence_4 = { ff510c 8b4618 85c0 7428 807e0700 7f22 c1e003 }
            // n = 7, score = 100
            //   ff510c               | call                dword ptr [ecx + 0xc]
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   85c0                 | test                eax, eax
            //   7428                 | je                  0x2a
            //   807e0700             | cmp                 byte ptr [esi + 7], 0
            //   7f22                 | jg                  0x24
            //   c1e003               | shl                 eax, 3

        $sequence_5 = { b801000000 7522 8b06 0fb74006 89442404 8b442420 890424 }
            // n = 7, score = 100
            //   b801000000           | mov                 eax, 1
            //   7522                 | jne                 0x24
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   0fb74006             | movzx               eax, word ptr [eax + 6]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   890424               | mov                 dword ptr [esp], eax

        $sequence_6 = { 8b442420 f644241480 894350 8a442425 884354 8a442426 884355 }
            // n = 7, score = 100
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   f644241480           | test                byte ptr [esp + 0x14], 0x80
            //   894350               | mov                 dword ptr [ebx + 0x50], eax
            //   8a442425             | mov                 al, byte ptr [esp + 0x25]
            //   884354               | mov                 byte ptr [ebx + 0x54], al
            //   8a442426             | mov                 al, byte ptr [esp + 0x26]
            //   884355               | mov                 byte ptr [ebx + 0x55], al

        $sequence_7 = { f9 35281d135f f8 c1c803 81fda95ea722 f8 663bfb }
            // n = 7, score = 100
            //   f9                   | stc                 
            //   35281d135f           | xor                 eax, 0x5f131d28
            //   f8                   | clc                 
            //   c1c803               | ror                 eax, 3
            //   81fda95ea722         | cmp                 ebp, 0x22a75ea9
            //   f8                   | clc                 
            //   663bfb               | cmp                 di, bx

        $sequence_8 = { f7d0 85ed f6c637 f5 f7d8 c1c003 f7d8 }
            // n = 7, score = 100
            //   f7d0                 | not                 eax
            //   85ed                 | test                ebp, ebp
            //   f6c637               | test                dh, 0x37
            //   f5                   | cmc                 
            //   f7d8                 | neg                 eax
            //   c1c003               | rol                 eax, 3
            //   f7d8                 | neg                 eax

        $sequence_9 = { c3 8b442408 8b542404 c7400400000000 895008 8d500c 8910 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   8b542404             | mov                 edx, dword ptr [esp + 4]
            //   c7400400000000       | mov                 dword ptr [eax + 4], 0
            //   895008               | mov                 dword ptr [eax + 8], edx
            //   8d500c               | lea                 edx, [eax + 0xc]
            //   8910                 | mov                 dword ptr [eax], edx

    condition:
        7 of them and filesize < 6438912
}
Download all Yara Rules