No description has been written for this family yet.
rule win_alureon_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.alureon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Reviewer notes on the patterns below (hedged where not directly verifiable):
        //
        //  * Each pattern is an opcode sequence lifted from unpacked/dumped code.
        //    "n" is the instruction count; "score" is the weight reported by
        //    yara-signator (200 for $sequence_0-7, 100 for $sequence_8-15) --
        //    presumably a per-sample support weight, confirm against the
        //    yara-signator documentation before using it for confidence scoring.
        //
        //  * The generator's inline disassembly is 32-bit. In $sequence_0-7 the
        //    bytes 0x40-0x4f are shown as inc/dec r32, but in 64-bit mode those
        //    are REX prefixes (e.g. "48 8d 44 ad 00" is lea rax,[rbp+rbp*4], and
        //    "4d 63 4b 3c" is movsxd r9,[r11+0x3c]). $sequence_8-15 use plain
        //    esp/ebp-relative 32-bit idioms. The two groups therefore look like
        //    they come from samples of different bitness, so "7 of" 16 effectively
        //    requires nearly all of one group on any given sample -- treat a
        //    hit as strong and a miss as uninformative.
        //
        //  * Offset 0x3c in $sequence_4 is e_lfanew and $sequence_3 masks with
        //    0xfff, which is consistent with manual PE header walking and
        //    relocation processing (loader/bootkit style code) -- inferred, not
        //    verified against the sample.
        //
        //  * $sequence_14 writes immediates 0x0a242c83 and 0xb8 into a stack
        //    buffer; those bytes decode to "sub dword ptr [esp],0xa ; mov eax,imm32",
        //    i.e. it appears to assemble a small code stub in memory at run time.
        //
        //  * Memory scans are the intended use (patterns come from unpacked code);
        //    on-disk packed samples will usually not match.

        // 64-bit group (score 200)

        // n = 6, score = 200
        // add eax, -8 ; je 0x40 ; inc esp ; lea edx, [eax - 1] ; inc ecx ; shr edx, 1
        $sequence_0 = { 83 c0 f8 74 3e 44 8d 50 ff 41 d1 ea }

        // n = 4, score = 200
        // dec eax ; inc ebp ; dec eax ; lea eax, [ebp + ebp*4]
        $sequence_1 = { 48 ff c5 48 8d 44 ad 00 }

        // n = 5, score = 200
        // movzx eax, word ptr [ebx + 0x14] ; mov esi, dword ptr [ebx + 0x50] ;
        // push edi ; push esi ; lea eax, [eax + ebx + 0x18]
        $sequence_2 = { 0f b7 43 14 8b 73 50 57 56 8d 44 18 18 }

        // n = 6, score = 200
        // jne 0x13 ; mov ecx, dword ptr [edx] ; inc ecx ; and eax, 0xfff ;
        // dec ebx ; lea eax, [ebx + eax]
        $sequence_3 = { 75 11 8b 0a 41 81 e0 ff 0f 00 00 4b 8d 04 03 }

        // n = 6, score = 200
        // jb 0xffffffe2 ; dec ebp ; arpl word ptr [ebx + 0x3c], cx ; dec ebp ;
        // add ecx, ebx ; je 0x200
        $sequence_4 = { 72 e0 4d 63 4b 3c 4d 03 cb 0f 84 fa 01 00 00 }

        // n = 5, score = 200
        // add cl, dl ; add byte ptr [ebp - 3], cl ; movzx ecx, byte ptr [ebp - 3] ;
        // lea ecx, [ebp + ecx - 0x104] ; mov bl, byte ptr [ecx]
        $sequence_5 = { 02 ca 00 4d fd 0f b6 4d fd 8d 8c 0d fc fe ff ff 8a 19 }

        // n = 5, score = 200
        // jne 0xffffffd3 ; mov edi, dword ptr [ebp - 0xc] ; mov eax, dword ptr [ebp + 0x14] ;
        // test esi, esi ; jne 0xffffffb2
        $sequence_6 = { 75 d1 8b 7d f4 8b 45 14 85 f6 75 b0 }

        // n = 7, score = 200
        // inc ecx ; mov esi, dword ptr [ecx + 0xb4] ; dec ecx ; lea edx, [ebx + eax] ;
        // jmp 0x51 ; mov eax, dword ptr [edx + 4] ; dec eax
        $sequence_7 = { 41 8b b1 b4 00 00 00 49 8d 14 03 eb 4f 8b 42 04 48 }

        // 32-bit group (score 100); "??" masks relocated call/load targets

        // n = 6, score = 100
        // push esi ; push 1 ; push ebx ; call [imm32] ; push ebx ; mov dword ptr [esp + 0x14], eax
        $sequence_8 = { 56 6a 01 53 ff 15 ?? ?? ?? ?? 53 89 44 24 14 }

        // n = 7, score = 100
        // push esi ; push esi ; push 8 ; push esi ; push edi ; call [imm32] ; mov ebp, [imm32]
        $sequence_9 = { 56 56 6a 08 56 57 ff 15 ?? ?? ?? ?? 8b 2d ?? ?? ?? ?? }

        // n = 6, score = 100
        // push eax ; push dword ptr [ebp - 8] ; push dword ptr [ebp - 0x18] ; call [imm32] ;
        // test eax, eax ; jne 0x29
        $sequence_10 = { 50 ff 75 f8 ff 75 e8 ff 15 ?? ?? ?? ?? 85 c0 75 27 }

        // n = 6, score = 100
        // push ebx ; lea eax, [esp + 0xb0] ; mov dword ptr [esp + 0x88], eax ; push 1 ;
        // lea eax, [esp + 0x7c] ; push eax
        $sequence_11 = { 53 8d 84 24 b0 00 00 00 89 84 24 88 00 00 00 6a 01 8d 44 24 7c 50 }

        // n = 6, score = 100
        // jne 0x29 ; lea eax, [ebp - 0x41c] ; push eax ; call rel32 ; test al, al ; pop ecx
        $sequence_12 = { 75 27 8d 85 e4 fb ff ff 50 e8 ?? ?? ?? ?? 84 c0 59 }

        // n = 7, score = 100
        // pop ecx ; ret ; xor ecx, ecx ; cmp dword ptr [esp + 8], ecx ; jbe 0x16 ;
        // mov eax, dword ptr [esp + 4] ; mov dl, cl
        $sequence_13 = { 59 c3 33 c9 39 4c 24 08 76 14 8b 44 24 04 8a d1 }

        // n = 4, score = 100
        // mov dword ptr [esp + 0x6e], ebx ; mov dword ptr [esp + 0x72], 0xa242c83 ;
        // mov byte ptr [esp + 0x76], 0xb8 ; mov dword ptr [esp + 0x77], eax
        $sequence_14 = { 89 5c 24 6e c7 44 24 72 83 2c 24 0a c6 44 24 76 b8 89 44 24 77 }

        // n = 7, score = 100
        // sub esp, 0x158 ; push esi ; push edi ; push 0 ; push 0 ; lea eax, [ebp - 0x54] ; push eax
        $sequence_15 = { 81 ec 58 01 00 00 56 57 6a 00 6a 00 8d 45 ac 50 }

    condition:
        // Size gate first (cheap), then the sequence threshold. "$sequence_*"
        // covers every string in this rule, so this is the same as "7 of them".
        filesize < 278528 and 7 of ($sequence_*)
}