There is no description at this point.
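rule win_arcane_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.arcane_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arcane_stealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The hex byte sequences below are the authoritative signature; they are
     *   unchanged from the generated rule (n = opcode count, score = signator
     *   ranking).
     * - The per-instruction annotations published with the generated rule did
     *   not decode the bytes on their own line (e.g. "415e" was labelled
     *   "dec eax"; it is "pop r14"). They have been replaced by a manual
     *   64-bit decode of each sequence, since the REX prefixes (41/44/45/48/
     *   49/4a/4c) indicate x86-64 code.
     * - "e8 ????????" / "ff15 ????????" wildcard the call targets, so the rule
     *   tolerates relocated call destinations. RIP-relative displacements in
     *   the LEA instructions (e.g. 4c8d05 f9b50000) are NOT wildcarded, so
     *   those sequences are tied to the code layout of the documented sample;
     *   expect reduced generalization across builds (see DISCLAIMER).
     * - "7 of them" requires 7 of the 10 sequences; the filesize bound only
     *   applies to file scans - verify how your scanner populates filesize
     *   when scanning process memory or carved regions before relying on it.
     */

    strings:
        $sequence_0 = { 44894c2474 e8???????? ba07010000 488dbc2400100000 4889f9 4c8d05f9b50000 48895c2458 }
            // n = 7, score = 100
            //   44894c2474          | mov dword ptr [rsp + 0x74], r9d
            //   e8????????          | call <rel32>
            //   ba07010000          | mov edx, 0x107
            //   488dbc2400100000    | lea rdi, [rsp + 0x1000]
            //   4889f9              | mov rcx, rdi
            //   4c8d05f9b50000      | lea r8, [rip + 0xb5f9]
            //   48895c2458          | mov qword ptr [rsp + 0x58], rbx

        $sequence_1 = { 415e 415f c3 4c8b4c2468 0f57c0 0f11442428 4c89642420 }
            // n = 7, score = 100
            //   415e                | pop r14
            //   415f                | pop r15
            //   c3                  | ret
            //   4c8b4c2468          | mov r9, qword ptr [rsp + 0x68]
            //   0f57c0              | xorps xmm0, xmm0
            //   0f11442428          | movups xmmword ptr [rsp + 0x28], xmm0
            //   4c89642420          | mov qword ptr [rsp + 0x20], r12

        $sequence_2 = { 4989c7 4801c0 4939ef 72f5 4c89f1 4c89fa }
            // n = 6, score = 100
            //   4989c7              | mov r15, rax
            //   4801c0              | add rax, rax
            //   4939ef              | cmp r15, rbp
            //   72f5                | jb <short, -0xb>
            //   4c89f1              | mov rcx, r14
            //   4c89fa              | mov rdx, r15

        $sequence_3 = { ba20000000 4889f1 e8???????? eb07 488d35bae30000 4889f1 ff15???????? }
            // n = 7, score = 100
            //   ba20000000          | mov edx, 0x20
            //   4889f1              | mov rcx, rsi
            //   e8????????          | call <rel32>
            //   eb07                | jmp <short, +7>
            //   488d35bae30000      | lea rsi, [rip + 0xe3ba]
            //   4889f1              | mov rcx, rsi
            //   ff15????????        | call qword ptr [rip + <disp32>]

        $sequence_4 = { 41b840040000 4889d9 31d2 e8???????? 4889f9 31d2 4531c0 }
            // n = 7, score = 100
            //   41b840040000        | mov r8d, 0x440
            //   4889d9              | mov rcx, rbx
            //   31d2                | xor edx, edx
            //   e8????????          | call <rel32>
            //   4889f9              | mov rcx, rdi
            //   31d2                | xor edx, edx
            //   4531c0              | xor r8d, r8d

        $sequence_5 = { 488b4c2448 31d2 ff15???????? 488d4c2450 e8???????? 488d4c2430 e8???????? }
            // n = 7, score = 100
            //   488b4c2448          | mov rcx, qword ptr [rsp + 0x48]
            //   31d2                | xor edx, edx
            //   ff15????????        | call qword ptr [rip + <disp32>]
            //   488d4c2450          | lea rcx, [rsp + 0x50]
            //   e8????????          | call <rel32>
            //   488d4c2430          | lea rcx, [rsp + 0x30]
            //   e8????????          | call <rel32>

        $sequence_6 = { 89542430 89442428 894c2420 ba40000000 488d8c24b0030000 4c8d0549f80000 e8???????? }
            // n = 7, score = 100
            //   89542430            | mov dword ptr [rsp + 0x30], edx
            //   89442428            | mov dword ptr [rsp + 0x28], eax
            //   894c2420            | mov dword ptr [rsp + 0x20], ecx
            //   ba40000000          | mov edx, 0x40
            //   488d8c24b0030000    | lea rcx, [rsp + 0x3b0]
            //   4c8d0549f80000      | lea r8, [rip + 0xf849]
            //   e8????????          | call <rel32>

        $sequence_7 = { 74ed 4c89f1 e8???????? 4989c7 4889d9 4c89f2 4989c0 }
            // n = 7, score = 100
            //   74ed                | je <short, -0x13>
            //   4c89f1              | mov rcx, r14
            //   e8????????          | call <rel32>
            //   4989c7              | mov r15, rax
            //   4889d9              | mov rcx, rbx
            //   4c89f2              | mov rdx, r14
            //   4989c0              | mov r8, rax

        $sequence_8 = { 7420 4a8b8c3430010000 4885c9 74ea e8???????? }
            // n = 5, score = 100
            //   7420                | je <short, +0x20>
            //   4a8b8c3430010000    | mov rcx, qword ptr [rsp + r14 + 0x130]
            //   4885c9              | test rcx, rcx
            //   74ea                | je <short, -0x16>
            //   e8????????          | call <rel32>

        $sequence_9 = { 85c0 7442 488b8424a0000000 448b4808 8b400c 410fb7c9 }
            // n = 6, score = 100
            //   85c0                | test eax, eax
            //   7442                | je <short, +0x42>
            //   488b8424a0000000    | mov rax, qword ptr [rsp + 0xa0]
            //   448b4808            | mov r9d, dword ptr [rax + 8]
            //   8b400c              | mov eax, dword ptr [rax + 0xc]
            //   410fb7c9            | movzx ecx, r9w

    condition:
        7 of them and filesize < 346112
}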