There is no description at this point.
// Autogenerated code-sequence rule for win.atlantida (yara-signator output).
// The ten $sequence_* strings are short x86 instruction runs taken from
// unpacked / memory-dumped code; the rule fires when at least 7 of the 10
// are present and the scanned object stays under the filesize cap.
// Because the byte patterns come from unpacked code, expect hits on memory
// images and unpacked samples rather than on packed on-disk files.
rule win_atlantida_auto
{
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.atlantida."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atlantida"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Every sequence is 7 instructions long (n = 7) with signator score 100.
        // "??" wildcards mask the rel32 operand of E8 (call) / E9 (jmp) so the
        // sequence does not depend on where the target lands in a given build.

        // D0 C2             | rol dl, 1
        // 80 F2 0A          | xor dl, 0xa
        // 0B C1             | or eax, ecx
        // 33 C8             | xor ecx, eax
        // F6 DA             | neg dl
        // 32 DA             | xor bl, dl
        // 23 C0             | and eax, eax
        $sequence_0 = { D0 C2 80 F2 0A 0B C1 33 C8 F6 DA 32 DA 23 C0 }

        // FF E2                   | jmp edx
        // 8B 17                   | mov edx, dword ptr [edi]
        // B8 AE 3F BB 95          | mov eax, 0x95bb3fae
        // 66 0F B6 0C 22          | movzx cx, byte ptr [edx]
        // 66 89 4C 27 02          | mov word ptr [edi + 2], cx
        // 0F BF C8                | movsx ecx, ax
        // 8B 8C 31 4E C0 FF FF    | mov ecx, dword ptr [ecx + esi - 0x3fb2]
        $sequence_1 = { FF E2 8B 17 B8 AE 3F BB 95 66 0F B6 0C 22 66 89 4C 27 02 0F BF C8 8B 8C 31 4E C0 FF FF }

        // FF E6                               | jmp esi
        // F7 D9                               | neg ecx
        // F7 D1                               | not ecx
        // 41                                  | inc ecx
        // 0F BE F5                            | movsx esi, ch
        // 4A                                  | dec edx
        // C7 84 3C 6C EB 46 EC 07 F2 2A BC    | mov dword ptr [esp + edi - 0x13b91494], 0xbc2af207
        $sequence_2 = { FF E6 F7 D9 F7 D1 41 0F BE F5 4A C7 84 3C 6C EB 46 EC 07 F2 2A BC }

        // E9 ?? ?? ?? ??          | jmp (rel32 target wildcarded)
        // D3 84 0C 9E 29 CB FF    | rol dword ptr [esp + ecx - 0x34d662], cl
        // 89 94 48 3C 53 96 FF    | mov dword ptr [eax + ecx*2 - 0x69acc4], edx
        // 8B D1                   | mov edx, ecx
        // 23 CA                   | and ecx, edx
        // 5A                      | pop edx
        // 8B 94 0D A6 29 CB FF    | mov edx, dword ptr [ebp + ecx - 0x34d65a]
        $sequence_3 = { E9 ?? ?? ?? ?? D3 84 0C 9E 29 CB FF 89 94 48 3C 53 96 FF 8B D1 23 CA 5A 8B 94 0D A6 29 CB FF }

        // FF 74 24 00         | push dword ptr [esp]
        // 9D                  | popfd
        // 48                  | dec eax
        // 8D 64 24 08         | lea esp, [esp + 8]
        // E8 ?? ?? ?? ??      | call (rel32 target wildcarded)
        // B9 33 6D AC CA      | mov ecx, 0xcaac6d33
        // F7 D9               | neg ecx
        $sequence_4 = { FF 74 24 00 9D 48 8D 64 24 08 E8 ?? ?? ?? ?? B9 33 6D AC CA F7 D9 }

        // E8 ?? ?? ?? ??          | call (rel32 target wildcarded)
        // 4A                      | dec edx
        // 51                      | push ecx
        // 66 C1 F8 A7             | sar ax, 0xa7
        // 89 84 0C 06 00 A1 E9    | mov dword ptr [esp + ecx - 0x165efffa], eax
        // F7 D2                   | not edx
        // 13 D0                   | adc edx, eax
        $sequence_5 = { E8 ?? ?? ?? ?? 4A 51 66 C1 F8 A7 89 84 0C 06 00 A1 E9 F7 D2 13 D0 }

        // FF E0                   | jmp eax
        // 8A 94 3A 1E 00 11 85    | mov dl, byte ptr [edx + edi - 0x7aeeffe2]
        // F6 D0                   | not al
        // 0F A3 C9                | bt ecx, ecx
        // 51                      | push ecx
        // 66 19 4C 24 10          | sbb word ptr [esp + 0x10], cx
        // F6 D2                   | not dl
        $sequence_6 = { FF E0 8A 94 3A 1E 00 11 85 F6 D0 0F A3 C9 51 66 19 4C 24 10 F6 D2 }

        // FF CE                   | dec esi
        // 51                      | push ecx
        // 0F 8F 9F 51 EA FF       | jg 0xffea51a5
        // 8B BC 1C 7C 69 E2 AC    | mov edi, dword ptr [esp + ebx - 0x531d9684]
        // E8 ?? ?? ?? ??          | call (rel32 target wildcarded)
        // FF C7                   | inc edi
        // 81 E2 92 29 1A CE       | and edx, 0xce1a2992
        $sequence_7 = { FF CE 51 0F 8F 9F 51 EA FF 8B BC 1C 7C 69 E2 AC E8 ?? ?? ?? ?? FF C7 81 E2 92 29 1A CE }

        // FF C7                   | inc edi
        // 4A                      | dec edx
        // 8D 8C 36 1E 28 0A 7A    | lea ecx, [esi + esi + 0x7a0a281e]
        // 4E                      | dec esi
        // 23 AC 6C 92 FE AD B6    | and ebp, dword ptr [esp + ebp*2 - 0x4952016e]
        // 4E                      | dec esi
        // 89 8C 6C A2 FE AD B6    | mov dword ptr [esp + ebp*2 - 0x4952015e], ecx
        $sequence_8 = { FF C7 4A 8D 8C 36 1E 28 0A 7A 4E 23 AC 6C 92 FE AD B6 4E 89 8C 6C A2 FE AD B6 }

        // FF 75 E8            | push dword ptr [ebp - 0x18]
        // C6 45 CC 00         | mov byte ptr [ebp - 0x34], 0
        // FF 75 CC            | push dword ptr [ebp - 0x34]
        // 51                  | push ecx
        // 8D 4D D0            | lea ecx, [ebp - 0x30]
        // E8 ?? ?? ?? ??      | call (rel32 target wildcarded)
        // 46                  | inc esi
        $sequence_9 = { FF 75 E8 C6 45 CC 00 FF 75 CC 51 8D 4D D0 E8 ?? ?? ?? ?? 46 }

    condition:
        // Size guard first (cheap), then require 7 of the 10 code sequences.
        // Single-sample derivation (see DISCLAIMER): treat a hit as a strong
        // but not definitive family indicator and confirm with other evidence.
        filesize < 13793280 and 7 of ($sequence_*)
}