Actor(s): Lazarus Group
There is no description at this point.
rule win_badcall_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.badcall." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 83c108 8901 8b44240c 895104 8b542410 } // n = 5, score = 300 // 83c108 | add ecx, 8 // 8901 | mov dword ptr [ecx], eax // 8b44240c | mov eax, dword ptr [esp + 0xc] // 895104 | mov dword ptr [ecx + 4], edx // 8b542410 | mov edx, dword ptr [esp + 0x10] $sequence_1 = { 83c408 8bce 6a17 6a01 57 53 e8???????? } // n = 7, score = 300 // 83c408 | add esp, 8 // 8bce | mov ecx, esi // 6a17 | push 0x17 // 6a01 | push 1 // 57 | push edi // 53 | push ebx // e8???????? | $sequence_2 = { 89442408 c1e902 f3a5 8bca 50 83e103 8d442410 } // n = 7, score = 300 // 89442408 | mov dword ptr [esp + 8], eax // c1e902 | shr ecx, 2 // f3a5 | rep movsd dword ptr es:[edi], dword ptr [esi] // 8bca | mov ecx, edx // 50 | push eax // 83e103 | and ecx, 3 // 8d442410 | lea eax, [esp + 0x10] $sequence_3 = { 6a01 8d542420 53 52 50 ff15???????? } // n = 6, score = 300 // 6a01 | push 1 // 8d542420 | lea edx, [esp + 0x20] // 53 | push ebx // 52 | push edx // 50 | push eax // ff15???????? | $sequence_4 = { 894204 8b4108 894208 8b490c 894a0c 8d4c243c e8???????? } // n = 7, score = 300 // 894204 | mov dword ptr [edx + 4], eax // 8b4108 | mov eax, dword ptr [ecx + 8] // 894208 | mov dword ptr [edx + 8], eax // 8b490c | mov ecx, dword ptr [ecx + 0xc] // 894a0c | mov dword ptr [edx + 0xc], ecx // 8d4c243c | lea ecx, [esp + 0x3c] // e8???????? | $sequence_5 = { eb05 1bc0 83d8ff 85c0 754b bf???????? } // n = 6, score = 300 // eb05 | jmp 7 // 1bc0 | sbb eax, eax // 83d8ff | sbb eax, -1 // 85c0 | test eax, eax // 754b | jne 0x4d // bf???????? | $sequence_6 = { ff15???????? 83f8ff 7421 8b4604 68ffffff7f 50 } // n = 6, score = 300 // ff15???????? | // 83f8ff | cmp eax, -1 // 7421 | je 0x23 // 8b4604 | mov eax, dword ptr [esi + 4] // 68ffffff7f | push 0x7fffffff // 50 | push eax $sequence_7 = { 89542412 6689542416 ff15???????? 8b4e04 6689442406 } // n = 5, score = 300 // 89542412 | mov dword ptr [esp + 0x12], edx // 6689542416 | mov word ptr [esp + 0x16], dx // ff15???????? | // 8b4e04 | mov ecx, dword ptr [esi + 4] // 6689442406 | mov word ptr [esp + 6], ax $sequence_8 = { 8b84243c010000 52 8b94243c010000 50 52 e8???????? 85c0 } // n = 7, score = 200 // 8b84243c010000 | mov eax, dword ptr [esp + 0x13c] // 52 | push edx // 8b94243c010000 | mov edx, dword ptr [esp + 0x13c] // 50 | push eax // 52 | push edx // e8???????? | // 85c0 | test eax, eax $sequence_9 = { 8bbc244c430000 3b7804 7c12 5f 5e } // n = 5, score = 200 // 8bbc244c430000 | mov edi, dword ptr [esp + 0x434c] // 3b7804 | cmp edi, dword ptr [eax + 4] // 7c12 | jl 0x14 // 5f | pop edi // 5e | pop esi $sequence_10 = { 899024020000 8b94242c010000 898828020000 89902c020000 83c004 50 8d44240c } // n = 7, score = 200 // 899024020000 | mov dword ptr [eax + 0x224], edx // 8b94242c010000 | mov edx, dword ptr [esp + 0x12c] // 898828020000 | mov dword ptr [eax + 0x228], ecx // 89902c020000 | mov dword ptr [eax + 0x22c], edx // 83c004 | add eax, 4 // 50 | push eax // 8d44240c | lea eax, [esp + 0xc] $sequence_11 = { 81c438430000 c21000 8b16 52 e8???????? 83c404 8bc7 } // n = 7, score = 200 // 81c438430000 | add esp, 0x4338 // c21000 | ret 0x10 // 8b16 | mov edx, dword ptr [esi] // 52 | push edx // e8???????? | // 83c404 | add esp, 4 // 8bc7 | mov eax, edi $sequence_12 = { 83fd03 7336 8b4c2410 85c9 0f844d070000 8bd1 } // n = 6, score = 200 // 83fd03 | cmp ebp, 3 // 7336 | jae 0x38 // 8b4c2410 | mov ecx, dword ptr [esp + 0x10] // 85c9 | test ecx, ecx // 0f844d070000 | je 0x753 // 8bd1 | mov edx, ecx $sequence_13 = { 668b10 8d442400 8d4c2408 50 51 } // n = 5, score = 200 // 668b10 | mov dx, word ptr [eax] // 8d442400 | lea eax, [esp] // 8d4c2408 | lea ecx, [esp + 8] // 50 | push eax // 51 | push ecx $sequence_14 = { 56 57 8b7c241c 83ff01 741b } // n = 5, score = 200 // 56 | push esi // 57 | push edi // 8b7c241c | mov edi, dword ptr [esp + 0x1c] // 83ff01 | cmp edi, 1 // 741b | je 0x1d $sequence_15 = { 83fa12 750a c744241c07000000 eb07 83c2f2 8954241c } // n = 6, score = 200 // 83fa12 | cmp edx, 0x12 // 750a | jne 0xc // c744241c07000000 | mov dword ptr [esp + 0x1c], 7 // eb07 | jmp 9 // 83c2f2 | add edx, -0xe // 8954241c | mov dword ptr [esp + 0x1c], edx $sequence_16 = { e9???????? e8???????? 83c408 85c0 0f849dfcffff 8b8424a8000000 c7442428ae080000 } // n = 7, score = 100 // e9???????? | // e8???????? | // 83c408 | add esp, 8 // 85c0 | test eax, eax // 0f849dfcffff | je 0xfffffca3 // 8b8424a8000000 | mov eax, dword ptr [esp + 0xa8] // c7442428ae080000 | mov dword ptr [esp + 0x28], 0x8ae $sequence_17 = { 6a01 53 8915???????? 66ab ff15???????? 8b2d???????? 8d4c242c } // n = 7, score = 100 // 6a01 | push 1 // 53 | push ebx // 8915???????? | // 66ab | stosw word ptr es:[edi], ax // ff15???????? | // 8b2d???????? | // 8d4c242c | lea ecx, [esp + 0x2c] $sequence_18 = { c1f905 8d04c0 8b0c8de0ad0110 8d44810c 50 ff15???????? c3 } // n = 7, score = 100 // c1f905 | sar ecx, 5 // 8d04c0 | lea eax, [eax + eax*8] // 8b0c8de0ad0110 | mov ecx, dword ptr [ecx*4 + 0x1001ade0] // 8d44810c | lea eax, [ecx + eax*4 + 0xc] // 50 | push eax // ff15???????? | // c3 | ret $sequence_19 = { 8bd9 762f 8b6c2414 8bc7 2bc6 } // n = 5, score = 100 // 8bd9 | mov ebx, ecx // 762f | jbe 0x31 // 8b6c2414 | mov ebp, dword ptr [esp + 0x14] // 8bc7 | mov eax, edi // 2bc6 | sub eax, esi $sequence_20 = { 8a4dff 8d3c85e0ad0110 8bc3 80c901 83e01f 884d0b } // n = 6, score = 100 // 8a4dff | mov cl, byte ptr [ebp - 1] // 8d3c85e0ad0110 | lea edi, [eax*4 + 0x1001ade0] // 8bc3 | mov eax, ebx // 80c901 | or cl, 1 // 83e01f | and eax, 0x1f // 884d0b | mov byte ptr [ebp + 0xb], cl $sequence_21 = { 898424a0000000 ff15???????? 8d942498000000 6a10 52 } // n = 5, score = 100 // 898424a0000000 | mov dword ptr [esp + 0xa0], eax // ff15???????? | // 8d942498000000 | lea edx, [esp + 0x98] // 6a10 | push 0x10 // 52 | push edx $sequence_22 = { 6a00 50 8d842424010000 50 51 } // n = 5, score = 100 // 6a00 | push 0 // 50 | push eax // 8d842424010000 | lea eax, [esp + 0x124] // 50 | push eax // 51 | push ecx $sequence_23 = { ff12 e9???????? 8b442438 3bc3 8d8424a8000000 50 56 } // n = 7, score = 100 // ff12 | call dword ptr [edx] // e9???????? | // 8b442438 | mov eax, dword ptr [esp + 0x38] // 3bc3 | cmp eax, ebx // 8d8424a8000000 | lea eax, [esp + 0xa8] // 50 | push eax // 56 | push esi condition: 7 of them and filesize < 483328 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
