There is no description at this point.
rule win_banatrix_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.banatrix." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 85c0 74e3 8b5320 0345d0 } // n = 4, score = 200 // 85c0 | test eax, eax // 74e3 | je 0xffffffe5 // 8b5320 | mov edx, dword ptr [ebx + 0x20] // 0345d0 | add eax, dword ptr [ebp - 0x30] $sequence_1 = { 0fb706 3b4314 7798 8d0487 03431c 0338 89f8 } // n = 7, score = 200 // 0fb706 | movzx eax, word ptr [esi] // 3b4314 | cmp eax, dword ptr [ebx + 0x14] // 7798 | ja 0xffffff9a // 8d0487 | lea eax, [edi + eax*4] // 03431c | add eax, dword ptr [ebx + 0x1c] // 0338 | add edi, dword ptr [eax] // 89f8 | mov eax, edi $sequence_2 = { 891c24 89442408 e8???????? 8b55c0 85c0 } // n = 5, score = 200 // 891c24 | mov dword ptr [esp], ebx // 89442408 | mov dword ptr [esp + 8], eax // e8???????? | // 8b55c0 | mov edx, dword ptr [ebp - 0x40] // 85c0 | test eax, eax $sequence_3 = { 8b55c4 8b4dc0 89c6 83ec10 894208 89f7 } // n = 6, score = 200 // 8b55c4 | mov edx, dword ptr [ebp - 0x3c] // 8b4dc0 | mov ecx, dword ptr [ebp - 0x40] // 89c6 | mov esi, eax // 83ec10 | sub esp, 0x10 // 894208 | mov dword ptr [edx + 8], eax // 89f7 | mov edi, esi $sequence_4 = { 8b7508 8b4a10 037214 89c7 } // n = 4, score = 200 // 8b7508 | mov esi, dword ptr [ebp + 8] // 8b4a10 | mov ecx, dword ptr [edx + 0x10] // 037214 | add esi, dword ptr [edx + 0x14] // 89c7 | mov edi, eax $sequence_5 = { 8b03 c745d000000000 0fb75014 8d741018 e9???????? } // n = 5, score = 200 // 8b03 | mov eax, dword ptr [ebx] // c745d000000000 | mov dword ptr [ebp - 0x30], 0 // 0fb75014 | movzx edx, word ptr [eax + 0x14] // 8d741018 | lea esi, [eax + edx + 0x18] // e9???????? | $sequence_6 = { 75d3 eb30 8b55d0 8d440202 ebd4 8b4320 } // n = 6, score = 200 // 75d3 | jne 0xffffffd5 // eb30 | jmp 0x32 // 8b55d0 | mov edx, dword ptr [ebp - 0x30] // 8d440202 | lea eax, [edx + eax + 2] // ebd4 | jmp 0xffffffd6 // 8b4320 | mov eax, dword ptr [ebx + 0x20] $sequence_7 = { 8b02 85c0 740c 8b55d0 } // n = 4, score = 200 // 8b02 | mov eax, dword ptr [edx] // 85c0 | test eax, eax // 740c | je 0xe // 8b55d0 | mov edx, dword ptr [ebp - 0x30] $sequence_8 = { 7514 a840 7405 8b4a20 eb07 a880 74a6 } // n = 7, score = 200 // 7514 | jne 0x16 // a840 | test al, 0x40 // 7405 | je 7 // 8b4a20 | mov ecx, dword ptr [edx + 0x20] // eb07 | jmp 9 // a880 | test al, 0x80 // 74a6 | je 0xffffffa8 $sequence_9 = { 894c2404 c744240c04000000 c744240800100000 03420c 894dc0 } // n = 5, score = 200 // 894c2404 | mov dword ptr [esp + 4], ecx // c744240c04000000 | mov dword ptr [esp + 0xc], 4 // c744240800100000 | mov dword ptr [esp + 8], 0x1000 // 03420c | add eax, dword ptr [edx + 0xc] // 894dc0 | mov dword ptr [ebp - 0x40], ecx condition: 7 of them and filesize < 180224 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY