Actor(s): Lazarus Group, Silent Chollima
There is no description at this point.
rule win_bistromath_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.bistromath." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { eb4c 8b4de8 33c0 8bd7 66894314 e8???????? 85c0 } // n = 7, score = 400 // eb4c | jmp 0x4e // 8b4de8 | mov ecx, dword ptr [ebp - 0x18] // 33c0 | xor eax, eax // 8bd7 | mov edx, edi // 66894314 | mov word ptr [ebx + 0x14], ax // e8???????? | // 85c0 | test eax, eax $sequence_1 = { e8???????? 2500030000 c3 8bff 55 8bec 668b4d0e } // n = 7, score = 400 // e8???????? | // 2500030000 | and eax, 0x300 // c3 | ret // 8bff | mov edi, edi // 55 | push ebp // 8bec | mov ebp, esp // 668b4d0e | mov cx, word ptr [ebp + 0xe] $sequence_2 = { eb03 8b5dc4 8b5508 83c730 3b7de4 0f8200ffffff 33ff } // n = 7, score = 400 // eb03 | jmp 5 // 8b5dc4 | mov ebx, dword ptr [ebp - 0x3c] // 8b5508 | mov edx, dword ptr [ebp + 8] // 83c730 | add edi, 0x30 // 3b7de4 | cmp edi, dword ptr [ebp - 0x1c] // 0f8200ffffff | jb 0xffffff06 // 33ff | xor edi, edi $sequence_3 = { e8???????? 3b450c 7430 8bcf e8???????? 8903 85c0 } // n = 7, score = 400 // e8???????? | // 3b450c | cmp eax, dword ptr [ebp + 0xc] // 7430 | je 0x32 // 8bcf | mov ecx, edi // e8???????? | // 8903 | mov dword ptr [ebx], eax // 85c0 | test eax, eax $sequence_4 = { eb16 84db 7406 02c3 3c62 75db 8b4d0c } // n = 7, score = 400 // eb16 | jmp 0x18 // 84db | test bl, bl // 7406 | je 8 // 02c3 | add al, bl // 3c62 | cmp al, 0x62 // 75db | jne 0xffffffdd // 8b4d0c | mov ecx, dword ptr [ebp + 0xc] $sequence_5 = { ffd0 83c414 85c0 0f850f010000 8b4df4 8b5340 83c104 } // n = 7, score = 400 // ffd0 | call eax // 83c414 | add esp, 0x14 // 85c0 | test eax, eax // 0f850f010000 | jne 0x115 // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 8b5340 | mov edx, dword ptr [ebx + 0x40] // 83c104 | add ecx, 4 $sequence_6 = { eb0b 85f6 0f85c9000000 8b4508 8d34dd01000000 8bc8 8bd6 } // n = 7, score = 400 // eb0b | jmp 0xd // 85f6 | test esi, esi // 0f85c9000000 | jne 0xcf // 8b4508 | mov eax, dword ptr [ebp + 8] // 8d34dd01000000 | lea esi, [ebx*8 + 1] // 8bc8 | mov ecx, eax // 8bd6 | mov edx, esi $sequence_7 = { ff742424 e8???????? 83c410 8b442418 c6401101 8b442440 ff4018 } // n = 7, score = 400 // ff742424 | push dword ptr [esp + 0x24] // e8???????? | // 83c410 | add esp, 0x10 // 8b442418 | mov eax, dword ptr [esp + 0x18] // c6401101 | mov byte ptr [eax + 0x11], 1 // 8b442440 | mov eax, dword ptr [esp + 0x40] // ff4018 | inc dword ptr [eax + 0x18] $sequence_8 = { eb09 ff7708 50 68???????? 50 53 e8???????? } // n = 7, score = 400 // eb09 | jmp 0xb // ff7708 | push dword ptr [edi + 8] // 50 | push eax // 68???????? | // 50 | push eax // 53 | push ebx // e8???????? | $sequence_9 = { 8bec 83ec20 803900 7506 33c0 8be5 5d } // n = 7, score = 400 // 8bec | mov ebp, esp // 83ec20 | sub esp, 0x20 // 803900 | cmp byte ptr [ecx], 0 // 7506 | jne 8 // 33c0 | xor eax, eax // 8be5 | mov esp, ebp // 5d | pop ebp condition: 7 of them and filesize < 33816576 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
