No description has been provided for this family yet.
rule win_blacklotus_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.blacklotus."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacklotus"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes
     * - Scope: the sequences come from unpacked code / memory dumps (see the
     *   disclaimer), so scan unpacked samples or process memory; a packed
     *   on-disk binary is not expected to match.
     * - Wildcards: `e8 ?? ?? ?? ??` masks the rel32 of a call, and
     *   `66 39 05 ?? ?? ?? ??` / `8b 15 ?? ?? ?? ??` mask a rip-relative
     *   disp32, so the bytes that change between builds or load addresses
     *   are not part of the match.
     * - The per-opcode disassembly annotations emitted by the generator are
     *   not reproduced here: in the generated output they do not line up with
     *   the bytes on the same line and decode the x64 REX prefix 0x48 as the
     *   32-bit `dec eax`, so they are not a reliable reading of what each
     *   sequence does. The `n`/`score` trailers from the generator are kept.
     * - The sequence identifiers are unchanged so that `yara -s` output stays
     *   the same as for the generated rule.
     */
    strings:
        $sequence_0 = { 488bf0 e8???????? 4533c0 8d530d 488d0da31c0000 }                              // n = 5, score = 100
        $sequence_1 = { 4c8bf0 e8???????? 4c8bf8 4885f6 }                                             // n = 4, score = 100
        $sequence_2 = { 663905???????? 0f85c2000000 be06000000 488d15741d0000 448bc6 488bcb }         // n = 6, score = 100
        $sequence_3 = { 7c10 6642837cc11010 7507 42395cc114 }                                         // n = 4, score = 100
        $sequence_4 = { c745487fff0400 e8???????? 488bcf 488bd8 e8???????? 498bce 488bf8 }            // n = 7, score = 100
        // Hand-decoded, confirm against a sample: looks like a byte shuffle inside a
        // 16-byte buffer addressed via r8 (offsets 6/7 <-> 0xa/0xe).
        $sequence_5 = { 418a400e 4188480a 418a4806 41884006 418a4007 4188480e }                       // n = 6, score = 100
        $sequence_6 = { 488b4940 e8???????? 3db01d0000 7277 3df0230000 }                              // n = 5, score = 100
        // Hand-decoded, confirm against a sample: reads as a generic x64 prologue
        // (spill rsi, push rdi, sub rsp, clear a stack slot, mov rsi, rdx); on its
        // own this is weak evidence, which the "7 of" threshold compensates for.
        $sequence_7 = { 4889742410 57 4883ec20 488364244000 488bf2 }                                  // n = 5, score = 100
        $sequence_8 = { ffc8 03c3 44888430d8070000 453bd1 72b9 8b15???????? ffca }                    // n = 7, score = 100
        $sequence_9 = { 8bda 488bf9 83fa02 0f824d010000 488d35b1160100 4585c0 }                       // n = 6, score = 100

    condition:
        // Require a majority of the ten sequences rather than any single one,
        // and bound the file size to the unpacked-sample range the rule was
        // generated from.
        7 of ($sequence_*) and filesize < 181248
}