win.boatlaunch

BOATLAUNCH

Actor(s): FIN7


FIN7 uses this malware as a helper module during intrusion operations. BOATLAUNCH continuously scans the infected system for PowerShell processes and patches them in memory to bypass the Windows Antimalware Scan Interface (AMSI), so that script content run in those processes is no longer submitted to the installed AV/EDR for scanning. Because the modification is made to running processes rather than to files on disk, detection opportunities lie in the cross-process memory write into PowerShell and in the resulting integrity of AMSI code in the target, not in on-disk PowerShell artifacts.

References
Yara Rules
[TLP:WHITE] win_boatlaunch_auto (20260504 | Detects win.boatlaunch.)
rule win_boatlaunch_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.boatlaunch."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boatlaunch"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (for practitioners deploying this rule)
     * - Every pattern below is a raw code fragment; there are no string,
     *   import or resource anchors. The rule is therefore only meaningful
     *   against unpacked samples or process/module memory. A packed or
     *   otherwise transformed on-disk copy will not match.
     * - The condition caps filesize at 33792 bytes (0x8400). That fits the
     *   small helper module this family is described as, but it excludes
     *   larger memory dumps; scan carved module regions or lift the cap when
     *   hunting in memory.
     * - Eight sequences carry REX prefixes (0x48/0x49/0x4c) and decode
     *   cleanly only as x86-64 code ($sequence_0, 2, 3, 6, 8, 10, 14, 15).
     *   Seven decode as 32-bit x86 ($sequence_4, 5, 7, 9, 11, 12, 13), and
     *   $sequence_1 has no REX prefix and fits either mode. The generator
     *   thus appears to have seen both a 32-bit and a 64-bit build, but a
     *   single-architecture sample can only contribute its own
     *   architecture's sequences toward the "7 of them" threshold, so in
     *   practice it must match almost all of them.
     * - The per-byte disassembly lines were derived directly from the hex
     *   bytes of each sequence and are a reading aid only; the hex is
     *   authoritative. Branch targets are given as signed displacements
     *   relative to the end of the branch instruction. "????" marks a wildcarded
     *   rel32/disp32 operand.
     */


    strings:
        $sequence_0 = { 56 57 4883ec38 488d6c2430 48c745f800000000 488d35901e0000 }
            // n = 6, score = 100
            // x86-64 function prologue: saves two non-volatile registers,
            // reserves a 0x38-byte frame, zeroes a local and loads a
            // RIP-relative address into rsi.
            //   56                   | push                rsi
            //   57                   | push                rdi
            //   4883ec38             | sub                 rsp, 0x38
            //   488d6c2430           | lea                 rbp, [rsp + 0x30]
            //   48c745f800000000     | mov                 qword ptr [rbp - 8], 0
            //   488d35901e0000       | lea                 rsi, [rip + 0x1e90]

        $sequence_1 = { 85c0 0f8440010000 8b75f4 ad 85c0 7505 }
            // n = 6, score = 100
            // No REX prefix; valid as either 32-bit or 64-bit code. Walks a
            // pointer array via lodsd and branches on a NULL entry.
            //   85c0                 | test                eax, eax
            //   0f8440010000         | je                  rel32 +0x140
            //   8b75f4               | mov                 esi, dword ptr [ebp - 0xc]
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 rel8 +5

        $sequence_2 = { e8???????? 488945c8 488b8d50110000 488b55d8 }
            // n = 4, score = 100
            // x86-64: stores a call result, then loads the first two
            // arguments (rcx, rdx) for a following call from the frame.
            //   e8????????           | call                rel32
            //   488945c8             | mov                 qword ptr [rbp - 0x38], rax
            //   488b8d50110000       | mov                 rcx, qword ptr [rbp + 0x1150]
            //   488b55d8             | mov                 rdx, qword ptr [rbp - 0x28]

        $sequence_3 = { 488b75e0 48ad 4885c0 7505 e9???????? 488bf8 }
            // n = 6, score = 100
            // x86-64 counterpart of $sequence_1: lodsq over a qword pointer
            // array, leave the loop on a NULL entry, otherwise keep the
            // pointer in rdi.
            //   488b75e0             | mov                 rsi, qword ptr [rbp - 0x20]
            //   48ad                 | lodsq               rax, qword ptr [rsi]
            //   4885c0               | test                rax, rax
            //   7505                 | jne                 rel8 +5
            //   e9????????           | jmp                 rel32
            //   488bf8               | mov                 rdi, rax

        $sequence_4 = { 6a00 ff35???????? e8???????? 8b45fc 5f 5e 5a }
            // n = 7, score = 100
            // 32-bit x86: cdecl-style call with a 0 and a global pushed as
            // arguments, followed by register restores of a function exit.
            //   6a00                 | push                0
            //   ff35????????         | push                dword ptr [disp32]
            //   e8????????           | call                rel32
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5a                   | pop                 edx

        $sequence_5 = { e8???????? 83c404 53 8d85e0eeffff 50 6aff }
            // n = 6, score = 100
            // 32-bit x86: caller-cleans one argument, then pushes ebx, the
            // address of a large local buffer (ebp - 0x1120) and -1 for the
            // next call.
            //   e8????????           | call                rel32
            //   83c404               | add                 esp, 4
            //   53                   | push                ebx
            //   8d85e0eeffff         | lea                 eax, [ebp - 0x1120]
            //   50                   | push                eax
            //   6aff                 | push                -1

        $sequence_6 = { 7430 4c8d45f4 41c7004833c0c3 488b4df8 49c7c104000000 }
            // n = 5, score = 100
            // x86-64: writes the 4-byte immediate 0xc3c03348 into a stack
            // local and loads that local's address into r8 and the value 4
            // into r9. In memory order the immediate is 48 33 c0 c3, which
            // decodes to `xor rax, rax ; ret` -- a 4-byte return-zero stub.
            // With rcx reloaded from [rbp - 8] this looks like the argument
            // setup for a write into a target process (handle, address,
            // &stub, size = 4), consistent with the in-memory AMSI patch
            // described for this family. NOTE(review): the callee is outside
            // the sequence; confirm against the sample before relying on it.
            //   7430                 | je                  rel8 +0x30
            //   4c8d45f4             | lea                 r8, [rbp - 0xc]
            //   41c7004833c0c3       | mov                 dword ptr [r8], 0xc3c03348
            //   488b4df8             | mov                 rcx, qword ptr [rbp - 8]
            //   49c7c104000000       | mov                 r9, 4

        $sequence_7 = { d1e0 50 ff733c 6aff }
            // n = 4, score = 100
            // 32-bit x86: doubles eax and pushes it together with [ebx + 0x3c]
            // and -1 as call arguments. Overlaps with $sequence_12/13.
            //   d1e0                 | shl                 eax, 1
            //   50                   | push                eax
            //   ff733c               | push                dword ptr [ebx + 0x3c]
            //   6aff                 | push                -1

        $sequence_8 = { 5b 5d c3 48894c2408 89542410 }
            // n = 5, score = 100
            // x86-64: epilogue of one function immediately followed by the
            // entry of the next, which spills its first two arguments
            // (rcx, edx) to their home slots above the return address.
            //   5b                   | pop                 rbx
            //   5d                   | pop                 rbp
            //   c3                   | ret                 
            //   48894c2408           | mov                 qword ptr [rsp + 8], rcx
            //   89542410             | mov                 dword ptr [rsp + 0x10], edx

        $sequence_9 = { 0f84a6000000 894dec 03cf 894df0 8b487c }
            // n = 5, score = 100
            // 32-bit x86: pointer arithmetic (ecx += edi) with both values
            // kept in locals, then a field read at offset 0x7c from eax.
            //   0f84a6000000         | je                  rel32 +0xa6
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   03cf                 | add                 ecx, edi
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b487c               | mov                 ecx, dword ptr [eax + 0x7c]

        $sequence_10 = { 488b8580000000 48894510 48c7451800000000 488d4de0 c70130000000 4883610800 }
            // n = 6, score = 100
            // x86-64: copies a frame value, zeroes a qword, then initialises
            // a local structure by setting its first dword to 0x30 and
            // zeroing the qword at +8. NOTE(review): 0x30 is the size of a
            // 64-bit OBJECT_ATTRIBUTES and the field at +8 would be
            // RootDirectory, so this may be InitializeObjectAttributes()
            // ahead of an Nt* open call -- unconfirmed from these bytes alone.
            //   488b8580000000       | mov                 rax, qword ptr [rbp + 0x80]
            //   48894510             | mov                 qword ptr [rbp + 0x10], rax
            //   48c7451800000000     | mov                 qword ptr [rbp + 0x18], 0
            //   488d4de0             | lea                 rcx, [rbp - 0x20]
            //   c70130000000         | mov                 dword ptr [rcx], 0x30
            //   4883610800           | and                 qword ptr [rcx + 8], 0

        $sequence_11 = { 8345e802 4b 85db 75af eb05 e9???????? }
            // n = 6, score = 100
            // 32-bit x86: loop tail that advances a counter by 2 (e.g. a
            // wide-char or 16-bit stride), decrements ebx and loops back
            // (jne -0x51) while it is non-zero.
            //   8345e802             | add                 dword ptr [ebp - 0x18], 2
            //   4b                   | dec                 ebx
            //   85db                 | test                ebx, ebx
            //   75af                 | jne                 rel8 -0x51
            //   eb05                 | jmp                 rel8 +5
            //   e9????????           | jmp                 rel32

        $sequence_12 = { 83c404 ff733c e8???????? 83c404 d1e0 50 }
            // n = 6, score = 100
            // 32-bit x86: calls a one-argument function with [ebx + 0x3c],
            // doubles the result and pushes it (shares code with
            // $sequence_7).
            //   83c404               | add                 esp, 4
            //   ff733c               | push                dword ptr [ebx + 0x3c]
            //   e8????????           | call                rel32
            //   83c404               | add                 esp, 4
            //   d1e0                 | shl                 eax, 1
            //   50                   | push                eax

        $sequence_13 = { 83c404 59 50 51 6aff e8???????? }
            // n = 6, score = 100
            // 32-bit x86: reorders a saved value from the stack into ecx,
            // then calls with (eax, ecx, -1) as arguments.
            //   83c404               | add                 esp, 4
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   6aff                 | push                -1
            //   e8????????           | call                rel32

        $sequence_14 = { 48c7c1ffffffff 488d15a1190000 e8???????? e8???????? }
            // n = 4, score = 100
            // x86-64: rcx = -1, rdx = RIP-relative address, then two calls.
            // NOTE(review): -1 is also the GetCurrentProcess() pseudo-handle
            // on Windows; whether that is the intent here cannot be told
            // from these bytes.
            //   48c7c1ffffffff       | mov                 rcx, -1
            //   488d15a1190000       | lea                 rdx, [rip + 0x19a1]
            //   e8????????           | call                rel32
            //   e8????????           | call                rel32

        $sequence_15 = { e8???????? 85c0 0f84fc000000 488d8df0000000 e8???????? }
            // n = 5, score = 100
            // x86-64: tests a call's return value, skips a large block on
            // zero, otherwise passes the address of a frame buffer
            // (rbp + 0xf0) to the next call.
            //   e8????????           | call                rel32
            //   85c0                 | test                eax, eax
            //   0f84fc000000         | je                  rel32 +0xfc
            //   488d8df0000000       | lea                 rcx, [rbp + 0xf0]
            //   e8????????           | call                rel32

    condition:
        // Seven of the sixteen code sequences must be present and the
        // scanned object must be under 0x8400 bytes; see REVIEW NOTES above
        // for why this effectively demands a near-complete match per
        // architecture and excludes packed files and large memory dumps.
        7 of them and filesize < 33792
}