No description has been provided for this family yet.
rule win_bundestrojaner_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.bundestrojaner."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): each $sequence_N below is a short byte pattern of 32-bit x86
    // code (register names such as esp/esi/ebp in the disassembly) lifted from a
    // single sample. Since the strings were selected from memory dumps and
    // unpacked files (see DISCLAIMER), hits are expected mainly on unpacked
    // images or process memory; a packed on-disk copy may not match.
    // Sequences that embed an absolute address are flagged individually, as
    // those four bytes change whenever the image is rebased or rebuilt.
    strings:
        $sequence_0 = { dfe0 f6c441 7505 d94668 eb33 d94664 d9466c }
            // n = 7, score = 100
            // FPU status-word compare followed by a conditional branch; no
            // absolute operands, so relocation-tolerant.
            //   dfe0                 | fnstsw              ax
            //   f6c441               | test                ah, 0x41
            //   7505                 | jne                 7
            //   d94668               | fld                 dword ptr [esi + 0x68]
            //   eb33                 | jmp                 0x35
            //   d94664               | fld                 dword ptr [esi + 0x64]
            //   d9466c               | fld                 dword ptr [esi + 0x6c]

        $sequence_1 = { 8b4618 40 894618 5e c3 8b4618 c7461402000000 }
            // n = 7, score = 100
            // Increments the dword at [esi + 0x18] and returns; the bytes after
            // the ret are the start of an adjacent routine that stores 2 at
            // [esi + 0x14] (the pattern spans a function boundary).
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   40                   | inc                 eax
            //   894618               | mov                 dword ptr [esi + 0x18], eax
            //   5e                   | pop                 esi
            //   c3                   | ret
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]
            //   c7461402000000       | mov                 dword ptr [esi + 0x14], 2

        $sequence_2 = { 895068 8bd6 8bde 89706c c1ea18 c1eb10 8b1495c8f40310 }
            // n = 7, score = 100
            // NOTE(review): the last instruction embeds the absolute address
            // 0x1003f4c8 (bytes c8f40310, little-endian) of a lookup table, so
            // this sequence is tied to the sample's image base.
            //   895068               | mov                 dword ptr [eax + 0x68], edx
            //   8bd6                 | mov                 edx, esi
            //   8bde                 | mov                 ebx, esi
            //   89706c               | mov                 dword ptr [eax + 0x6c], esi
            //   c1ea18               | shr                 edx, 0x18
            //   c1eb10               | shr                 ebx, 0x10
            //   8b1495c8f40310       | mov                 edx, dword ptr [edx*4 + 0x1003f4c8]

        $sequence_3 = { f2ae f7d1 2bf9 8d6c2418 8bc1 8bf7 c1e902 }
            // n = 7, score = 100
            // repne scasb / not ecx / sub edi, ecx / shr ecx, 2 looks like an
            // inlined string-length-then-copy idiom (compiler-generated, so it
            // may also appear in unrelated binaries; relies on 7-of-10 for
            // precision).
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   f7d1                 | not                 ecx
            //   2bf9                 | sub                 edi, ecx
            //   8d6c2418             | lea                 ebp, [esp + 0x18]
            //   8bc1                 | mov                 eax, ecx
            //   8bf7                 | mov                 esi, edi
            //   c1e902               | shr                 ecx, 2

        $sequence_4 = { 6a00 50 a1???????? 8d4c2424 6a04 51 52 }
            // n = 7, score = 100
            // The ???????? wildcard masks the 4-byte operand of the a1 opcode
            // (presumably a mov eax, [abs32]), which keeps this sequence
            // relocation-tolerant; the generator leaves its mnemonic blank.
            //   6a00                 | push                0
            //   50                   | push                eax
            //   a1????????           |
            //   8d4c2424             | lea                 ecx, [esp + 0x24]
            //   6a04                 | push                4
            //   51                   | push                ecx
            //   52                   | push                edx

        $sequence_5 = { 894c2418 03ea 8bcd 2bc8 894c2420 8bcd }
            // n = 6, score = 100
            // Pure register/stack-slot arithmetic; no absolute operands.
            //   894c2418             | mov                 dword ptr [esp + 0x18], ecx
            //   03ea                 | add                 ebp, edx
            //   8bcd                 | mov                 ecx, ebp
            //   2bc8                 | sub                 ecx, eax
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx
            //   8bcd                 | mov                 ecx, ebp

        $sequence_6 = { 83c9ff 33c0 f2ae 8b5c2418 8b6c241c f7d1 49 }
            // n = 7, score = 100
            // or ecx, -1 / xor eax, eax / repne scasb / not ecx / dec ecx is
            // the usual inlined strlen prologue; same generality caveat as
            // $sequence_3.
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   8b5c2418             | mov                 ebx, dword ptr [esp + 0x18]
            //   8b6c241c             | mov                 ebp, dword ptr [esp + 0x1c]
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx

        $sequence_7 = { 8945f4 8b4514 c745f0e8d60210 40 894df8 8945fc 64a100000000 }
            // n = 7, score = 100
            // NOTE(review): stores the absolute address 0x1002d6e8 (bytes
            // e8d60210) into a stack slot and then reads fs:[0], consistent
            // with a 32-bit SEH frame prologue; the embedded address ties it
            // to the sample's image base.
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   c745f0e8d60210       | mov                 dword ptr [ebp - 0x10], 0x1002d6e8
            //   40                   | inc                 eax
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   64a100000000         | mov                 eax, dword ptr fs:[0]

        $sequence_8 = { 894c2420 7581 8b54244c 8b442434 3b442438 7f6a 8bce }
            // n = 7, score = 100
            // Loop back-edge (the 7581 jne is a backward rel8) followed by a
            // compare of two stack slots; no absolute operands.
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx
            //   7581                 | jne                 0xffffff83
            //   8b54244c             | mov                 edx, dword ptr [esp + 0x4c]
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   3b442438             | cmp                 eax, dword ptr [esp + 0x38]
            //   7f6a                 | jg                  0x6c
            //   8bce                 | mov                 ecx, esi

        $sequence_9 = { d94630 dc0d???????? ded9 dfe0 f6c441 7422 }
            // n = 6, score = 100
            // Second FPU compare fragment (cf. $sequence_0); the wildcard masks
            // the 4-byte memory operand of the dc0d opcode, so the sequence
            // does not depend on the image base.
            //   d94630               | fld                 dword ptr [esi + 0x30]
            //   dc0d????????         |
            //   ded9                 | fcompp
            //   dfe0                 | fnstsw              ax
            //   f6c441               | test                ah, 0x41
            //   7422                 | je                  0x24

    // Any 7 of the 10 sequences must be present, and the scanned object must be
    // smaller than 729088 bytes (712 KiB). NOTE(review): filesize is the size
    // of the object being scanned; confirm how your scanner defines it for
    // memory-region scans before relying on the bound there.
    condition:
        7 of them and filesize < 729088
}