There is no description at this point.
rule win_chainshot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.chainshot." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { ffc9 7438 ffc9 742b ffc9 741e } // n = 6, score = 300 // ffc9 | mov dword ptr [esp + 0x28], esi // 7438 | jmp 0x49b // ffc9 | cmp dword ptr [ebp + 0xc], edi // 742b | jne 0x447 // ffc9 | test eax, eax // 741e | je 0x43b $sequence_1 = { 84c0 7507 b901050080 ebbd b901020000 e8???????? e8???????? } // n = 7, score = 300 // 84c0 | add edi, 0xc // 7507 | add edi, esi // b901050080 | jmp 0x11cc // ebbd | mov esi, dword ptr [edi] // b901020000 | lea eax, [ebp - 0x208] // e8???????? | // e8???????? | $sequence_2 = { 7408 ffd1 8905???????? bf7e000080 } // n = 4, score = 300 // 7408 | test al, al // ffd1 | mov word ptr [esp + 0x28], ax // 8905???????? | // bf7e000080 | mov eax, 0x100 $sequence_3 = { b8ffff0000 663bc5 7513 bb17000080 eb33 } // n = 5, score = 300 // b8ffff0000 | lea ecx, [edi + 0x460] // 663bc5 | dec eax // 7513 | cmp dword ptr [ecx], 0 // bb17000080 | je 0xa47 // eb33 | lea ecx, [edi + 0x1b88] $sequence_4 = { 7408 ffd0 8905???????? b849000080 e9???????? } // n = 5, score = 300 // 7408 | mov ebx, 0x22 // ffd0 | dec esp // 8905???????? | // b849000080 | mov word ptr [ecx], bx // e9???????? | $sequence_5 = { b849890000 668901 c7410348894c24 c6410708 c7410848895424 } // n = 5, score = 300 // b849890000 | dec eax // 668901 | test esi, esi // c7410348894c24 | lea eax, [ebx + 0x4a] // c6410708 | mov word ptr [ebp + 0x200], ax // c7410848895424 | dec esp $sequence_6 = { e9???????? 83e827 0f844e0e0000 ffc8 0f84d8110000 } // n = 5, score = 300 // e9???????? | // 83e827 | dec eax // 0f844e0e0000 | lea ecx, [0x2557d] // ffc8 | dec eax // 0f84d8110000 | lea ecx, [0x255ad] $sequence_7 = { 33d2 84c0 b900050080 7405 b908020000 } // n = 5, score = 300 // 33d2 | inc ecx // 84c0 | lea ecx, [eax - 0x10] // b900050080 | and edi, eax // 7405 | ja 0x6ae // b908020000 | shr eax, 1 $sequence_8 = { 33d2 b902060080 e8???????? 32db } // n = 4, score = 300 // 33d2 | xor eax, esp // b902060080 | mov dword ptr [esp + 0x838], eax // e8???????? | // 32db | push esi $sequence_9 = { 7408 ffd0 8905???????? bb65000080 } // n = 4, score = 300 // 7408 | js 0x11c1 // ffd0 | mov word ptr [ecx], bp // 8905???????? | // bb65000080 | inc ebp condition: 7 of them and filesize < 802816 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY