There is no description at this point.
rule win_chewbacca_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.chewbacca." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? eb55 8b442478 89442414 895c2410 c744240c9c976600 c7442408???????? } // n = 7, score = 100 // e8???????? | // eb55 | jmp 0x57 // 8b442478 | mov eax, dword ptr [esp + 0x78] // 89442414 | mov dword ptr [esp + 0x14], eax // 895c2410 | mov dword ptr [esp + 0x10], ebx // c744240c9c976600 | mov dword ptr [esp + 0xc], 0x66979c // c7442408???????? | $sequence_1 = { ff33 74fd 0389cfc1ef10 81e7ff000000 3374fd02 89d7 c1ef18 } // n = 7, score = 100 // ff33 | push dword ptr [ebx] // 74fd | je 0xffffffff // 0389cfc1ef10 | add ecx, dword ptr [ecx + 0x10efc1cf] // 81e7ff000000 | and edi, 0xff // 3374fd02 | xor esi, dword ptr [ebp + edi*8 + 2] // 89d7 | mov edi, edx // c1ef18 | shr edi, 0x18 $sequence_2 = { e8???????? c744241426a36700 c744241048cf6700 c744240c20060000 89442408 c7442404???????? a1???????? } // n = 7, score = 100 // e8???????? | // c744241426a36700 | mov dword ptr [esp + 0x14], 0x67a326 // c744241048cf6700 | mov dword ptr [esp + 0x10], 0x67cf48 // c744240c20060000 | mov dword ptr [esp + 0xc], 0x620 // 89442408 | mov dword ptr [esp + 8], eax // c7442404???????? | // a1???????? | $sequence_3 = { a3???????? 8b442424 89442408 8b442420 89442404 a1???????? 890424 } // n = 7, score = 100 // a3???????? | // 8b442424 | mov eax, dword ptr [esp + 0x24] // 89442408 | mov dword ptr [esp + 8], eax // 8b442420 | mov eax, dword ptr [esp + 0x20] // 89442404 | mov dword ptr [esp + 4], eax // a1???????? | // 890424 | mov dword ptr [esp], eax $sequence_4 = { c7042424040000 e8???????? 89c2 85c0 0f84a0000000 89c7 be24040000 } // n = 7, score = 100 // c7042424040000 | mov dword ptr [esp], 0x424 // e8???????? | // 89c2 | mov edx, eax // 85c0 | test eax, eax // 0f84a0000000 | je 0xa6 // 89c7 | mov edi, eax // be24040000 | mov esi, 0x424 $sequence_5 = { e8???????? c7042401000000 e8???????? e8???????? 89c3 e8???????? 895c2410 } // n = 7, score = 100 // e8???????? | // c7042401000000 | mov dword ptr [esp], 1 // e8???????? | // e8???????? | // 89c3 | mov ebx, eax // e8???????? | // 895c2410 | mov dword ptr [esp + 0x10], ebx $sequence_6 = { eb0c be00000000 eb05 be00000000 89f0 83c410 5b } // n = 7, score = 100 // eb0c | jmp 0xe // be00000000 | mov esi, 0 // eb05 | jmp 7 // be00000000 | mov esi, 0 // 89f0 | mov eax, esi // 83c410 | add esp, 0x10 // 5b | pop ebx $sequence_7 = { f2ae f7d1 8b442440 8d4408ff 89442440 e9???????? 89e8 } // n = 7, score = 100 // f2ae | repne scasb al, byte ptr es:[edi] // f7d1 | not ecx // 8b442440 | mov eax, dword ptr [esp + 0x40] // 8d4408ff | lea eax, [eax + ecx - 1] // 89442440 | mov dword ptr [esp + 0x40], eax // e9???????? | // 89e8 | mov eax, ebp $sequence_8 = { 8945fc 89d3 89ce 8a4508 84c0 7409 8b45fc } // n = 7, score = 100 // 8945fc | mov dword ptr [ebp - 4], eax // 89d3 | mov ebx, edx // 89ce | mov esi, ecx // 8a4508 | mov al, byte ptr [ebp + 8] // 84c0 | test al, al // 7409 | je 0xb // 8b45fc | mov eax, dword ptr [ebp - 4] $sequence_9 = { 8b542454 8b442450 e8???????? 85c0 740b 83c43c 5b } // n = 7, score = 100 // 8b542454 | mov edx, dword ptr [esp + 0x54] // 8b442450 | mov eax, dword ptr [esp + 0x50] // e8???????? | // 85c0 | test eax, eax // 740b | je 0xd // 83c43c | add esp, 0x3c // 5b | pop ebx condition: 7 of them and filesize < 9764864 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY