win.chiser_client

ChiserClient

Actor(s): Pirate Panda


There is no description at this point.

References
2021-12-14 — Trend Micro — Nick Dai, Ted Lee, Vickie Su
Collecting In the Dark: Tropic Trooper Targets Transportation and Government
Tagged: ChiserClient, Ghost RAT, Lilith, Quasar RAT, xPack, APT23
Yara Rules
[TLP:WHITE] win_chiser_client_auto (20260504 | Detects win.chiser_client.)
rule win_chiser_client_auto {

    /* Purpose: auto-generated code-sequence signature for the ChiserClient
     * family (Malpedia id win.chiser_client; the page attributes the family
     * to the Pirate Panda actor).  This is a raw byte-pattern rule: it fires
     * on the hex sequences in the strings section below, not on the
     * mnemonics written next to them.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.chiser_client."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chiser_client"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| mnemonic" column in the per-sequence comments does
     * not appear to correspond to the bytes on the same line (e.g. 48 83 ec 20
     * decodes as `sub rsp, 0x20` in 64-bit mode, whereas the comment says
     * `mov eax, dword ptr [esi]`).  Treat that column as informational only;
     * the hex bytes are the sole matching criterion.
     * The 0x48 / 0x4c / 0x4d lead bytes are REX prefixes, so these patterns
     * look like they were taken from a 64-bit build; a 32-bit build would
     * need its own sequences — confirm against the reference sample before
     * relying on this rule for x86 variants.
     * `e8????????` / `e9????????` wildcard the rel32 operand of call / jmp,
     * so differing call targets between builds do not break a match.
     */

    strings:
        $sequence_0 = { e8???????? 488b542458 4885db b923810000 480f45d1 4889542458 4d85ed }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b542458           | lea                 eax, [0x3c9d6]
            //   4885db               | mov                 dword ptr [ebx + 0x48], 0x720054
            //   b923810000           | lea                 edx, [ebp + 0x50]
            //   480f45d1             | mov                 dword ptr [ebx + 0x4c], 0x69
            //   4889542458           | mov                 dword ptr [ebx + 0x48], 0x720054
            //   4d85ed               | lea                 edx, [ebp + 0x50]

        $sequence_1 = { 4d8bf0 4c8bfa 488bf9 488b5908 48895c2448 488bcb e8???????? }
            // n = 7, score = 100
            //   4d8bf0               | inc                 ebp
            //   4c8bfa               | xor                 edi, edi
            //   488bf9               | inc                 ecx
            //   488b5908             | mov                 ebx, edi
            //   48895c2448           | dec                 esp
            //   488bcb               | lea                 ecx, [0xffff3212]
            //   e8????????           |                     

        $sequence_2 = { 4c8d05e4ca0300 c7431828005700 ba50000000 c7431c69000000 488bcb e8???????? 4c8d05c6ca0300 }
            // n = 7, score = 100
            //   4c8d05e4ca0300       | lea                 esi, [eax + eax]
            //   c7431828005700       | dec                 eax
            //   ba50000000           | arpl                di, ax
            //   c7431c69000000       | dec                 ecx
            //   488bcb               | lea                 edi, [esi + eax*2]
            //   e8????????           |                     
            //   4c8d05c6ca0300       | dec                 eax

        $sequence_3 = { 4883ec20 488bd9 488bc2 488d0d1dc20200 48890b 488d5308 33c9 }
            // n = 7, score = 100
            //   4883ec20             | mov                 eax, dword ptr [esi]
            //   488bd9               | mov                 ecx, 0x20
            //   488bc2               | inc                 ecx
            //   488d0d1dc20200       | mov                 edi, 0x6e
            //   48890b               | inc                 sp
            //   488d5308             | mov                 dword ptr [eax], edi
            //   33c9                 | dec                 ecx

        $sequence_4 = { 488bcf e8???????? 4863c3 66833c465c 740e 4863c5 }
            // n = 6, score = 100
            //   488bcf               | dec                 eax
            //   e8????????           |                     
            //   4863c3               | test                eax, eax
            //   66833c465c           | dec                 eax
            //   740e                 | mov                 ecx, eax
            //   4863c5               | dec                 eax

        $sequence_5 = { 3d05005000 7562 807c243101 7552 488d542470 e8???????? 85c0 }
            // n = 7, score = 100
            //   3d05005000           | nop                 dword ptr [eax + eax]
            //   7562                 | movzx               eax, word ptr [esp + 0x7e]
            //   807c243101           | movzx               ecx, word ptr [esp + 0x7c]
            //   7552                 | jne                 0xa6
            //   488d542470           | je                  0x16a
            //   e8????????           |                     
            //   85c0                 | nop                 dword ptr [eax + eax]

        $sequence_6 = { 7504 32c0 eb1b 488d156a0e0400 8bc8 e8???????? 85c0 }
            // n = 7, score = 100
            //   7504                 | mov                 word ptr [ebp - 0x49], ax
            //   32c0                 | dec                 eax
            //   eb1b                 | lea                 edx, [ebp - 0x49]
            //   488d156a0e0400       | dec                 eax
            //   8bc8                 | lea                 ecx, [ebp - 0x29]
            //   e8????????           |                     
            //   85c0                 | inc                 sp

        $sequence_7 = { 488d442460 48894c2450 4c8d4c2458 4889442420 e8???????? 85c0 }
            // n = 6, score = 100
            //   488d442460           | dec                 eax
            //   48894c2450           | mov                 dword ptr [esp + 0x10058], edi
            //   4c8d4c2458           | dec                 esp
            //   4889442420           | mov                 dword ptr [esp + 0x10050], ebp
            //   e8????????           |                     
            //   85c0                 | dec                 ecx

        $sequence_8 = { 488bc8 e8???????? 4c634e08 488d146d00000000 4c8b06 4d03c9 488bc8 }
            // n = 7, score = 100
            //   488bc8               | mov                 esp, ecx
            //   e8????????           |                     
            //   4c634e08             | cmp                 word ptr [edx], 0x22
            //   488d146d00000000     | dec                 esp
            //   4c8b06               | mov                 esi, edx
            //   4d03c9               | dec                 ecx
            //   488bc8               | arpl                ax, bp

        $sequence_9 = { e8???????? e9???????? 6683f833 0f858d000000 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   6683f833             | mov                 dword ptr [esp + 0x20], eax
            //   0f858d000000         | mov                 dword ptr [eax], 0x400004

    /* Requiring 7 of the 10 sequences tolerates a few fragments being
     * absent or altered while still demanding most of the code be present.
     * 714752 bytes = 698 KiB: a sample larger than that never matches even
     * if every sequence is present (e.g. a padded or bundled file), and how
     * `filesize` evaluates for process-memory or dump scans should be
     * confirmed for the scanner in use.  Per the DISCLAIMER above, the
     * sequences come from single documented samples, so expect misses on
     * other builds rather than treating a non-match as clean.
     */
    condition:
        7 of them and filesize < 714752
}