win.cinobi

Cinobi


There is no description at this point.

References
2021-08-09 — Trend Micro — Jaromír Hořejší, Joseph C. Chen
Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising
Cinobi
2020-03-11 — Trend Micro — Jaromír Hořejší, Joseph Chen
Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan: Technical Brief
Cinobi
2020-03-11 — Trend Micro — Jaromír Hořejší, Joseph Chen
Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan
Cinobi
2019-12-24 — pwncode.io blog — c0d3inj3cT
Unpacking Payload used in Bottle EK
Cinobi
Yara Rules
[TLP:WHITE] win_cinobi_auto (20260504 | Detects win.cinobi.)
rule win_cinobi_auto {
    // Autogenerated YARA-Signator rule for the Cinobi banking trojan (win.cinobi).
    // Each $sequence_N below is a byte pattern lifted from 32-bit x86 disassembly
    // (ebp/esp/esi/edi-relative operands in the annotations); "e8????????" is a
    // near call whose 4-byte relative operand is wildcarded so the pattern does
    // not depend on the call target's address.
    // The "n" / "score" annotations are emitted by the generator; "score" is not
    // explained on this page ($sequence_0 is the only pattern annotated at 200,
    // all others at 100) — treat it as an internal ranking, not a confidence value.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cinobi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c9 c3 55 8bec 51 e8???????? 58 }
            // n = 7, score = 200
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   e8????????           |                     
            //   58                   | pop                 eax

        $sequence_1 = { 88459e 8b45c0 8a403a 88459f 8b45c0 8a4003 8845a0 }
            // n = 7, score = 100
            //   88459e               | mov                 byte ptr [ebp - 0x62], al
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   8a403a               | mov                 al, byte ptr [eax + 0x3a]
            //   88459f               | mov                 byte ptr [ebp - 0x61], al
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   8a4003               | mov                 al, byte ptr [eax + 3]
            //   8845a0               | mov                 byte ptr [ebp - 0x60], al

        $sequence_2 = { ff969b000000 5f 5e 5b c9 }
            // n = 5, score = 100
            //   ff969b000000         | call                dword ptr [esi + 0x9b]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c9                   | leave               

        $sequence_3 = { 66898f881e0000 660fbe0e 66898f8a1e0000 660fbe4e14 66898f8c1e0000 }
            // n = 5, score = 100
            //   66898f881e0000       | mov                 word ptr [edi + 0x1e88], cx
            //   660fbe0e             | movsx               cx, byte ptr [esi]
            //   66898f8a1e0000       | mov                 word ptr [edi + 0x1e8a], cx
            //   660fbe4e14           | movsx               cx, byte ptr [esi + 0x14]
            //   66898f8c1e0000       | mov                 word ptr [edi + 0x1e8c], cx

        $sequence_4 = { 8845f8 8b45c0 8a4003 8845f9 }
            // n = 4, score = 100
            //   8845f8               | mov                 byte ptr [ebp - 8], al
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   8a4003               | mov                 al, byte ptr [eax + 3]
            //   8845f9               | mov                 byte ptr [ebp - 7], al

        $sequence_5 = { 0345b4 8985a8faffff 8b85a8faffff 660fbe00 }
            // n = 4, score = 100
            //   0345b4               | add                 eax, dword ptr [ebp - 0x4c]
            //   8985a8faffff         | mov                 dword ptr [ebp - 0x558], eax
            //   8b85a8faffff         | mov                 eax, dword ptr [ebp - 0x558]
            //   660fbe00             | movsx               ax, byte ptr [eax]

        $sequence_6 = { 8a4646 88442429 8a06 8844242a }
            // n = 4, score = 100
            //   8a4646               | mov                 al, byte ptr [esi + 0x46]
            //   88442429             | mov                 byte ptr [esp + 0x29], al
            //   8a06                 | mov                 al, byte ptr [esi]
            //   8844242a             | mov                 byte ptr [esp + 0x2a], al

        $sequence_7 = { 660fbe463a 66898768230000 660fbe463f 6689876a230000 660fbe4654 }
            // n = 5, score = 100
            //   660fbe463a           | movsx               ax, byte ptr [esi + 0x3a]
            //   66898768230000       | mov                 word ptr [edi + 0x2368], ax
            //   660fbe463f           | movsx               ax, byte ptr [esi + 0x3f]
            //   6689876a230000       | mov                 word ptr [edi + 0x236a], ax
            //   660fbe4654           | movsx               ax, byte ptr [esi + 0x54]

        $sequence_8 = { 8b45c0 8a4052 8845cd 8b45c0 }
            // n = 4, score = 100
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]
            //   8a4052               | mov                 al, byte ptr [eax + 0x52]
            //   8845cd               | mov                 byte ptr [ebp - 0x33], al
            //   8b45c0               | mov                 eax, dword ptr [ebp - 0x40]

        $sequence_9 = { 8bec 837d10ff 750c ff750c e8???????? 59 894510 }
            // n = 7, score = 100
            //   8bec                 | mov                 ebp, esp
            //   837d10ff             | cmp                 dword ptr [ebp + 0x10], -1
            //   750c                 | jne                 0xe
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   894510               | mov                 dword ptr [ebp + 0x10], eax

        $sequence_10 = { 8a4624 88442417 8a4634 88442418 8a4624 88442419 }
            // n = 6, score = 100
            //   8a4624               | mov                 al, byte ptr [esi + 0x24]
            //   88442417             | mov                 byte ptr [esp + 0x17], al
            //   8a4634               | mov                 al, byte ptr [esi + 0x34]
            //   88442418             | mov                 byte ptr [esp + 0x18], al
            //   8a4624               | mov                 al, byte ptr [esi + 0x24]
            //   88442419             | mov                 byte ptr [esp + 0x19], al

        $sequence_11 = { ff75f4 e8???????? ff765f 8986eb000000 ffb6ef000000 57 }
            // n = 6, score = 100
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   ff765f               | push                dword ptr [esi + 0x5f]
            //   8986eb000000         | mov                 dword ptr [esi + 0xeb], eax
            //   ffb6ef000000         | push                dword ptr [esi + 0xef]
            //   57                   | push                edi

        $sequence_12 = { 6a02 ff75ec 8b45f8 ff90cf000000 83f801 750a }
            // n = 6, score = 100
            //   6a02                 | push                2
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   ff90cf000000         | call                dword ptr [eax + 0xcf]
            //   83f801               | cmp                 eax, 1
            //   750a                 | jne                 0xc

        $sequence_13 = { ff75ec 8b45f8 ff90d3000000 6a00 ff75f0 }
            // n = 5, score = 100
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   ff90d3000000         | call                dword ptr [eax + 0xd3]
            //   6a00                 | push                0
            //   ff75f0               | push                dword ptr [ebp - 0x10]

        $sequence_14 = { 885ddd 8a584f 884dbe 8855bf 8855d8 }
            // n = 5, score = 100
            //   885ddd               | mov                 byte ptr [ebp - 0x23], bl
            //   8a584f               | mov                 bl, byte ptr [eax + 0x4f]
            //   884dbe               | mov                 byte ptr [ebp - 0x42], cl
            //   8855bf               | mov                 byte ptr [ebp - 0x41], dl
            //   8855d8               | mov                 byte ptr [ebp - 0x28], dl

    // Fires only when at least 7 of the 15 sequences above are present AND the
    // scanned object is smaller than 32768 bytes (32 KiB). The size bound is a
    // hard gate: a larger object (e.g. a full process memory dump rather than an
    // unpacked module) never matches no matter how many sequences hit, so scan
    // unpacked/dumped images of the expected size rather than whole containers.
    condition:
        7 of them and filesize < 32768
}