There is no description at this point.
// Autogenerated YARA-Signator rule for the win.cohhoc family (Malpedia).
// Every $sequence_N is a run of x86 opcode bytes lifted from the disassembly;
// `?` nibbles mask bytes that vary between builds (the masked operands of
// ff15 / e8 / c705 / 891d carry no mnemonic in the comments below — presumably
// absolute addresses and call targets, as the signator_config suggests).
// Practitioner notes:
//   - The sequences come from memory dumps and unpacked files, so a packed
//     on-disk sample is unlikely to trigger this rule; scan unpacked samples
//     or dumped memory.
//   - `filesize < 253952` bounds the scanned buffer; when scanning a running
//     process rather than a file, check how your scanner populates
//     `filesize`, since it may not be meaningful there.
//   - $sequence_4 is a strict sub-pattern of $sequence_0, so any
//     $sequence_0 hit also counts $sequence_4 toward `7 of them`.
rule win_cohhoc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cohhoc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // n = number of instructions in the sequence, score = signator ranking
        $sequence_0 = { 50 6804010000 ff15???????? 8b8c240c010000 8d542404 51 6a00 }
            // n = 7, score = 300
            //   50                   | push eax
            //   6804010000           | push 0x104
            //   ff15????????         |
            //   8b8c240c010000       | mov ecx, dword ptr [esp + 0x10c]
            //   8d542404             | lea edx, [esp + 4]
            //   51                   | push ecx
            //   6a00                 | push 0

        $sequence_1 = { 83e103 f3a4 8b4c241c 03c8 894c241c 8b4c2420 e8???????? }
            // n = 7, score = 300
            //   83e103               | and ecx, 3
            //   f3a4                 | rep movsb byte ptr es:[edi], byte ptr [esi]
            //   8b4c241c             | mov ecx, dword ptr [esp + 0x1c]
            //   03c8                 | add ecx, eax
            //   894c241c             | mov dword ptr [esp + 0x1c], ecx
            //   8b4c2420             | mov ecx, dword ptr [esp + 0x20]
            //   e8????????           |

        $sequence_2 = { c705????????01000000 c705????????84000000 891d???????? 891d???????? }
            // n = 4, score = 300
            //   c705????????01000000 |
            //   c705????????84000000 |
            //   891d????????         |
            //   891d????????         |

        $sequence_3 = { f3ab 8b436c 33f6 3bc6 c744241401000000 }
            // n = 5, score = 300
            //   f3ab                 | rep stosd dword ptr es:[edi], eax
            //   8b436c               | mov eax, dword ptr [ebx + 0x6c]
            //   33f6                 | xor esi, esi
            //   3bc6                 | cmp eax, esi
            //   c744241401000000     | mov dword ptr [esp + 0x14], 1

        // Sub-pattern of $sequence_0 (see header note).
        $sequence_4 = { 6804010000 ff15???????? 8b8c240c010000 8d542404 }
            // n = 4, score = 300
            //   6804010000           | push 0x104
            //   ff15????????         |
            //   8b8c240c010000       | mov ecx, dword ptr [esp + 0x10c]
            //   8d542404             | lea edx, [esp + 4]

        $sequence_5 = { 75dc 33c0 eb05 1bc0 83d8ff 85c0 0f84ba000000 }
            // n = 7, score = 300
            //   75dc                 | jne 0xffffffde
            //   33c0                 | xor eax, eax
            //   eb05                 | jmp 7
            //   1bc0                 | sbb eax, eax
            //   83d8ff               | sbb eax, -1
            //   85c0                 | test eax, eax
            //   0f84ba000000         | je 0xc0

        $sequence_6 = { 8dbc2468010000 33c0 8d542420 f2ae f7d1 2bf9 }
            // n = 6, score = 300
            //   8dbc2468010000       | lea edi, [esp + 0x168]
            //   33c0                 | xor eax, eax
            //   8d542420             | lea edx, [esp + 0x20]
            //   f2ae                 | repne scasb al, byte ptr es:[edi]
            //   f7d1                 | not ecx
            //   2bf9                 | sub edi, ecx

        $sequence_7 = { 8b442408 8bc8 80e107 f6d9 1bc9 }
            // n = 5, score = 300
            //   8b442408             | mov eax, dword ptr [esp + 8]
            //   8bc8                 | mov ecx, eax
            //   80e107               | and cl, 7
            //   f6d9                 | neg cl
            //   1bc9                 | sbb ecx, ecx

        $sequence_8 = { 57 6a0f ff15???????? 8b4c2458 8bf8 8d442414 50 }
            // n = 7, score = 300
            //   57                   | push edi
            //   6a0f                 | push 0xf
            //   ff15????????         |
            //   8b4c2458             | mov ecx, dword ptr [esp + 0x58]
            //   8bf8                 | mov edi, eax
            //   8d442414             | lea eax, [esp + 0x14]
            //   50                   | push eax

        $sequence_9 = { 83e203 c1f904 83e10f c1e204 8d4c0c10 }
            // n = 5, score = 300
            //   83e203               | and edx, 3
            //   c1f904               | sar ecx, 4
            //   83e10f               | and ecx, 0xf
            //   c1e204               | shl edx, 4
            //   8d4c0c10             | lea ecx, [esp + ecx + 0x10]

    condition:
        // At least 7 of the 10 sequences must be present, in a buffer under
        // 253952 bytes.
        7 of them and filesize < 253952
}