Actor(s): Lazarus Group
Potential Lazarus sample.
rule win_cur1_downloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cur1_downloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cur1_downloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the per-opcode annotations emitted by the generator did not
    // line up with the bytes they were attached to (e.g. "488bc1" was labelled
    // "dec ebp", whereas in 64-bit mode 48 8b c1 is REX.W mov rax, rcx). They
    // have been replaced below with a reviewer decode of each byte sequence,
    // assuming x86-64 — treat the hex bytes as authoritative, the comments as
    // aids only.
    //
    // NOTE(review): half of the sequences ($sequence_1/3/5/7/9) are
    // "mov byte ptr [rsp+disp32], imm8" runs whose immediates spell ASCII
    // fragments, i.e. string material assembled on the stack one byte at a
    // time. The rsp displacements in those patterns are specific to one
    // compiled layout, so a rebuild with a different stack frame would likely
    // miss them; the "7 of them" condition gives some tolerance for that.

    strings:

        // mov rax, rcx ; mov [rsp+0x98], rax ; mov rax, [rsp+0x60] ;
        // add rax, 8 ; mov [rsp+0x58], rax   (reviewer decode)
        $sequence_0 = { 488bc1 4889842498000000 488b442460 4883c008 4889442458 } // n = 5, score = 100

        // mov byte ptr [rsp+0x2b4..0x2b8], 'a' 'd' 'E' 'x' 0x00
        // -> stack-built string ending in "adEx" (reviewer decode)
        $sequence_1 = { c68424b402000061 c68424b502000064 c68424b602000045 c68424b702000078 c68424b802000000 } // n = 5, score = 100

        // call [rip+?] ; mov [rip+?], rax ; lea rdx, [rsp+0x3b0] ; mov rcx, [rsp+0x20] ;
        // call [rip+?] ; mov [rip+?], rax ; lea rdx, [rsp+0x368]
        // -> two indirect (import-table style) calls whose return values are
        //    stored to RIP-relative globals (reviewer decode)
        $sequence_2 = { ff15???????? 488905???????? 488d9424b0030000 488b4c2420 ff15???????? 488905???????? 488d942468030000 } // n = 7, score = 100

        // mov byte ptr [rsp+0x138..0x13c], 'e' 'y' 'E' 'x' 'W'
        // -> stack-built string fragment "eyExW" (reviewer decode)
        $sequence_3 = { c684243801000065 c684243901000079 c684243a01000045 c684243b01000078 c684243c01000057 } // n = 5, score = 100

        // mov rdx, [rsp+0xd0] ; lea rcx, [rsp+0x98] ; call ? ; lea rcx, [rsp+0x1d0] ;
        // call ? ; nop ; lea rcx, [rsp+0x138]   (reviewer decode)
        $sequence_4 = { 488b9424d0000000 488d8c2498000000 e8???????? 488d8c24d0010000 e8???????? 90 488d8c2438010000 } // n = 7, score = 100

        // mov byte ptr [rsp+0x21d..0x222], 'n' 'e' 't' 'R' 'e' 'a'
        // -> stack-built string fragment "netRea" (reviewer decode)
        $sequence_5 = { c684241d0200006e c684241e02000065 c684241f02000074 c684242002000052 c684242102000065 c684242202000061 } // n = 6, score = 100

        // mov ecx, [rsp+0x168] ; call ? ; mov [rsp+0x30], rax ; mov dword [rsp+0x20], 0x40 ;
        // lea rax, [rsp+0x20] ; mov [rsp+0x28], rax ; mov r8, [rsp+0x28]   (reviewer decode)
        $sequence_6 = { 8b8c2468010000 e8???????? 4889442430 c744242040000000 488d442420 4889442428 4c8b442428 } // n = 7, score = 100

        // mov byte ptr [rsp+0x255..0x258], 's' 't' 'A' 0x00 ; mov byte ptr [rsp+0x320], 'I'
        // -> end of one stack-built string ("stA") and start of another (reviewer decode)
        $sequence_7 = { c684245502000073 c684245602000074 c684245702000041 c684245802000000 c684242003000049 } // n = 5, score = 100

        // mov r8d, 0x104 ; lea rdx, [rsp+0x300] ; xor ecx, ecx ; call [rip+?] ;
        // mov dword [rsp+0x58], 1 ; call ? ; cmp dword [rip+?], 1
        // 0x104 = 260 is the size of a MAX_PATH buffer — presumably a path query
        // into the rsp+0x300 buffer; confirm against the sample (reviewer decode)
        $sequence_8 = { 41b804010000 488d942400030000 33c9 ff15???????? c744245801000000 e8???????? 833d????????01 } // n = 7, score = 100

        // mov byte ptr [rsp+0x1a1..0x1a7], 'r' 'e' 'a' 't' 'e' 'P' 'r'
        // -> stack-built string fragment "reatePr" (reviewer decode)
        $sequence_9 = { c68424a101000072 c68424a201000065 c68424a301000061 c68424a401000074 c68424a501000065 c68424a601000050 c68424a701000072 } // n = 7, score = 100

    condition:
        7 of them and filesize < 402432
}