win.cutwail

Cutwail

Actor(s): NARWHAL SPIDER


There is no description at this point.

References
2022-02-08 | DARKNET DIARIES | DARKNET DIARIES
EP 110: Spam Botnets
Tags: Cutwail Rustock

2021-03-11 | IBM | Dave McMillen, Limor Kessem
Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts
Tags: Cutwail Dridex

2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
Tags: RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-01-06 | Mimecast | Matthew Gardiner
How to Slam a Door on the Cutwail Botnet: Enforce DMARC
Tags: Cutwail

2020-09-07 | Github (pan-unit42) | Brad Duncan
Collection of recent Dridex IOCs
Tags: Cutwail Dridex

2020-07-17 | CERT-FR | CERT-FR
The Malware Dridex: Origins and Uses
Tags: Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus

2020-03-15 | The Shadowserver Foundation | Shadowserver Foundation
Has The Sun Set On The Necurs Botnet?
Tags: Andromeda Cutwail Kelihos Necurs Pushdo

2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
Tags: MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-01-17 | Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
Battle Against Ursnif Malspam Campaign targeting Japan
Tags: Cutwail ISFB TrickBot UrlZone

2020-01-01 | Secureworks | SecureWorks
GOLD ESSEX
Tags: Cutwail Pony Pushdo NARWHAL SPIDER

2019-09-09 | McAfee | Chintan Shah, Marc Rivero López, Thomas Roccia
Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Tags: Cutwail Dridex Dyre Kovter Locky Phorpiex Simda

2010-01-01 | Mandiant | Ero Carrera, Peter Silberman
State of Malware: Family Ties
Tags: Bredolab Conficker Cutwail KoobFace Oderoor Poison Ivy Rustock Sinowal Szribi Zeus
Yara Rules
[TLP:WHITE] win_cutwail_auto (20260504 | Detects win.cutwail.)
rule win_cutwail_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cutwail."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a01 6a19 8b85e8fdffff 8b0c8500f62004 51 e8???????? }
            // n = 6, score = 100
            //   6a01                 | push                1
            //   6a19                 | push                0x19
            //   8b85e8fdffff         | mov                 eax, dword ptr [ebp - 0x218]
            //   8b0c8500f62004       | mov                 ecx, dword ptr [eax*4 + 0x420f600]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_1 = { 7d04 32c0 eb7d c745fc00000000 837d1000 }
            // n = 5, score = 100
            //   7d04                 | jge                 6
            //   32c0                 | xor                 al, al
            //   eb7d                 | jmp                 0x7f
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0

        $sequence_2 = { 5e 5b c20800 837c24140c 752f }
            // n = 5, score = 100
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c20800               | ret                 8
            //   837c24140c           | cmp                 dword ptr [esp + 0x14], 0xc
            //   752f                 | jne                 0x31

        $sequence_3 = { 6a38 8d4dae 8d7c031c e8???????? 83c004 }
            // n = 5, score = 100
            //   6a38                 | push                0x38
            //   8d4dae               | lea                 ecx, [ebp - 0x52]
            //   8d7c031c             | lea                 edi, [ebx + eax + 0x1c]
            //   e8????????           |                     
            //   83c004               | add                 eax, 4

        $sequence_4 = { 894500 8bc2 c1e808 23c6 }
            // n = 4, score = 100
            //   894500               | mov                 dword ptr [ebp], eax
            //   8bc2                 | mov                 eax, edx
            //   c1e808               | shr                 eax, 8
            //   23c6                 | and                 eax, esi

        $sequence_5 = { 52 e8???????? 83c408 6a0c e8???????? 83c404 }
            // n = 6, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   6a0c                 | push                0xc
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_6 = { 837d0800 745e 837d0c00 7458 c745f800000000 eb09 }
            // n = 6, score = 100
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   745e                 | je                  0x60
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   7458                 | je                  0x5a
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   eb09                 | jmp                 0xb

        $sequence_7 = { 81ec28020000 c745fc00000000 c745f803000000 c785f4fdffff00000000 eb0f 8b85f4fdffff 83c001 }
            // n = 7, score = 100
            //   81ec28020000         | sub                 esp, 0x228
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c745f803000000       | mov                 dword ptr [ebp - 8], 3
            //   c785f4fdffff00000000     | mov    dword ptr [ebp - 0x20c], 0
            //   eb0f                 | jmp                 0x11
            //   8b85f4fdffff         | mov                 eax, dword ptr [ebp - 0x20c]
            //   83c001               | add                 eax, 1

        $sequence_8 = { 83c41c 3bfb 751d 68ca000000 }
            // n = 4, score = 100
            //   83c41c               | add                 esp, 0x1c
            //   3bfb                 | cmp                 edi, ebx
            //   751d                 | jne                 0x1f
            //   68ca000000           | push                0xca

        $sequence_9 = { 8b5508 52 e8???????? 8945f8 837d1800 }
            // n = 5, score = 100
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837d1800             | cmp                 dword ptr [ebp + 0x18], 0

        $sequence_10 = { 8b08 83c41c ff75e0 6848ec6814 }
            // n = 4, score = 100
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   83c41c               | add                 esp, 0x1c
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   6848ec6814           | push                0x1468ec48

        $sequence_11 = { 33f6 897524 897538 c6455d00 e9???????? }
            // n = 5, score = 100
            //   33f6                 | xor                 esi, esi
            //   897524               | mov                 dword ptr [ebp + 0x24], esi
            //   897538               | mov                 dword ptr [ebp + 0x38], esi
            //   c6455d00             | mov                 byte ptr [ebp + 0x5d], 0
            //   e9????????           |                     

        $sequence_12 = { 8945fc 8b4dfc 833900 0f84ba000000 c745f000000000 817df096000000 0f87a6000000 }
            // n = 7, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   833900               | cmp                 dword ptr [ecx], 0
            //   0f84ba000000         | je                  0xc0
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   817df096000000       | cmp                 dword ptr [ebp - 0x10], 0x96
            //   0f87a6000000         | ja                  0xac

        $sequence_13 = { c3 57 8b7810 53 }
            // n = 4, score = 100
            //   c3                   | ret                 
            //   57                   | push                edi
            //   8b7810               | mov                 edi, dword ptr [eax + 0x10]
            //   53                   | push                ebx

        $sequence_14 = { 8b4df8 3b4d0c 7d2e 8d55f0 52 }
            // n = 5, score = 100
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   3b4d0c               | cmp                 ecx, dword ptr [ebp + 0xc]
            //   7d2e                 | jge                 0x30
            //   8d55f0               | lea                 edx, [ebp - 0x10]
            //   52                   | push                edx

        $sequence_15 = { c3 50 ffd6 ff35???????? }
            // n = 4, score = 100
            //   c3                   | ret                 
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   ff35????????         |                     

    condition:
        7 of them and filesize < 262144
}
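The rule above is only as useful as one's understanding of its condition. The Python script below is an added example, not part of Malpedia or of yara-signator, that re-implements the small subset of YARA semantics this rule relies on: hex strings in which each `??` matches exactly one arbitrary byte (this is how the rule tolerates the build-specific 4-byte displacement after `e8`/`e9` call and jmp and the absolute operand after `ff35 push [addr]`), the quantifier `7 of them`, and `filesize < 262144`. It copies the sixteen hex strings verbatim from the rule and evaluates the condition against constructed byte buffers (NOP-padded concatenations of the sequences, not Cutwail code), so you can check without yara-python how many sequences a buffer has to carry and how the size cap behaves. The function names `hex_string_to_regex`, `matched_strings`, `rule_matches` and `build_sample` are this example's own.

```python
"""Offline re-implementation of the matching logic behind win_cutwail_auto.

Added example, not Malpedia's or yara-signator's code. Only the YARA features the
rule uses are modelled: hex strings with ?? wildcards, "N of them", and
"filesize < N". All sample buffers are constructed here and are not Cutwail.
"""
import re

# The sixteen hex strings from the rule above, copied verbatim.
RULE_STRINGS = {
    "sequence_0": "6a01 6a19 8b85e8fdffff 8b0c8500f62004 51 e8????????",
    "sequence_1": "7d04 32c0 eb7d c745fc00000000 837d1000",
    "sequence_2": "5e 5b c20800 837c24140c 752f",
    "sequence_3": "6a38 8d4dae 8d7c031c e8???????? 83c004",
    "sequence_4": "894500 8bc2 c1e808 23c6",
    "sequence_5": "52 e8???????? 83c408 6a0c e8???????? 83c404",
    "sequence_6": "837d0800 745e 837d0c00 7458 c745f800000000 eb09",
    "sequence_7": "81ec28020000 c745fc00000000 c745f803000000 c785f4fdffff00000000 eb0f 8b85f4fdffff 83c001",
    "sequence_8": "83c41c 3bfb 751d 68ca000000",
    "sequence_9": "8b5508 52 e8???????? 8945f8 837d1800",
    "sequence_10": "8b08 83c41c ff75e0 6848ec6814",
    "sequence_11": "33f6 897524 897538 c6455d00 e9????????",
    "sequence_12": "8945fc 8b4dfc 833900 0f84ba000000 c745f000000000 817df096000000 0f87a6000000",
    "sequence_13": "c3 57 8b7810 53",
    "sequence_14": "8b4df8 3b4d0c 7d2e 8d55f0 52",
    "sequence_15": "c3 50 ffd6 ff35????????",
}
MIN_MATCHES = 7        # condition: "7 of them"
MAX_FILESIZE = 262144  # condition: "filesize < 262144"


def hex_string_to_regex(hex_string):
    """Translate one YARA hex string into a compiled bytes regex.

    'xx' becomes that literal byte; '??' becomes any single byte. The wildcards
    sit where the compiler emits a relative call/jmp displacement or an absolute
    address, i.e. bytes that differ between builds, so pinning them would make
    the rule brittle while the surrounding opcodes stay stable.
    """
    pattern = b""
    for token in hex_string.split():
        if len(token) % 2:
            raise ValueError(f"odd-length token {token!r}")
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            pattern += b"." if pair == "??" else re.escape(bytes([int(pair, 16)]))
    return re.compile(pattern, re.DOTALL)  # DOTALL: '.' must also match 0x0a


COMPILED = {name: hex_string_to_regex(s) for name, s in RULE_STRINGS.items()}


def matched_strings(data):
    """Names of the rule strings that occur at least once in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def rule_matches(data):
    """Evaluate the rule's condition: 7 of them and filesize < 262144."""
    return len(data) < MAX_FILESIZE and len(matched_strings(data)) >= MIN_MATCHES


def build_sample(names, filler=b"\x90" * 16, wildcard_byte=b"\xaa"):
    """Constructed test buffer: the chosen sequences with every wildcard position
    filled by an arbitrary byte, separated by NOP padding. Not real Cutwail code."""
    out = b""
    for name in names:
        concrete = RULE_STRINGS[name].replace("??", wildcard_byte.hex())
        out += filler + bytes.fromhex(concrete.replace(" ", ""))
    return out + filler


if __name__ == "__main__":
    seven = build_sample(list(RULE_STRINGS)[:7])
    six = build_sample(list(RULE_STRINGS)[:6])
    print("7 sequences ->", rule_matches(seven), matched_strings(seven))
    print("6 sequences ->", rule_matches(six))
    print("all 16 but oversized ->", rule_matches(build_sample(list(RULE_STRINGS)) + b"\0" * MAX_FILESIZE))
```

This only mirrors the condition; for real scanning feed the rule itself to yara or yara-python. Two practical points follow from it: `filesize` is the size of the object handed to the scanner, so the 256 KiB cap is judged against the unpacked file or memory dump, not the packed dropper on disk; and, as the rule's own disclaimer says, the sequences were selected from a limited sample set, so `7 of them` firing on a dump is a triage signal to follow up on rather than proof of family membership.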