win.cycbot

CycBot


There is no description for this family at this point.

References
2011-07-14 — ESET Research — David Harley
Cycbot: Ready to Ride
CycBot
Yara Rules
[TLP:WHITE] win_cycbot_auto (20260504 | Detects win.cycbot.)
rule win_cycbot_auto {

    /* Auto-generated code-sequence signature for win.cycbot (yara-signator).
     * Each $sequence_N is a run of x86 instruction bytes lifted from the
     * sample's disassembly (shown in the comments for readability only).
     * "????????" wildcards replace operand bytes; the disassembly column is
     * left blank for those instructions. Given signator_config below, these are
     * presumably call/jump targets and data references, masked so the pattern
     * does not depend on absolute addresses — confirm against the tool's docs.
     * Matching requires 7 of the 10 sequences plus a filesize bound (see
     * condition).
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cycbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot"
        // NOTE(review): malpedia_rule_date (20260422) differs from date (2026-05-04);
        // presumably the former is the Malpedia data snapshot the rule was built
        // from and the latter the generation date — verify with the generator.
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Per sequence: "n" is the number of instructions in the pattern; "score"
        // is a ranking emitted by yara-signator (meaning not defined here —
        // presumably the sequence's selection score; see the tool's docs).
        $sequence_0 = { 59 59 85c0 7430 ffb730f8ffff ff15???????? }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7430                 | je                  0x32
            //   ffb730f8ffff         | push                dword ptr [edi - 0x7d0]
            //   ff15????????         |                     

        $sequence_1 = { 81bd7cf5ffff90010000 742a ffb57cf5ffff 8d8584f5ffff ffb56cf5ffff 68???????? 68???????? }
            // n = 7, score = 100
            //   81bd7cf5ffff90010000     | cmp    dword ptr [ebp - 0xa84], 0x190
            //   742a                 | je                  0x2c
            //   ffb57cf5ffff         | push                dword ptr [ebp - 0xa84]
            //   8d8584f5ffff         | lea                 eax, [ebp - 0xa7c]
            //   ffb56cf5ffff         | push                dword ptr [ebp - 0xa94]
            //   68????????           |                     
            //   68????????           |                     

        $sequence_2 = { 8d4df4 c7450800000000 e8???????? 68???????? 8d4df4 51 c745f4e0634300 }
            // n = 7, score = 100
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   c7450800000000       | mov                 dword ptr [ebp + 8], 0
            //   e8????????           |                     
            //   68????????           |                     
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   51                   | push                ecx
            //   c745f4e0634300       | mov                 dword ptr [ebp - 0xc], 0x4363e0

        $sequence_3 = { 0f8519020000 39842414010000 0f850c020000 39442420 0f8402020000 8d842420010000 50 }
            // n = 7, score = 100
            //   0f8519020000         | jne                 0x21f
            //   39842414010000       | cmp                 dword ptr [esp + 0x114], eax
            //   0f850c020000         | jne                 0x212
            //   39442420             | cmp                 dword ptr [esp + 0x20], eax
            //   0f8402020000         | je                  0x208
            //   8d842420010000       | lea                 eax, [esp + 0x120]
            //   50                   | push                eax

        $sequence_4 = { 83c40c 33c9 c705????????f0874800 c705????????e8864800 c705????????e0854800 e8???????? 50 }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   33c9                 | xor                 ecx, ecx
            //   c705????????f0874800     |     
            //   c705????????e8864800     |     
            //   c705????????e0854800     |     
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_5 = { 8d9568ffffff 52 50 53 ff511c 8bf0 33ff }
            // n = 7, score = 100
            //   8d9568ffffff         | lea                 edx, [ebp - 0x98]
            //   52                   | push                edx
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff511c               | call                dword ptr [ecx + 0x1c]
            //   8bf0                 | mov                 esi, eax
            //   33ff                 | xor                 edi, edi

        $sequence_6 = { 8908 895804 eb02 33c0 6a08 8945fc e8???????? }
            // n = 7, score = 100
            //   8908                 | mov                 dword ptr [eax], ecx
            //   895804               | mov                 dword ptr [eax + 4], ebx
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   6a08                 | push                8
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   e8????????           |                     

        $sequence_7 = { a5 66a5 a4 8b5d0c 8b4508 be???????? 8d7d94 }
            // n = 7, score = 100
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   be????????           |                     
            //   8d7d94               | lea                 edi, [ebp - 0x6c]

        $sequence_8 = { 8d8518ffffff 50 8d85f0feffff 50 8d8528ffffff 50 8d8508ffffff }
            // n = 7, score = 100
            //   8d8518ffffff         | lea                 eax, [ebp - 0xe8]
            //   50                   | push                eax
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]
            //   50                   | push                eax
            //   8d8528ffffff         | lea                 eax, [ebp - 0xd8]
            //   50                   | push                eax
            //   8d8508ffffff         | lea                 eax, [ebp - 0xf8]

        $sequence_9 = { 53 e8???????? 59 e8???????? cc 6a4c }
            // n = 6, score = 100
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   cc                   | int3                
            //   6a4c                 | push                0x4c

    condition:
        // 7 of the 10 sequences must be present. The filesize bound
        // (1163264 bytes, ~1.1 MiB) applies to the scanned object, so a larger
        // packed, padded or dumped image will not match even if the code is
        // present — tune it for your own corpus rather than treating it as
        // a family property.
        7 of them and filesize < 1163264
}
[TLP:WHITE] win_cycbot_w0   (20201106 | Captures characteristic strings of CycBot.)
rule win_cycbot_w0 {

    meta:
        author = "anonymous"
        date = "2020-11-06"
        description = "Captures characteristic strings of CycBot."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot"
        malpedia_rule_date = "20201106"
        malpedia_hash = ""
        malpedia_version = "20201106"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* Hand-written string signature for CycBot.
     * Three groups of plain ASCII literals (case-sensitive, the YARA default,
     * made explicit with the `ascii` modifier below): printf-style URL /
     * query-string templates, internal identifiers, and GUID-shaped literals
     * the author labelled as mutex names. Any 5 of the 12 strings in a PE
     * file satisfy the rule. Note that malpedia_hash is empty, so the
     * reference sample is not recorded here.
     */
    strings:
        // GUID-shaped / hex literals, labelled mutex_* by the author
        // (their runtime role is not verifiable from this rule alone).
        $mutex_1 = "4A3282FEF482C0F79E1" ascii
        $mutex_2 = "{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}" ascii
        $mutex_3 = "{C66E79CE-8935-4ed9-A6B1-4983619CB925}" ascii
        $mutex_4 = "{35BCA615-C82A-4152-8857-BCC626AE4C8D}" ascii

        // Query-string / URL templates with %s and %d placeholders.
        $net_1 = "t=t&hrs=%d&q=id=1000&ver=%s&s=%d" ascii
        $net_2 = "&system=%d&id=%s&hwid=%s&search=%s" ascii
        $net_3 = "http://%s/s.php?c=121&id=%s" ascii
        $net_4 = "pmv=2&id=%s&hwid=%s" ascii
        $net_5 = "t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d" ascii

        // Internal identifiers.
        $s_1 = "SELECT_RESERV_SRV_%d" ascii
        $s_2 = "_PRM_NAME_TASK_LOADER_5" ascii
        $s_3 = "LST_TM_OF_PNG" ascii

    condition:
        // Gate on a PE image: "MZ" at offset 0 and "PE\0\0" at e_lfanew
        // (the uint32 at 0x3C), both read little-endian.
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        // Then any 5 of the 12 strings, across all three groups.
        and 5 of ($mutex_*, $net_*, $s_*)
}