Actor(s): Tick
There is no description at this point.
// Autogenerated Malpedia/YARA-Signator rule for win.daserf, reformatted from a
// single collapsed line; hex patterns, meta values and the condition are unchanged.
//
// What the rule matches on: 16 opcode-byte sequences ($sequence_0 .. $sequence_15),
// each with fixed 32-bit immediates and no wildcards, so the patterns are exact
// byte matches against the sample's code. A file hits when at least 7 of the 16
// sequences are present and the scanned file is below 240 KiB.
//
// Observations from the per-byte disassembly comments below (not from the sample):
//   - sequences 0, 1, 9, 10, 12, 13, 14, 15 consist solely of add/sub eax|ebx, imm32;
//   - sequences 2, 5, 8 shuffle a register through a negative [esp - N] slot and back;
//   - sequences 3, 4, 6, 7, 11 carry instructions that do not change state
//     (nop, wait, mov ebx, ebx; lea ebx, [ebx]; jne to the next instruction).
// NOTE(review): this profile looks like arithmetic/junk-instruction obfuscation
// rather than family-specific logic — confirm against the documented sample before
// assigning a high confidence level; a hit on such sequences may indicate the
// obfuscation scheme more than the family itself, and any rebuild that changes the
// immediates would break the exact-byte matches.
rule win_daserf_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.daserf."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        // Each string is a run of n consecutive instructions; "score" is the
        // generator's selection score for that sequence.
        $sequence_0 = { 2d7458acf0 81eb4087a1c9 81c324977364 2df0c5683d }
            // n = 4, score = 100
            //   2d7458acf0           | sub                 eax, 0xf0ac5874
            //   81eb4087a1c9         | sub                 ebx, 0xc9a18740
            //   81c324977364         | add                 ebx, 0x64739724
            //   2df0c5683d           | sub                 eax, 0x3d68c5f0

        $sequence_1 = { 2d3d9dddda 2d122b9e6e 05a176df80 056a8ceb26 81c3091794b7 81c3477483eb }
            // n = 6, score = 100
            //   2d3d9dddda           | sub                 eax, 0xdadd9d3d
            //   2d122b9e6e           | sub                 eax, 0x6e9e2b12
            //   05a176df80           | add                 eax, 0x80df76a1
            //   056a8ceb26           | add                 eax, 0x26eb8c6a
            //   81c3091794b7         | add                 ebx, 0xb7941709
            //   81c3477483eb         | add                 ebx, 0xeb837447

        $sequence_2 = { f7d2 055764eba6 96 89b42430f4ffff 8bf0 8b842430f4ffff }
            // n = 6, score = 100
            //   f7d2                 | not                 edx
            //   055764eba6           | add                 eax, 0xa6eb6457
            //   96                   | xchg                eax, esi
            //   89b42430f4ffff       | mov                 dword ptr [esp - 0xbd0], esi
            //   8bf0                 | mov                 esi, eax
            //   8b842430f4ffff       | mov                 eax, dword ptr [esp - 0xbd0]

        $sequence_3 = { ff75e0 8d1b ff75fc 90 }
            // n = 4, score = 100
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   8d1b                 | lea                 ebx, [ebx]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   90                   | nop

        $sequence_4 = { 0593f8abb9 90 0536f1718f 9b }
            // n = 4, score = 100
            //   0593f8abb9           | add                 eax, 0xb9abf893
            //   90                   | nop
            //   0536f1718f           | add                 eax, 0x8f71f136
            //   9b                   | wait

        $sequence_5 = { 92 89942410f1ffff 8bd0 8b842410f1ffff }
            // n = 4, score = 100
            //   92                   | xchg                eax, edx
            //   89942410f1ffff       | mov                 dword ptr [esp - 0xef0], edx
            //   8bd0                 | mov                 edx, eax
            //   8b842410f1ffff       | mov                 eax, dword ptr [esp - 0xef0]

        $sequence_6 = { 81eb477bafc6 90 81eb1979d9a8 8bdb 05f1ad59f9 }
            // n = 5, score = 100
            //   81eb477bafc6         | sub                 ebx, 0xc6af7b47
            //   90                   | nop
            //   81eb1979d9a8         | sub                 ebx, 0xa8d97919
            //   8bdb                 | mov                 ebx, ebx
            //   05f1ad59f9           | add                 eax, 0xf959adf1

        $sequence_7 = { 8bc0 8b842400f3ffff 81ebee7d857e 7500 2d444a28fe }
            // n = 5, score = 100
            //   8bc0                 | mov                 eax, eax
            //   8b842400f3ffff       | mov                 eax, dword ptr [esp - 0xd00]
            //   81ebee7d857e         | sub                 ebx, 0x7e857dee
            //   7500                 | jne                 2
            //   2d444a28fe           | sub                 eax, 0xfe284a44

        $sequence_8 = { 97 89bc2400f1ffff 8bf8 8b842400f1ffff }
            // n = 4, score = 100
            //   97                   | xchg                eax, edi
            //   89bc2400f1ffff       | mov                 dword ptr [esp - 0xf00], edi
            //   8bf8                 | mov                 edi, eax
            //   8b842400f1ffff       | mov                 eax, dword ptr [esp - 0xf00]

        $sequence_9 = { 81c3cfcdd8a3 81eb4769227d 05635637f9 05b537d85e 2dd80e91af }
            // n = 5, score = 100
            //   81c3cfcdd8a3         | add                 ebx, 0xa3d8cdcf
            //   81eb4769227d         | sub                 ebx, 0x7d226947
            //   05635637f9           | add                 eax, 0xf9375663
            //   05b537d85e           | add                 eax, 0x5ed837b5
            //   2dd80e91af           | sub                 eax, 0xaf910ed8

        $sequence_10 = { 05ddf775a4 0583ee701f 2de339226e 81c368780090 81c3f215efea 81eb33a8c4a5 }
            // n = 6, score = 100
            //   05ddf775a4           | add                 eax, 0xa475f7dd
            //   0583ee701f           | add                 eax, 0x1f70ee83
            //   2de339226e           | sub                 eax, 0x6e2239e3
            //   81c368780090         | add                 ebx, 0x90007868
            //   81c3f215efea         | add                 ebx, 0xeaef15f2
            //   81eb33a8c4a5         | sub                 ebx, 0xa5c4a833

        $sequence_11 = { 8b842420f4ffff 53 8bdb 53 }
            // n = 4, score = 100
            //   8b842420f4ffff       | mov                 eax, dword ptr [esp - 0xbe0]
            //   53                   | push                ebx
            //   8bdb                 | mov                 ebx, ebx
            //   53                   | push                ebx

        $sequence_12 = { 056213cf4c 2d025bcd54 81eb4f4edeb1 055b9204af 05be0a5f12 058a52e815 }
            // n = 6, score = 100
            //   056213cf4c           | add                 eax, 0x4ccf1362
            //   2d025bcd54           | sub                 eax, 0x54cd5b02
            //   81eb4f4edeb1         | sub                 ebx, 0xb1de4e4f
            //   055b9204af           | add                 eax, 0xaf04925b
            //   05be0a5f12           | add                 eax, 0x125f0abe
            //   058a52e815           | add                 eax, 0x15e8528a

        $sequence_13 = { 81eb8f465a28 05d4ec048f 05ace3258a 2d8c7110f6 }
            // n = 4, score = 100
            //   81eb8f465a28         | sub                 ebx, 0x285a468f
            //   05d4ec048f           | add                 eax, 0x8f04ecd4
            //   05ace3258a           | add                 eax, 0x8a25e3ac
            //   2d8c7110f6           | sub                 eax, 0xf610718c

        $sequence_14 = { 2dd1ab761c 81eb0752c899 81eb5e2deea0 056e62ed8e }
            // n = 4, score = 100
            //   2dd1ab761c           | sub                 eax, 0x1c76abd1
            //   81eb0752c899         | sub                 ebx, 0x99c85207
            //   81eb5e2deea0         | sub                 ebx, 0xa0ee2d5e
            //   056e62ed8e           | add                 eax, 0x8eed626e

        $sequence_15 = { 2d99ba6fa8 2d7df1f9f5 81c32b692a0c 81eb4ce843f8 }
            // n = 4, score = 100
            //   2d99ba6fa8           | sub                 eax, 0xa86fba99
            //   2d7df1f9f5           | sub                 eax, 0xf5f9f17d
            //   81c32b692a0c         | add                 ebx, 0xc2a692b
            //   81eb4ce843f8         | sub                 ebx, 0xf843e84c

    condition:
        // "7 of them" = at least 7 of the 16 $sequence_* strings must match;
        // 245760 bytes = 240 KiB, an upper bound on the scanned file's size.
        // The size bound limits the cost of scanning and keeps the rule from
        // firing on large containers that merely embed the sample.
        7 of them and filesize < 245760
}