win.deltastealer (DeltaStealer): a Rust-based information stealer.
rule win_deltastealer_auto {

    // Auto-generated code-sequence signature for win.deltastealer (yara-signator).
    // Matching is driven solely by the ten byte sequences below and the
    // "7 of them" threshold in the condition; the instruction annotations are
    // comments only and have no effect on matching.
    //
    // NOTE(review): the per-sequence disassembly annotations that shipped with the
    // upstream auto-generated rule did not correspond to the listed bytes (they
    // read like a 32-bit decode of a different offset, e.g. the REX prefix 48
    // rendered as "dec eax"). They have been re-derived below by hand from the hex
    // as x86-64. Branch targets are given as signed displacements relative to the
    // end of the branch instruction, not as absolute addresses.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.deltastealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltastealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Each $sequence_N is a run of n = 7 consecutive x86-64 instructions.
    // The four bytes following e8 (call rel32) / e9 (jmp rel32) are wildcarded
    // (????????), so matching does not depend on the call/jump target.
    strings:
        $sequence_0 = { 4885c0 7807 4801c6 720d eb34 4889c1 48f7d9 }
            // n = 7, score = 200
            //   4885c0               | test                rax, rax
            //   7807                 | js                  +0x07
            //   4801c6               | add                 rsi, rax
            //   720d                 | jb                  +0x0d
            //   eb34                 | jmp                 +0x34
            //   4889c1               | mov                 rcx, rax
            //   48f7d9               | neg                 rcx

        $sequence_1 = { c3 31ff eb0c 31ff b301 eb06 b302 }
            // n = 7, score = 200
            //   c3                   | ret
            //   31ff                 | xor                 edi, edi
            //   eb0c                 | jmp                 +0x0c
            //   31ff                 | xor                 edi, edi
            //   b301                 | mov                 bl, 1
            //   eb06                 | jmp                 +0x06
            //   b302                 | mov                 bl, 2

        $sequence_2 = { 4c89f9 ba3a000000 ffd3 84c0 0f850a010000 4c896c2478 4c89b42480000000 }
            // n = 7, score = 200
            //   4c89f9               | mov                 rcx, r15
            //   ba3a000000           | mov                 edx, 0x3a
            //   ffd3                 | call                rbx
            //   84c0                 | test                al, al
            //   0f850a010000         | jne                 +0x10a
            //   4c896c2478           | mov                 qword ptr [rsp + 0x78], r13
            //   4c89b42480000000     | mov                 qword ptr [rsp + 0x80], r14

        $sequence_3 = { 488b4c2440 8b3481 48ffc0 49c7467001000000 49894678 eb33 4983661800 }
            // n = 7, score = 200
            //   488b4c2440           | mov                 rcx, qword ptr [rsp + 0x40]
            //   8b3481               | mov                 esi, dword ptr [rcx + rax*4]
            //   48ffc0               | inc                 rax
            //   49c7467001000000     | mov                 qword ptr [r14 + 0x70], 1
            //   49894678             | mov                 qword ptr [r14 + 0x78], rax
            //   eb33                 | jmp                 +0x33
            //   4983661800           | and                 qword ptr [r14 + 0x18], 0

        $sequence_4 = { e8???????? 84c0 0f840effffff e9???????? b301 48833f00 7588 }
            // n = 7, score = 200
            //   e8????????           | call                <wildcarded rel32>
            //   84c0                 | test                al, al
            //   0f840effffff         | je                  -0xf2
            //   e9????????           | jmp                 <wildcarded rel32>
            //   b301                 | mov                 bl, 1
            //   48833f00             | cmp                 qword ptr [rdi], 0
            //   7588                 | jne                 -0x78

        $sequence_5 = { e8???????? 48033e 48897c2428 483b7e08 770e 48893e 4881c480000000 }
            // n = 7, score = 200
            //   e8????????           | call                <wildcarded rel32>
            //   48033e               | add                 rdi, qword ptr [rsi]
            //   48897c2428           | mov                 qword ptr [rsp + 0x28], rdi
            //   483b7e08             | cmp                 rdi, qword ptr [rsi + 8]
            //   770e                 | ja                  +0x0e
            //   48893e               | mov                 qword ptr [rsi], rdi
            //   4881c480000000       | add                 rsp, 0x80

        $sequence_6 = { 785c 4983faff 74e6 4489d7 29c7 83e707 75dc }
            // n = 7, score = 200
            //   785c                 | js                  +0x5c
            //   4983faff             | cmp                 r10, -1
            //   74e6                 | je                  -0x1a
            //   4489d7               | mov                 edi, r10d
            //   29c7                 | sub                 edi, eax
            //   83e707               | and                 edi, 7
            //   75dc                 | jne                 -0x24

        $sequence_7 = { 4c89e9 4d89e0 e8???????? eb81 48c1ef39 488d43f0 4821c5 }
            // n = 7, score = 200
            //   4c89e9               | mov                 rcx, r13
            //   4d89e0               | mov                 r8, r12
            //   e8????????           | call                <wildcarded rel32>
            //   eb81                 | jmp                 -0x7f
            //   48c1ef39             | shr                 rdi, 0x39
            //   488d43f0             | lea                 rax, [rbx - 0x10]
            //   4821c5               | and                 rbp, rax

        $sequence_8 = { 83be9000000004 7479 e9???????? 4885c0 0f8588000000 488b8690000000 4883f803 }
            // n = 7, score = 200
            //   83be9000000004       | cmp                 dword ptr [rsi + 0x90], 4
            //   7479                 | je                  +0x79
            //   e9????????           | jmp                 <wildcarded rel32>
            //   4885c0               | test                rax, rax
            //   0f8588000000         | jne                 +0x88
            //   488b8690000000       | mov                 rax, qword ptr [rsi + 0x90]
            //   4883f803             | cmp                 rax, 3

        $sequence_9 = { 5f 5e e9???????? 8a0f 4889f2 4883c428 5f }
            // n = 7, score = 200
            //   5f                   | pop                 rdi
            //   5e                   | pop                 rsi
            //   e9????????           | jmp                 <wildcarded rel32>
            //   8a0f                 | mov                 cl, byte ptr [rdi]
            //   4889f2               | mov                 rdx, rsi
            //   4883c428             | add                 rsp, 0x28
            //   5f                   | pop                 rdi

    // 7 of the 10 sequences must be present. There is deliberately no PE header
    // anchor (e.g. an MZ check): per the disclaimer the sequences were taken from
    // memory dumps and unpacked code, so the rule is meant to fire on those too.
    // NOTE(review): `filesize` is only meaningful when scanning a file or dump;
    // confirm the rule's behaviour for your scanning mode (e.g. live process
    // memory) before relying on the size bound.
    condition:
        7 of them and filesize < 3532800
}