Actor(s): Earth Lusca
There is no description at this point.
// Auto-generated code-sequence rule for win.dizzyvoid (Malpedia / yara-signator).
// Each $sequence_N is a run of x86/x64 opcode bytes lifted from a disassembled
// sample; `?` nibbles wildcard bytes that vary between builds (what look like
// call/data displacements). The hex bytes are the matching material — the
// "| mnemonic" annotations behind them are informational only and appear to be
// misaligned with the bytes they sit next to (the same opcode 33d2 is annotated
// "xor edx, edx" in $sequence_15 and "mov eax, 0xbffc38cc" in $sequence_2), so
// do not tune or triage on the annotations. `n` is the number of opcode chunks
// in the sequence; the meaning of `score` is not defined on this page.
rule win_dizzyvoid_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.dizzyvoid."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dizzyvoid"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 41b8bc469d7d 488b15???????? e8???????? 48898388000000 }
            // n = 4, score = 400
            //   41b8bc469d7d         | dec ecx
            //   488b15????????       |
            //   e8????????           |
            //   48898388000000       | sub ecx, ecx

        $sequence_1 = { 492bc9 48b865210b59c84216b2 48f7e9 4803d1 48c1fa07 }
            // n = 5, score = 400
            //   492bc9               | dec ecx
            //   48b865210b59c84216b2 | sub ecx, ecx
            //   48f7e9               | dec eax
            //   4803d1               | mov eax, 0x590b2165
            //   48c1fa07             | enter 0x1642, -0x4e

        $sequence_2 = { 488bd9 33d2 488b89d8000000 ff9390000000 }
            // n = 4, score = 400
            //   488bd9               | inc ecx
            //   33d2                 | mov eax, 0xbffc38cc
            //   488b89d8000000       | dec eax
            //   ff9390000000         | mov dword ptr [ebx + 0x60], eax

        $sequence_3 = { 48896c2420 448bce 4d8bc6 33d2 }
            // n = 4, score = 400
            //   48896c2420           | dec eax
            //   448bce               | mov ecx, dword ptr [esi]
            //   4d8bc6               | inc ecx
            //   33d2                 | mov eax, 0x7d9d46bc

        $sequence_4 = { 488b03 488d0c07 48894b10 4c8bc0 488b5608 488b0e e8???????? }
            // n = 7, score = 400
            //   488b03               | dec eax
            //   488d0c07             | add edx, ecx
            //   48894b10             | dec eax
            //   4c8bc0               | sar edx, 7
            //   488b5608             | dec eax
            //   488b0e               | mov eax, edx
            //   e8????????           |

        $sequence_5 = { 41b8cc38fcbf 488b15???????? e8???????? 48894360 }
            // n = 4, score = 400
            //   41b8cc38fcbf         | mov dword ptr [ebx + 0x10], ecx
            //   488b15????????       |
            //   e8????????           |
            //   48894360             | dec esp

        $sequence_6 = { 33d2 33c9 ff15???????? 4c63f8 498bcf e8???????? }
            // n = 6, score = 400
            //   33d2                 | xor ecx, ecx
            //   33c9                 | dec eax
            //   ff15????????         |
            //   4c63f8               | mov dword ptr [esp + 0x20], ebp
            //   498bcf               | inc esp
            //   e8????????           |

        $sequence_7 = { 4885c9 7403 ff5350 488b8bc8000000 }
            // n = 4, score = 400
            //   4885c9               | dec eax
            //   7403                 | mov eax, edx
            //   ff5350               | dec eax
            //   488b8bc8000000       | shr eax, 0x3f

        $sequence_8 = { 8b8d90fcffff 51 e8???????? 83c40c 8bf4 }
            // n = 5, score = 200
            //   8b8d90fcffff         | call dword ptr [ebx + 0x50]
            //   51                   | dec eax
            //   e8????????           |
            //   83c40c               | mov ecx, dword ptr [ebx + 0xd0]
            //   8bf4                 | dec eax

        $sequence_9 = { c705????????2a134100 8935???????? a3???????? ff15???????? a3???????? 83f8ff 0f84c1000000 }
            // n = 7, score = 200
            //   c705????????2a134100 |
            //   8935????????         |
            //   a3????????           |
            //   ff15????????         |
            //   a3????????           |
            //   83f8ff               | call dword ptr [ebx + 0x90]
            //   0f84c1000000         | nop

        $sequence_10 = { a1???????? a3???????? a1???????? c705????????2a134100 8935???????? a3???????? }
            // n = 6, score = 200
            //   a1????????           |
            //   a3????????           |
            //   a1????????           |
            //   c705????????2a134100 |
            //   8935????????         |
            //   a3????????           |

        $sequence_11 = { 83c40c 8bf4 ff9590fcffff 3bf4 e8???????? 33c0 52 }
            // n = 7, score = 200
            //   83c40c               | call dword ptr [ebx + 0x50]
            //   8bf4                 | dec eax
            //   ff9590fcffff         | mov ecx, dword ptr [ebx + 0xd0]
            //   3bf4                 | dec eax
            //   e8????????           |
            //   33c0                 | test ecx, ecx
            //   52                   | je 0x14

        $sequence_12 = { 8bec 81ec34040000 53 56 57 8dbdccfbffff }
            // n = 6, score = 200
            //   8bec                 | test ecx, ecx
            //   81ec34040000         | je 0x14
            //   53                   | call dword ptr [ebx + 0x50]
            //   56                   | dec eax
            //   57                   | mov ebx, ecx
            //   8dbdccfbffff         | xor edx, edx

        $sequence_13 = { ebc5 8bf4 6a40 6800300000 }
            // n = 4, score = 200
            //   ebc5                 | test ecx, ecx
            //   8bf4                 | dec eax
            //   6a40                 | test ecx, ecx
            //   6800300000           | je 5

        $sequence_14 = { b90d010000 b8cccccccc f3ab a1???????? 33c5 }
            // n = 5, score = 200
            //   b90d010000           | dec eax
            //   b8cccccccc           | test ecx, ecx
            //   f3ab                 | je 5
            //   a1????????           |
            //   33c5                 | call dword ptr [ebx + 0x50]

        $sequence_15 = { 33cd e8???????? 81c434040000 3bec e8???????? 8be5 }
            // n = 6, score = 200
            //   33cd                 | xor edx, edx
            //   e8????????           |
            //   81c434040000         | dec eax
            //   3bec                 | mov ecx, dword ptr [ebx + 0xe0]
            //   e8????????           |
            //   8be5                 | inc ecx

        $sequence_16 = { 83e71f c1e706 8b049d601c4100 0fbe443804 83e001 }
            // n = 5, score = 100
            //   83e71f               | inc ecx
            //   c1e706               | mov eax, 0x7d9d46bc
            //   8b049d601c4100       | dec eax
            //   0fbe443804           | mov dword ptr [ebx + 0x88], eax
            //   83e001               | inc ecx

        $sequence_17 = { 8d4df0 c745fc???????? e8???????? 68???????? 8d45f0 50 c745f084af4000 }
            // n = 7, score = 100
            //   8d4df0               | mov eax, 0xb8a86f3a
            //   c745fc????????       |
            //   e8????????           |
            //   68????????           |
            //   8d45f0               | inc ecx
            //   50                   | mov eax, 0x7d9d46bc
            //   c745f084af4000       | dec eax

        $sequence_18 = { f3a5 8d8dc4fcffff 51 6a00 }
            // n = 4, score = 100
            //   f3a5                 | inc ecx
            //   8d8dc4fcffff         | mov eax, 0xb8a86f3a
            //   51                   | dec eax
            //   6a00                 | test ecx, ecx

        $sequence_19 = { f0300e 40 3d31030000 72eb 6a40 6800100000 6800040000 }
            // n = 7, score = 100
            //   f0300e               | mov dword ptr [ebx + 0x88], eax
            //   40                   | inc ecx
            //   3d31030000           | mov eax, 0xb8a86f3a
            //   72eb                 | inc ecx
            //   6a40                 | mov eax, 0x7d9d46bc
            //   6800100000           | dec eax
            //   6800040000           | mov dword ptr [ebx + 0x88], eax

        $sequence_20 = { c1e706 8b0485601c4100 83c00c 03c7 50 }
            // n = 5, score = 100
            //   c1e706               | mov eax, eax
            //   8b0485601c4100       | dec eax
            //   83c00c               | mov edx, dword ptr [esi + 8]
            //   03c7                 | dec eax
            //   50                   | mov ecx, dword ptr [esi]

        $sequence_21 = { 8b04c5d4f04000 5d c3 ff15???????? 33c9 }
            // n = 5, score = 100
            //   8b04c5d4f04000       | inc ecx
            //   5d                   | mov eax, 0x7d9d46bc
            //   c3                   | dec eax
            //   ff15????????         |
            //   33c9                 | mov dword ptr [ebx + 0x88], eax

        $sequence_22 = { 51 6af6 ff15???????? 8b04bd601c4100 830c06ff 33c0 }
            // n = 6, score = 100
            //   51                   | dec eax
            //   6af6                 | lea ecx, [edi + eax]
            //   ff15????????         |
            //   8b04bd601c4100       | dec eax
            //   830c06ff             | mov dword ptr [ebx + 0x10], ecx
            //   33c0                 | dec esp

        $sequence_23 = { 59 83f83c 7635 68???????? e8???????? 8d0c458c024100 }
            // n = 6, score = 100
            //   59                   | dec eax
            //   83f83c               | shr eax, 0x3f
            //   7635                 | dec eax
            //   68????????           |
            //   e8????????           |
            //   8d0c458c024100       | mov eax, dword ptr [ebx]

    condition:
        // Any 7 of the 24 sequences must be present; the size cap bounds the
        // scan to files comparable in size to the samples the rule was derived
        // from. A packed or in-memory-only copy of the payload will not match
        // the raw code bytes, so pair this rule with unpacked/dumped scanning.
        7 of them and filesize < 479232
}