There is no description at this point.
rule win_electric_powder_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.electric_powder." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c1e81f 03c2 8bd6 3daaaaaa0a 0f879b070000 8d0c40 c1e103 } // n = 7, score = 100 // c1e81f | shr eax, 0x1f // 03c2 | add eax, edx // 8bd6 | mov edx, esi // 3daaaaaa0a | cmp eax, 0xaaaaaaa // 0f879b070000 | ja 0x7a1 // 8d0c40 | lea ecx, [eax + eax*2] // c1e103 | shl ecx, 3 $sequence_1 = { 59 59 3bc7 7404 8bc3 eb17 8b461c } // n = 7, score = 100 // 59 | pop ecx // 59 | pop ecx // 3bc7 | cmp eax, edi // 7404 | je 6 // 8bc3 | mov eax, ebx // eb17 | jmp 0x19 // 8b461c | mov eax, dword ptr [esi + 0x1c] $sequence_2 = { 3b4a14 7740 837a1408 8bc2 899548efffff 7208 8b02 } // n = 7, score = 100 // 3b4a14 | cmp ecx, dword ptr [edx + 0x14] // 7740 | ja 0x42 // 837a1408 | cmp dword ptr [edx + 0x14], 8 // 8bc2 | mov eax, edx // 899548efffff | mov dword ptr [ebp - 0x10b8], edx // 7208 | jb 0xa // 8b02 | mov eax, dword ptr [edx] $sequence_3 = { 83bd64faffff08 6a00 0f438550faffff 50 ff15???????? 83bd34fdffff10 } // n = 6, score = 100 // 83bd64faffff08 | cmp dword ptr [ebp - 0x59c], 8 // 6a00 | push 0 // 0f438550faffff | cmovae eax, dword ptr [ebp - 0x5b0] // 50 | push eax // ff15???????? | // 83bd34fdffff10 | cmp dword ptr [ebp - 0x2cc], 0x10 $sequence_4 = { 0f8698000000 8bd6 a81f 0f858e000000 8b49fc 3bc8 0f8383000000 } // n = 7, score = 100 // 0f8698000000 | jbe 0x9e // 8bd6 | mov edx, esi // a81f | test al, 0x1f // 0f858e000000 | jne 0x94 // 8b49fc | mov ecx, dword ptr [ecx - 4] // 3bc8 | cmp ecx, eax // 0f8383000000 | jae 0x89 $sequence_5 = { 2930 8b411c 0130 8b45fc eb30 8b01 } // n = 6, score = 100 // 2930 | sub dword ptr [eax], esi // 8b411c | mov eax, dword ptr [ecx + 0x1c] // 0130 | add dword ptr [eax], esi // 8b45fc | mov eax, dword ptr [ebp - 4] // eb30 | jmp 0x32 // 8b01 | mov eax, dword ptr [ecx] $sequence_6 = { 07 854000 15854000c6 864000 8a8440008a8440 007585 40 } // n = 7, score = 100 // 07 | pop es // 854000 | test dword ptr [eax], eax // 15854000c6 | adc eax, 0xc6004085 // 864000 | xchg byte ptr [eax], al // 8a8440008a8440 | mov al, byte ptr [eax + eax*2 + 0x40848a00] // 007585 | add byte ptr [ebp - 0x7b], dh // 40 | inc eax $sequence_7 = { c7856cfbffff00000000 0f1007 c7857cf9ffff01000000 0f118558fbffff f30f7e4710 660fd68568fbffff c7471000000000 } // n = 7, score = 100 // c7856cfbffff00000000 | mov dword ptr [ebp - 0x494], 0 // 0f1007 | movups xmm0, xmmword ptr [edi] // c7857cf9ffff01000000 | mov dword ptr [ebp - 0x684], 1 // 0f118558fbffff | movups xmmword ptr [ebp - 0x4a8], xmm0 // f30f7e4710 | movq xmm0, qword ptr [edi + 0x10] // 660fd68568fbffff | movq qword ptr [ebp - 0x498], xmm0 // c7471000000000 | mov dword ptr [edi + 0x10], 0 $sequence_8 = { 8bc8 85c9 0f88bffeffff 8b4708 3945fc } // n = 5, score = 100 // 8bc8 | mov ecx, eax // 85c9 | test ecx, ecx // 0f88bffeffff | js 0xfffffec5 // 8b4708 | mov eax, dword ptr [edi + 8] // 3945fc | cmp dword ptr [ebp - 4], eax $sequence_9 = { 8d8d98efffff e8???????? 83bdacefffff08 8d8598efffff 8bb53cefffff 0f438598efffff 6800000001 } // n = 7, score = 100 // 8d8d98efffff | lea ecx, [ebp - 0x1068] // e8???????? | // 83bdacefffff08 | cmp dword ptr [ebp - 0x1054], 8 // 8d8598efffff | lea eax, [ebp - 0x1068] // 8bb53cefffff | mov esi, dword ptr [ebp - 0x10c4] // 0f438598efffff | cmovae eax, dword ptr [ebp - 0x1068] // 6800000001 | push 0x1000000 condition: 7 of them and filesize < 565248 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY