win.enigma_loader

Enigma Loader


According to Trend Micro, this is a downloader dedicated to staging the execution of a second-stage malware called Enigma Stealer.

References
2023-02-09 · Trend Micro · Aliakbar Zahravi, Peter Girnus
Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs
Enigma Loader
Yara Rules
[TLP:WHITE] win_enigma_loader_auto (20260504 | Detects win.enigma_loader.)
rule win_enigma_loader_auto {
    // Purpose: flag Enigma Loader samples (Malpedia family win.enigma_loader)
    // by ten short opcode byte sequences selected automatically by
    // YARA-Signator. The sequences were taken from memory dumps and unpacked
    // files (see DISCLAIMER), so the rule targets unpacked code rather than
    // packed or otherwise obfuscated carriers.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.enigma_loader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.enigma_loader"
        // The three fields below presumably identify the Malpedia data
        // snapshot the rule was generated from, not the sample itself.
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* How to read the strings below:
     * - Each $sequence_N is a run of raw x86 opcode bytes; "??" masks one
     *   byte. Every masked run here is 4 bytes and follows e8 / e9 / ff15 /
     *   0f1005 / 0f100d / 8a05, i.e. presumably rel32 call/jmp targets and
     *   RIP-relative displacements that vary per build, so only the opcode
     *   skeleton is matched.
     * - The "| mnemonic" column is generator output and does NOT line up
     *   with the byte column: in $sequence_5 "cc" is listed as "shr eax, cl"
     *   and "90" as a 4-byte mov, although both are single-byte opcodes
     *   (int3, nop). Treat that column as unreliable and decode the bytes
     *   yourself when triaging a hit.
     * - The leading 48/4c/49/41 bytes look like REX prefixes, which would
     *   indicate 64-bit code (unverified here); the annotation column
     *   appears to decode everything as 32-bit, which is another reason to
     *   disregard it.
     * - "n" is the number of instructions in the sequence; "score" is a
     *   generator-assigned weight and is not used by the condition.
     */

    strings:
        $sequence_0 = { 488d8a40000000 e9???????? 488d8a40010000 e9???????? 488d8a20010000 e9???????? }
            // n = 6, score = 100
            //   488d8a40000000       | mov                 ecx, dword ptr [ecx - 8]
            //   e9????????           |                     
            //   488d8a40010000       | dec                 eax
            //   e9????????           |                     
            //   488d8a20010000       | sub                 eax, ecx
            //   e9????????           |                     

        $sequence_1 = { 0f1005???????? 0f114597 0f100d???????? 0f114da7 8a05???????? 8845b7 448bc3 }
            // n = 7, score = 100
            //   0f1005????????       |                     
            //   0f114597             | mov                 ecx, ebx
            //   0f100d????????       |                     
            //   0f114da7             | mov                 edx, 0x81504714
            //   8a05????????         |                     
            //   8845b7               | mov                 ecx, 0xc
            //   448bc3               | lea                 edx, [esi + 1]

        $sequence_2 = { ff15???????? b801000000 4c8d5c2470 498b5b10 498b6b18 498b7320 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   b801000000           | dec                 eax
            //   4c8d5c2470           | sar                 eax, 3
            //   498b5b10             | mov                 byte ptr [ebp + 0x48], 5
            //   498b6b18             | nop                 
            //   498b7320             | dec                 eax

        $sequence_3 = { 488d040a 488bf5 483bc5 480f43f0 493bf0 0f8728010000 488bce }
            // n = 7, score = 100
            //   488d040a             | dec                 eax
            //   488bf5               | test                edx, edx
            //   483bc5               | je                  0x264
            //   480f43f0             | dec                 eax
            //   493bf0               | mov                 ecx, ebx
            //   0f8728010000         | dec                 ecx
            //   488bce               | sub                 edi, ecx

        $sequence_4 = { 488bd9 4c8d0d48530100 33c9 4c8d0537530100 488d1538530100 e8???????? }
            // n = 6, score = 100
            //   488bd9               | dec                 eax
            //   4c8d0d48530100       | add                 esp, 0x20
            //   33c9                 | inc                 ecx
            //   4c8d0537530100       | pop                 edi
            //   488d1538530100       | inc                 ecx
            //   e8????????           |                     

        $sequence_5 = { e8???????? cc e8???????? cc e8???????? 90 498bd6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   cc                   | shr                 eax, cl
            //   e8????????           |                     
            //   cc                   | dec                 ebp
            //   e8????????           |                     
            //   90                   | mov                 dword ptr [edi + 8], eax
            //   498bd6               | inc                 ecx

        $sequence_6 = { 488bcb ffd0 418bc7 e9???????? ba3eefbb12 e8???????? 488bcb }
            // n = 7, score = 100
            //   488bcb               | mov                 eax, ecx
            //   ffd0                 | dec                 eax
            //   418bc7               | cmp                 edx, 0x1000
            //   e9????????           |                     
            //   ba3eefbb12           | dec                 eax
            //   e8????????           |                     
            //   488bcb               | mov                 edx, dword ptr [ebp - 0x28]

        $sequence_7 = { 488bcb ffd0 e9???????? ba175bc35c 418bdf 8bcb e8???????? }
            // n = 7, score = 100
            //   488bcb               | dec                 eax
            //   ffd0                 | inc                 edx
            //   e9????????           |                     
            //   ba175bc35c           | dec                 eax
            //   418bdf               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8bcb                 | dec                 eax
            //   e8????????           |                     

        $sequence_8 = { 488d055e6afeff 0fb68cb8a2b10200 0fb6b4b8a3b10200 8bd9 48c1e302 4c8bc3 8d040e }
            // n = 7, score = 100
            //   488d055e6afeff       | dec                 eax
            //   0fb68cb8a2b10200     | mov                 eax, dword ptr [ebx + 0x28]
            //   0fb6b4b8a3b10200     | inc                 eax
            //   8bd9                 | mov                 byte ptr [ebx + 0x18], bh
            //   48c1e302             | dec                 eax
            //   4c8bc3               | mov                 ecx, ebx
            //   8d040e               | cmp                 eax, 0x5c

        $sequence_9 = { 773b 498bc8 e8???????? 488b6c2458 4a8d0ce3 48891f 498bc6 }
            // n = 7, score = 100
            //   773b                 | mov                 al, byte ptr [ebp - 0x20]
            //   498bc8               | dec                 esp
            //   e8????????           |                     
            //   488b6c2458           | mov                 eax, dword ptr [ebp - 0x18]
            //   4a8d0ce3             | mov                 byte ptr [ebp - 0x20], 0
            //   48891f               | dec                 eax
            //   498bc6               | and                 dword ptr [ebp - 0x18], 0

    condition:
        // Fire when at least 7 of the 10 sequences are present AND the
        // scanned object is smaller than 798720 bytes (780 KiB). The size
        // cap keeps the rule on the unpacked-code scope described in the
        // DISCLAIMER and limits cost on large inputs, but it also means
        // larger carriers (e.g. the loader embedded in a bigger file) will
        // NOT match — expect false negatives there and change the cap
        // deliberately if your use case needs it.
        7 of them and filesize < 798720
}