win.expiro

Expiro

aka: Xpiro

Expiro malware has been around for more than a decade, and its authors still maintain it and extend it with new features. The infection routine was also changed in samples found in 2017 (described by McAfee).
Expiro "infiltrates" executables on 32- and 64-bit Windows versions.
It has capabilities to install browser extensions, change security behaviour and settings on the infected system, and steal information (e.g. account credentials).
In 2022 the source code of an EPO file infector called m0yv was newly described; some AVs wrongly identify it as Expiro.

References
2023-08-30  Jason Reaves, Medium (walmartglobaltech): Gazavat / Expiro DMSniff connection and DGA analysis [tags: DMSniff, Expiro, Gazavat]
2023-03-31  ThreatCat.ch, YouTube (ThreatCatch): Sinkholing the Domain Generation Algorithm of m0yv [tags: Expiro, m0yv]
2019-10-09  Francesco Gobbi, Giacomo Ferro, Riccardo Astolfi, GitHub (GiacomoFerro): Corso di Codice Malevolo: Relazione sull'analisi del malware sample2.exe (Malicious Code course: report on the analysis of the malware sample2.exe) [tags: Expiro]
2017-10-31  Xiaobing Lin, McAfee: Expiro Malware Is Back and Even Harder to Remove [tags: Expiro]
2013-07-30  welivesecurity, ESET Research: Versatile and infectious: Win64/Expiro is a cross-platform file infector [tags: Expiro]
2011-05-19  Microsoft Security Intelligence, Microsoft: Win32/Expiro [tags: Expiro]
Yara Rules
[TLP:WHITE] win_expiro_auto (20260504 | Detects win.expiro.)
rule win_expiro_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.expiro."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.expiro"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7373 7373 7373 735d 07 16 0b07 }
            // n = 7, score = 100
            //   7373                 | jae                 0x75
            //   7373                 | jae                 0x75
            //   7373                 | jae                 0x75
            //   735d                 | jae                 0x5f
            //   07                   | pop                 es
            //   16                   | push                ss
            //   0b07                 | or                  eax, dword ptr [edi]

        $sequence_1 = { e9???????? 8b542408 8d82f4f6ffff 8b8af0f6ffff }
            // n = 4, score = 100
            //   e9????????           |                     
            //   8b542408             | mov                 edx, dword ptr [esp + 8]
            //   8d82f4f6ffff         | lea                 eax, [edx - 0x90c]
            //   8b8af0f6ffff         | mov                 ecx, dword ptr [edx - 0x910]

        $sequence_2 = { 33c4 50 8d442448 64a300000000 837f0c00 0f84d8000000 33c0 }
            // n = 7, score = 100
            //   33c4                 | xor                 eax, esp
            //   50                   | push                eax
            //   8d442448             | lea                 eax, [esp + 0x48]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   837f0c00             | cmp                 dword ptr [edi + 0xc], 0
            //   0f84d8000000         | je                  0xde
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { eb02 8bc6 3bd8 7244 83f908 7204 }
            // n = 6, score = 100
            //   eb02                 | jmp                 4
            //   8bc6                 | mov                 eax, esi
            //   3bd8                 | cmp                 ebx, eax
            //   7244                 | jb                  0x46
            //   83f908               | cmp                 ecx, 8
            //   7204                 | jb                  6

        $sequence_4 = { 85ff 746d 837e1408 722e 8b06 eb2c 85ff }
            // n = 7, score = 100
            //   85ff                 | test                edi, edi
            //   746d                 | je                  0x6f
            //   837e1408             | cmp                 dword ptr [esi + 0x14], 8
            //   722e                 | jb                  0x30
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   eb2c                 | jmp                 0x2e
            //   85ff                 | test                edi, edi

        $sequence_5 = { 56 e8???????? 8bc6 c1f805 8b0485409d4100 }
            // n = 5, score = 100
            //   56                   | push                esi
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi
            //   c1f805               | sar                 eax, 5
            //   8b0485409d4100       | mov                 eax, dword ptr [eax*4 + 0x419d40]

        $sequence_6 = { 83c404 33c0 6689442430 6a07 b8???????? 8d742434 c744244807000000 }
            // n = 7, score = 100
            //   83c404               | add                 esp, 4
            //   33c0                 | xor                 eax, eax
            //   6689442430           | mov                 word ptr [esp + 0x30], ax
            //   6a07                 | push                7
            //   b8????????           |                     
            //   8d742434             | lea                 esi, [esp + 0x34]
            //   c744244807000000     | mov                 dword ptr [esp + 0x48], 7

        $sequence_7 = { 7373 7373 7373 137373 b35d 0116 }
            // n = 6, score = 100
            //   7373                 | jae                 0x75
            //   7373                 | jae                 0x75
            //   7373                 | jae                 0x75
            //   137373               | adc                 esi, dword ptr [ebx + 0x73]
            //   b35d                 | mov                 bl, 0x5d
            //   0116                 | add                 dword ptr [esi], edx

        $sequence_8 = { 5d 59 c20800 5b 8bc6 33d2 5f }
            // n = 7, score = 100
            //   5d                   | pop                 ebp
            //   59                   | pop                 ecx
            //   c20800               | ret                 8
            //   5b                   | pop                 ebx
            //   8bc6                 | mov                 eax, esi
            //   33d2                 | xor                 edx, edx
            //   5f                   | pop                 edi

        $sequence_9 = { 85c0 0f84d3000000 33c0 6689842464020000 }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   0f84d3000000         | je                  0xd9
            //   33c0                 | xor                 eax, eax
            //   6689842464020000     | mov                 word ptr [esp + 0x264], ax

    condition:
        7 of them and filesize < 3776512
}
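To make the rule's semantics concrete, the following pure-Python matcher is an added example (it is not code from Malpedia or from yara-signator, and real YARA is the tool to use for production scanning). It copies the ten hex strings from win_expiro_auto verbatim, treats `??` as YARA's one-byte wildcard, and evaluates the condition `7 of them and filesize < 3776512`. Every function name is this example's own, and the sample buffers at the bottom are constructed for the demonstration; they are padding plus the rule's own byte sequences, not real Expiro samples.

```python
"""Pure-Python evaluation of the win_expiro_auto hex strings and condition.

Added example, not code from Malpedia or yara-signator. The hex patterns are
copied from the rule above; "??" is YARA's one-byte wildcard. The sample
buffers at the bottom are constructed for the demonstration and are not
real Expiro samples.
"""
from typing import Optional

# Hex strings from the rule, verbatim (spaces are cosmetic, as in YARA).
EXPIRO_SEQUENCES = {
    "sequence_0": "7373 7373 7373 735d 07 16 0b07",
    "sequence_1": "e9???????? 8b542408 8d82f4f6ffff 8b8af0f6ffff",
    "sequence_2": "33c4 50 8d442448 64a300000000 837f0c00 0f84d8000000 33c0",
    "sequence_3": "eb02 8bc6 3bd8 7244 83f908 7204",
    "sequence_4": "85ff 746d 837e1408 722e 8b06 eb2c 85ff",
    "sequence_5": "56 e8???????? 8bc6 c1f805 8b0485409d4100",
    "sequence_6": "83c404 33c0 6689442430 6a07 b8???????? 8d742434 c744244807000000",
    "sequence_7": "7373 7373 7373 137373 b35d 0116",
    "sequence_8": "5d 59 c20800 5b 8bc6 33d2 5f",
    "sequence_9": "85c0 0f84d3000000 33c0 6689842464020000",
}

# Condition from the rule: 7 of them and filesize < 3776512
MIN_MATCHING_SEQUENCES = 7
MAX_FILESIZE = 3776512


def parse_hex_pattern(pattern: str) -> list[Optional[int]]:
    """Turn a YARA hex string into a list of byte values; None is a wildcard."""
    digits = pattern.replace(" ", "")
    if len(digits) % 2:
        raise ValueError(f"odd number of hex digits in pattern: {pattern!r}")
    out: list[Optional[int]] = []
    for i in range(0, len(digits), 2):
        tok = digits[i:i + 2]
        out.append(None if tok == "??" else int(tok, 16))
    return out


def find_pattern(data: bytes, pattern: str) -> int:
    """Offset of the first occurrence of the pattern in data, or -1 if absent."""
    pat = parse_hex_pattern(pattern)
    n = len(pat)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pat)):
            return off
    return -1


def matching_sequences(data: bytes) -> list[str]:
    """Names of the rule's strings that occur at least once in data."""
    return [name for name, pat in EXPIRO_SEQUENCES.items()
            if find_pattern(data, pat) != -1]


def rule_matches(data: bytes) -> bool:
    """Evaluate '7 of them and filesize < 3776512' against a buffer."""
    if len(data) >= MAX_FILESIZE:   # cheap size bound first, then the scan
        return False
    return len(matching_sequences(data)) >= MIN_MATCHING_SEQUENCES


def render_pattern(pattern: str, filler: int = 0x90) -> bytes:
    """Concrete bytes for a pattern, with wildcard positions set to `filler`."""
    return bytes(filler if p is None else p for p in parse_hex_pattern(pattern))


# Constructed buffers (not real samples): a fake header, then the sequences.
_PAD = b"\xcc" * 16
SAMPLE_ALL_SEQUENCES = b"MZ" + b"\x00" * 62 + b"".join(
    render_pattern(p) + _PAD for p in EXPIRO_SEQUENCES.values())
# Only six of the ten strings present, so "7 of them" is not satisfied.
SAMPLE_SIX_SEQUENCES = b"MZ" + b"\x00" * 62 + b"".join(
    render_pattern(p) + _PAD for p in list(EXPIRO_SEQUENCES.values())[:6])

if __name__ == "__main__":
    for label, buf in (("all ten", SAMPLE_ALL_SEQUENCES), ("six", SAMPLE_SIX_SEQUENCES)):
        hits = matching_sequences(buf)
        print(f"{label}: {len(hits)} sequences matched, rule fires = {rule_matches(buf)}")
```

The scan is a naive sliding window, which is fine for a few hundred bytes but not a substitute for YARA's Aho-Corasick engine on real files. Note the size bound is checked before scanning: a buffer of 3776512 bytes or more is rejected regardless of how many sequences it contains, which is the same outcome the rule's `filesize <` clause produces.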