win.fk_undead

FK_Undead

aka: Undead

This malware family is distributed mainly as a bundled component of "private server" clients (presumably unofficial game-server clients). Once installed it tampers with the victim's network traffic using techniques such as TDI filtering, DNS hijacking, HTTP(S) injection, and HOSTS-file redirection, so that ordinary web page requests are redirected to attacker-designated private-server websites. To evade detection it blocks the packets that security software uses for cloud-based detection and removal, rewrites shutdown callbacks, and applies other anti-detection measures.

References
Yara Rules
[TLP:WHITE] win_fk_undead_auto (20260504 | Detects win.fk_undead.)
rule win_fk_undead_auto {
    // Auto-generated code-sequence signature for the FK_Undead family (Malpedia: win.fk_undead).
    // Each $sequence_N string below is a short run of 32-bit x86 instruction bytes lifted from
    // the disassembly of unpacked/memory-dumped samples (see DISCLAIMER). Operands of call/jmp
    // instructions (e8, e9, ff15) are masked with `??` so relocation- and build-dependent
    // targets do not break the match. Note that, per the disclaimer, this may be derived from a
    // single sample, so treat hits as family-level indicators rather than definitive attribution.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.fk_undead."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fk_undead"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Loop that advances a pointer by 2 until a 16-bit zero is found, then halves the
        // byte distance and compares it against 0x16 -- consistent with a wide-string
        // length check (length <= 22), though the exact purpose is not visible here.
        $sequence_0 = { 83c002 6685c9 75f5 2bc2 d1f8 83f816 7607 }
            // n = 7, score = 100
            //   83c002               | add                 eax, 2
            //   6685c9               | test                cx, cx
            //   75f5                 | jne                 0xfffffff7
            //   2bc2                 | sub                 eax, edx
            //   d1f8                 | sar                 eax, 1
            //   83f816               | cmp                 eax, 0x16
            //   7607                 | jbe                 9

        // Argument setup for a call; the immediate 0x830c0 is the only distinctive byte
        // sequence here, so this string is weak on its own and relies on the others.
        $sequence_1 = { 52 53 53 50 57 68c0300800 56 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   50                   | push                eax
            //   57                   | push                edi
            //   68c0300800           | push                0x830c0
            //   56                   | push                esi

        $sequence_2 = { 7416 8b450c 854160 740e b901000000 33c0 85c9 }
            // n = 7, score = 100
            //   7416                 | je                  0x18
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   854160               | test                dword ptr [ecx + 0x60], eax
            //   740e                 | je                  0x10
            //   b901000000           | mov                 ecx, 1
            //   33c0                 | xor                 eax, eax
            //   85c9                 | test                ecx, ecx

        // `e8????????` masks a rel32 call target.
        $sequence_3 = { 52 e8???????? 8bf8 83c404 897c2410 85ff 0f84ad000000 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c404               | add                 esp, 4
            //   897c2410             | mov                 dword ptr [esp + 0x10], edi
            //   85ff                 | test                edi, edi
            //   0f84ad000000         | je                  0xb3

        // NOTE(review): this sequence embeds an unmasked absolute address (0x100a65e0, i.e. a
        // table in a module based at 0x10000000). It will only match while the module keeps that
        // preferred base and the same build layout; a relocated in-memory image or a rebuilt
        // binary would miss it. Expect this to be one of the least robust strings in the rule.
        $sequence_4 = { 83fa03 750e 8b0c85e0650a10 8a06 46 88441926 2bf2 }
            // n = 7, score = 100
            //   83fa03               | cmp                 edx, 3
            //   750e                 | jne                 0x10
            //   8b0c85e0650a10       | mov                 ecx, dword ptr [eax*4 + 0x100a65e0]
            //   8a06                 | mov                 al, byte ptr [esi]
            //   46                   | inc                 esi
            //   88441926             | mov                 byte ptr [ecx + ebx + 0x26], al
            //   2bf2                 | sub                 esi, edx

        // Two masked indirect calls (`ff15????????`, i.e. call through an import/function
        // pointer); the surrounding bytes are generic, so this string is weak alone.
        $sequence_5 = { 7407 50 ff15???????? 57 ff15???????? 8b442410 }
            // n = 6, score = 100
            //   7407                 | je                  9
            //   50                   | push                eax
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]

        // Copies several fields from a structure at [ebp+..] into stack slots; field layout
        // is specific to this code and is what makes the sequence distinctive.
        $sequence_6 = { 0fb74d1c 894c2420 8b4d24 89542424 8b5520 894c2454 0fb64d0a }
            // n = 7, score = 100
            //   0fb74d1c             | movzx               ecx, word ptr [ebp + 0x1c]
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx
            //   8b4d24               | mov                 ecx, dword ptr [ebp + 0x24]
            //   89542424             | mov                 dword ptr [esp + 0x24], edx
            //   8b5520               | mov                 edx, dword ptr [ebp + 0x20]
            //   894c2454             | mov                 dword ptr [esp + 0x54], ecx
            //   0fb64d0a             | movzx               ecx, byte ptr [ebp + 0xa]

        // `e8????????` masks a rel32 call target.
        $sequence_7 = { 52 e8???????? 83c410 89442438 3bc6 0f8430010000 }
            // n = 6, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   89442438             | mov                 dword ptr [esp + 0x38], eax
            //   3bc6                 | cmp                 eax, esi
            //   0f8430010000         | je                  0x136

        // `e9????????` masks a rel32 jmp target. Compares a byte against 0x0a ('\n'),
        // which looks like line-oriented text parsing, though the context is not visible here.
        $sequence_8 = { 0f84a4020000 c7461801000000 e9???????? 803f0a 7533 837e2000 }
            // n = 6, score = 100
            //   0f84a4020000         | je                  0x2aa
            //   c7461801000000       | mov                 dword ptr [esi + 0x18], 1
            //   e9????????           |                     
            //   803f0a               | cmp                 byte ptr [edi], 0xa
            //   7533                 | jne                 0x35
            //   837e2000             | cmp                 dword ptr [esi + 0x20], 0

        // NOTE(review): like $sequence_4, this one embeds an unmasked absolute address
        // (a jump table at 0x1000b484 in a module based at 0x10000000) and is therefore
        // sensitive to relocation and to build layout changes.
        $sequence_9 = { 33db 48 ff248d84b40010 8d543e5e 8b443e18 8b5c3e3c 8944244c }
            // n = 7, score = 100
            //   33db                 | xor                 ebx, ebx
            //   48                   | dec                 eax
            //   ff248d84b40010       | jmp                 dword ptr [ecx*4 + 0x1000b484]
            //   8d543e5e             | lea                 edx, [esi + edi + 0x5e]
            //   8b443e18             | mov                 eax, dword ptr [esi + edi + 0x18]
            //   8b5c3e3c             | mov                 ebx, dword ptr [esi + edi + 0x3c]
            //   8944244c             | mov                 dword ptr [esp + 0x4c], eax

    condition:
        // Fire when at least 7 of the 10 sequences are present in a file smaller than
        // 1418240 bytes (~1.35 MiB). Two practitioner caveats:
        //  - There is no MZ/PE header check, which is consistent with the rule being built
        //    from unpacked files and memory dumps; presumably deliberate so it also fires on
        //    dumps -- verify before tightening it with a header check.
        //  - The filesize bound means large bundled installers carrying this family (the
        //    description says it spreads inside private-server client bundles) will NOT
        //    match even if the sequences are present; scan the unpacked payload. YARA's
        //    `filesize` is also only meaningful for file scans, so confirm the behaviour you
        //    expect before relying on this rule for process-memory scans.
        7 of them and filesize < 1418240
}