Actor(s): DragonOK, Samurai Panda
There is no description at this point.
// Malpedia / YARA-Signator autogenerated rule for win.former_first_rat
// (the page attributes the family to DragonOK / Samurai Panda).
//
// NOTE(review): the per-instruction annotations the generator attached to
// $sequence_8 .. $sequence_15 were decoded in 32-bit mode and were shifted
// against their byte patterns (the REX prefixes 48/49/4c/4d showed up as
// "dec eax" / "dec ecx" / ...). Those sequences are x86-64 code; the
// annotations below were re-decoded by hand as x86-64 and should be
// confirmed with a disassembler. Byte patterns and the condition are
// unchanged; only comments differ from the generated rule.
rule win_former_first_rat_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.former_first_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // ---- 32-bit sequences (score = 200); annotations as generated ----
        // "????" bytes are wildcards: call/jump targets and absolute data
        // references that differ between builds are masked out.

        $sequence_0 = { 57 e8???????? 83c404 56 e8???????? 8b8504ffffff 83c404 }
            // n = 7, score = 200
            //   57               | push edi
            //   e8????????       | call <rel32 wildcarded>
            //   83c404           | add esp, 4
            //   56               | push esi
            //   e8????????       | call <rel32 wildcarded>
            //   8b8504ffffff     | mov eax, dword ptr [ebp - 0xfc]
            //   83c404           | add esp, 4

        $sequence_1 = { 75f8 8d85b4feffff 68???????? b90d000000 be???????? 50 }
            // n = 6, score = 200
            //   75f8             | jne 0xfffffffa
            //   8d85b4feffff     | lea eax, [ebp - 0x14c]
            //   68????????       | push <imm32 wildcarded>
            //   b90d000000       | mov ecx, 0xd
            //   be????????       | mov esi, <imm32 wildcarded>
            //   50               | push eax

        $sequence_2 = { b93c000000 03ce 83c40c c74424241c000000 81f900100000 7e5a }
            // n = 6, score = 200
            //   b93c000000       | mov ecx, 0x3c
            //   03ce             | add ecx, esi
            //   83c40c           | add esp, 0xc
            //   c74424241c000000 | mov dword ptr [esp + 0x24], 0x1c
            //   81f900100000     | cmp ecx, 0x1000
            //   7e5a             | jle 0x5c

        $sequence_3 = { 81c208020000 f3a5 3b44240c 75e4 }
            // n = 4, score = 200
            //   81c208020000     | add edx, 0x208
            //   f3a5             | rep movsd dword ptr es:[edi], dword ptr [esi]
            //   3b44240c         | cmp eax, dword ptr [esp + 0xc]
            //   75e4             | jne 0xffffffe6

        $sequence_4 = { 2bf1 b87fe0077e f7ee c1fa08 8bf2 }
            // n = 5, score = 200
            //   2bf1             | sub esi, ecx
            //   b87fe0077e       | mov eax, 0x7e07e07f
            //   f7ee             | imul esi
            //   c1fa08           | sar edx, 8
            //   8bf2             | mov esi, edx

        $sequence_5 = { 740a c705????????05000000 6a59 ffd6 }
            // n = 4, score = 200
            //   740a                 | je 0xc
            //   c705????????05000000 | mov dword ptr [<imm32 wildcarded>], 5
            //   6a59                 | push 0x59
            //   ffd6                 | call esi

        $sequence_6 = { 8d8de0feffff 51 bb08000000 e8???????? 8b9df8feffff 57 e8???????? }
            // n = 7, score = 200
            //   8d8de0feffff     | lea ecx, [ebp - 0x120]
            //   51               | push ecx
            //   bb08000000       | mov ebx, 8
            //   e8????????       | call <rel32 wildcarded>
            //   8b9df8feffff     | mov ebx, dword ptr [ebp - 0x108]
            //   57               | push edi
            //   e8????????       | call <rel32 wildcarded>

        $sequence_7 = { 6a00 50 c645b400 e8???????? 33c0 }
            // n = 5, score = 200
            //   6a00             | push 0
            //   50               | push eax
            //   c645b400         | mov byte ptr [ebp - 0x4c], 0
            //   e8????????       | call <rel32 wildcarded>
            //   33c0             | xor eax, eax

        // ---- x86-64 sequences (score = 100); annotations re-decoded as
        // ---- 64-bit code (see NOTE(review) above; confirm with a disassembler)

        $sequence_8 = { 488d4c2438 e8???????? 488bd0 488d8c24f0000000 }
            // n = 4, score = 100
            //   488d4c2438       | lea rcx, [rsp + 0x38]
            //   e8????????       | call <rel32 wildcarded>
            //   488bd0           | mov rdx, rax
            //   488d8c24f0000000 | lea rcx, [rsp + 0xf0]

        $sequence_9 = { 4889040a 488b01 48637004 4803f1 }
            // n = 4, score = 100
            //   4889040a         | mov qword ptr [rdx + rcx], rax
            //   488b01           | mov rax, qword ptr [rcx]
            //   48637004         | movsxd rsi, dword ptr [rax + 4]
            //   4803f1           | add rsi, rcx

        $sequence_10 = { 4d634804 4d8b6c3928 4d85ed 7e0a }
            // n = 4, score = 100
            //   4d634804         | movsxd r9, dword ptr [r8 + 4]
            //   4d8b6c3928       | mov r13, qword ptr [r9 + rdi + 0x28]
            //   4d85ed           | test r13, r13
            //   7e0a             | jle 0xc

        $sequence_11 = { 4883f8ff 0f851e010000 488d158de00100 488bcf 498bf6 }
            // n = 5, score = 100
            //   4883f8ff         | cmp rax, -1
            //   0f851e010000     | jne 0x124
            //   488d158de00100   | lea rdx, [rip + 0x1e08d]
            //   488bcf           | mov rcx, rdi
            //   498bf6           | mov rsi, r14

        $sequence_12 = { 4883792008 7205 498b09 eb03 }
            // n = 4, score = 100
            //   4883792008       | cmp qword ptr [rcx + 0x20], 8
            //   7205             | jb 7
            //   498b09           | mov rcx, qword ptr [r9]
            //   eb03             | jmp 5

        $sequence_13 = { 498bc7 4889842430010000 4c89bc2448010000 4c89bc2450010000 }
            // n = 4, score = 100
            //   498bc7           | mov rax, r15
            //   4889842430010000 | mov qword ptr [rsp + 0x130], rax
            //   4c89bc2448010000 | mov qword ptr [rsp + 0x148], r15
            //   4c89bc2450010000 | mov qword ptr [rsp + 0x150], r15

        $sequence_14 = { 48c78424a00000000f000000 4883a4249800000000 c684248800000000 80bc242801000000 743a }
            // n = 5, score = 100
            //   48c78424a00000000f000000 | mov qword ptr [rsp + 0xa0], 0xf
            //   4883a4249800000000       | and qword ptr [rsp + 0x98], 0
            //   c684248800000000         | mov byte ptr [rsp + 0x88], 0
            //   80bc242801000000         | cmp byte ptr [rsp + 0x128], 0
            //   743a                     | je 0x3c

        $sequence_15 = { 4c8da1f4010000 41383c24 7440 33d2 }
            // n = 4, score = 100
            //   4c8da1f4010000   | lea r12, [rcx + 0x1f4]
            //   41383c24         | cmp byte ptr [r12], dil
            //   7440             | je 0x42
            //   33d2             | xor edx, edx

    condition:
        // Any 7 of the 16 sequences must match. The 32-bit and 64-bit
        // sequences never co-occur in one binary, so in practice the 7 come
        // from one architecture's set. The filesize cap bounds scan cost;
        // presumably it was derived from the documented samples, so larger
        // builds would be missed — confirm before relying on it.
        7 of them and filesize < 626688
}