According to Check Point Research, this is ransomware written in Rust that was likely developed with the aid of an LLM to produce code snippets.
rule win_funksec_auto {
    meta:
        // Rule provenance (yara-signator output, unchanged from the Malpedia entry).
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.funksec."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        // Malpedia bookkeeping for the family and the sample set this rule was derived from.
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funksec"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * How this rule was produced:
     *   - The byte sequences below were selected automatically by YARA-Signator
     *     from the disassembly of memory dumps and unpacked files
     *     (code and documentation: https://github.com/fxb-cocacoding/yara-signator).
     *   - Malpedia is the data source; for a number of families only a single
     *     sample is documented, which limits how well these sequences generalize.
     *   - Assign confidence to matches with that generation method in mind.
     *
     * Reading the annotations:
     *   The "| mnemonic" text beside each opcode is the generator's listing and
     *   does not line up with the bytes it is printed next to (e.g. `eb32` is a
     *   short jmp, not `dec eax`; the 0x41/0x48/0x4c/0x4d bytes are REX prefixes
     *   of 64-bit code). Treat the hex bytes as authoritative and the mnemonics
     *   as a loose hint only. `??` wildcards mask relocatable call/rip-relative
     *   operands so the sequence survives relinking.
     */
    strings:
        $sequence_0 = { eb32 410fb6411c 450fb64101 410fb65102 410f104103 0f2985c0050000 450fb6511b }
            // n = 7, score = 100
            //   eb32                 | dec eax
            //   410fb6411c           | mov ecx, dword ptr [ebp + 0xa8]
            //   450fb64101           | cmp dword ptr [ebp + 0x3c8], 3
            //   410fb65102           | je 0x3cf
            //   410f104103           | mov byte ptr [ebp + 0x3ef], 0
            //   0f2985c0050000       | jmp 0x3f4
            //   450fb6511b           | dec eax

        $sequence_1 = { eb3f c6858f00000000 c6858e00000000 4c8d05cf7a2300 4c89f1 e8???????? eb20 }
            // n = 7, score = 100
            //   eb3f                 | mov dword ptr [esp + 0x44], eax
            //   c6858f00000000       | dec ecx
            //   c6858e00000000       | add ebp, 0x14
            //   4c8d05cf7a2300       | jmp 0x1ba
            //   4c89f1               | mov ecx, 8
            //   e8????????           |
            //   eb20                 | mov edx, 0x10d8

        $sequence_2 = { e9???????? 48c1e808 488b7de8 4939f6 0f8288feffff 4c8d054bf31000 4c89f1 }
            // n = 7, score = 100
            //   e9????????           |
            //   48c1e808             | lea eax, [0x13f5f]
            //   488b7de8             | dec eax
            //   4939f6               | mov dword ptr [esp + 0x90], eax
            //   0f8288feffff         | dec eax
            //   4c8d054bf31000       | lea eax, [0x2021e8]
            //   4c89f1               | dec eax

        $sequence_3 = { f3410f6f4c0d10 660fefd2 660ff8d0 660fdad0 660fefc0 660ff8c1 660fdac1 }
            // n = 7, score = 100
            //   f3410f6f4c0d10       | movdqu xmmword ptr [eax + 0x210], xmm1
            //   660fefd2             | movdqu xmmword ptr [eax + 0x200], xmm0
            //   660ff8d0             | movdqu xmmword ptr [eax + 0x2f0], xmm7
            //   660fdad0             | movdqu xmmword ptr [eax + 0x2e0], xmm6
            //   660fefc0             | movdqu xmmword ptr [eax + 0x2d0], xmm5
            //   660ff8c1             | movdqu xmmword ptr [eax + 0x330], xmm3
            //   660fdac1             | movdqu xmmword ptr [eax + 0x320], xmm2

        $sequence_4 = { f04c0fb137 0f8428020000 4183fd06 b806000000 410f42c5 b901000000 4585ed }
            // n = 7, score = 100
            //   f04c0fb137           | mov ecx, 1
            //   0f8428020000         | inc ebp
            //   4183fd06             | test edi, edi
            //   b806000000           |
            //   410f42c5             | mov eax, 6
            //   b901000000           | inc ecx
            //   4585ed               | cmovb eax, ebp

        $sequence_5 = { e8???????? 4889c3 4885c0 7453 0f1005???????? 0f1103 c6431072 }
            // n = 7, score = 100
            //   e8????????           |
            //   4889c3               | mov ecx, eax
            //   4885c0               | dec eax
            //   7453                 | or ecx, edx
            //   0f1005????????       |
            //   0f1103               | jne 0x42b
            //   c6431072             | cmp dword ptr [ebx + 0x100], 4

        $sequence_6 = { f3420f6f0433 66440fd7d0 4983c310 4585d2 74e6 f3450fbcd2 4d01f2 }
            // n = 7, score = 100
            //   f3420f6f0433         | dec esp
            //   66440fd7d0           | mov eax, edi
            //   4983c310             | dec esp
            //   4585d2               | sub eax, edx
            //   74e6                 | dec eax
            //   f3450fbcd2           | mov edi, esi
            //   4d01f2               | dec esp

        $sequence_7 = { eb4d 4983c403 c1e10c 09ca 4189d5 4181fd00010000 7338 }
            // n = 7, score = 100
            //   eb4d                 | test edx, edx
            //   4983c403             | je 0xb8
            //   c1e10c               | dec eax
            //   09ca                 | mov ecx, dword ptr [esi + 0x30]
            //   4189d5               | dec eax
            //   4181fd00010000       | shl edx, 5
            //   7338                 | inc ecx

        $sequence_8 = { e8???????? c7451000000000 488b5dd0 4c8b65d8 41bd04000000 4c8d7510 488b75e0 }
            // n = 7, score = 100
            //   e8????????           |
            //   c7451000000000       | pop ebx
            //   488b5dd0             | pop edi
            //   4c8b65d8             | pop esi
            //   41bd04000000         | inc ecx
            //   4c8d7510             | pop esp
            //   488b75e0             | mov byte ptr [ebp + 0x15f], 0

        $sequence_9 = { ff5018 488b45f0 488b8010020000 4885c0 7416 f048ff08 7510 }
            // n = 7, score = 100
            //   ff5018               | dec eax
            //   488b45f0             | mov ecx, dword ptr [ecx + 0x90]
            //   488b8010020000       | xor edx, edx
            //   4885c0               | dec eax
            //   7416                 | test eax, eax
            //   f048ff08             | dec ebp
            //   7510                 | test esp, esp

    condition:
        // Ten sequences are defined; requiring 7 of them tolerates a few being
        // missing (e.g. compiler or version drift) while keeping the match
        // specific. The size cap bounds scan cost and excludes files far larger
        // than the documented sample(s).
        7 of them and filesize < 10986496
}