Actor(s): TA505
There is no description at this point.
// Autogenerated yara-signator rule for win.get2 (listed on the page under actor TA505).
// Every string is a run of instruction bytes; call/jump targets are wildcarded
// (e8????????, ff15????????, e9????????), as selected by the "callsandjumps"
// signator_config below. The "// n = X, score = Y" comments are generator output.
rule win_get2_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.get2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.get2"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // $sequence_0 .. $sequence_7 (score = 1000): annotated as 32-bit x86; the
        // mnemonic beside each byte group matches that byte group.
        $sequence_0 = { 897de8 33c0 895dd4 668945d8 51 }
            // n = 5, score = 1000
            //   897de8               | mov                 dword ptr [ebp - 0x18], edi
            //   33c0                 | xor                 eax, eax
            //   895dd4               | mov                 dword ptr [ebp - 0x2c], ebx
            //   668945d8             | mov                 word ptr [ebp - 0x28], ax
            //   51                   | push                ecx

        $sequence_1 = { 50 8bce e8???????? 6a00 6a01 8d4dc0 }
            // n = 6, score = 1000
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]

        $sequence_2 = { 897dd4 893e 897e04 897e08 }
            // n = 4, score = 1000
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi
            //   893e                 | mov                 dword ptr [esi], edi
            //   897e04               | mov                 dword ptr [esi + 4], edi
            //   897e08               | mov                 dword ptr [esi + 8], edi

        $sequence_3 = { 8bec 8b9188000000 32c0 85d2 744e 8b898c000000 85c9 }
            // n = 7, score = 1000
            //   8bec                 | mov                 ebp, esp
            //   8b9188000000         | mov                 edx, dword ptr [ecx + 0x88]
            //   32c0                 | xor                 al, al
            //   85d2                 | test                edx, edx
            //   744e                 | je                  0x50
            //   8b898c000000         | mov                 ecx, dword ptr [ecx + 0x8c]
            //   85c9                 | test                ecx, ecx

        $sequence_4 = { ff7510 8d4dc0 ff750c e8???????? 83c420 83781410 }
            // n = 6, score = 1000
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8d4dc0               | lea                 ecx, [ebp - 0x40]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |
            //   83c420               | add                 esp, 0x20
            //   83781410             | cmp                 dword ptr [eax + 0x14], 0x10

        $sequence_5 = { 83e017 89410c 8b4910 23c8 0f849e000000 807d0c00 0f859a000000 }
            // n = 7, score = 1000
            //   83e017               | and                 eax, 0x17
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   8b4910               | mov                 ecx, dword ptr [ecx + 0x10]
            //   23c8                 | and                 ecx, eax
            //   0f849e000000         | je                  0xa4
            //   807d0c00             | cmp                 byte ptr [ebp + 0xc], 0
            //   0f859a000000         | jne                 0xa0

        $sequence_6 = { 8b01 8b4004 f644080c06 74d5 8d4d84 e8???????? 8d4584 }
            // n = 7, score = 1000
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   f644080c06           | test                byte ptr [eax + ecx + 0xc], 6
            //   74d5                 | je                  0xffffffd7
            //   8d4d84               | lea                 ecx, [ebp - 0x7c]
            //   e8????????           |
            //   8d4584               | lea                 eax, [ebp - 0x7c]

        $sequence_7 = { 8bce 50 e8???????? ff7508 8d55d8 }
            // n = 5, score = 1000
            //   8bce                 | mov                 ecx, esi
            //   50                   | push                eax
            //   e8????????           |
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d55d8               | lea                 edx, [ebp - 0x28]

        // NOTE(review): $sequence_8 .. $sequence_15 (score = 100) consist of bytes with
        // 0x41-0x4d REX prefixes, but the mnemonics annotated beside them do not
        // describe those bytes (e.g. 33d2 is labelled "dec eax" and 488bcb is
        // labelled "xor edx, edx" in $sequence_8; the labels in $sequence_9 read like
        // $sequence_8's bytes). Presumably a 32-bit decode of 64-bit code whose
        // output drifted across sequences -- confirm against the generator. The
        // annotations are comments only and do not affect matching; when triaging
        // a hit, trust the byte pattern, not the mnemonic next to it.
        $sequence_8 = { 33d2 4889442430 4d8d0c2e 44896c2428 41b800001000 488bcb }
            // n = 6, score = 100
            //   33d2                 | dec                 eax
            //   4889442430           | add                 ecx, 8
            //   4d8d0c2e             | test                al, al
            //   44896c2428           | jne                 0xd
            //   41b800001000         | mov                 dword ptr [ebx], 1
            //   488bcb               | xor                 edx, edx

        $sequence_9 = { 4d8b44c908 4d2b04d1 4a8b4cf008 4803c9 49d1f8 498b14c9 }
            // n = 6, score = 100
            //   4d8b44c908           | inc                 ecx
            //   4d2b04d1             | mov                 eax, 0x100000
            //   4a8b4cf008           | dec                 eax
            //   4803c9               | mov                 ecx, ebx
            //   49d1f8               | dec                 eax
            //   498b14c9             | mov                 dword ptr [ebp - 0x10], eax

        $sequence_10 = { 488d05b90b0200 483bc8 7405 e8???????? c70301000000 }
            // n = 5, score = 100
            //   488d05b90b0200       | sar                 edi, 6
            //   483bc8               | dec                 ebp
            //   7405                 | mov                 eax, dword ptr [ecx + ecx*8 + 8]
            //   e8????????           |
            //   c70301000000         | dec                 ebp

        $sequence_11 = { 4889742448 488bd0 4c896c2420 488bcb ff15???????? 85c0 }
            // n = 6, score = 100
            //   4889742448           | dec                 eax
            //   488bd0               | arpl                dx, si
            //   4c896c2420           | dec                 eax
            //   488bcb               | lea                 eax, [0x2673e]
            //   ff15????????         |
            //   85c0                 | dec                 esp

        $sequence_12 = { 4883c108 e8???????? 84c0 750b c70301000000 e9???????? }
            // n = 6, score = 100
            //   4883c108             | dec                 eax
            //   e8????????           |
            //   84c0                 | add                 eax, eax
            //   750b                 | dec                 eax
            //   c70301000000         | lea                 ecx, [0x1055a]
            //   e9????????           |

        $sequence_13 = { 488945f0 4863f2 488d053e670200 4c8bfe 458be1 49c1ff06 }
            // n = 6, score = 100
            //   488945f0             | dec                 eax
            //   4863f2               | mov                 dword ptr [esp + 0x30], eax
            //   488d053e670200       | dec                 ebp
            //   4c8bfe               | lea                 ecx, [esi + ebp]
            //   458be1               | inc                 esp
            //   49c1ff06             | mov                 dword ptr [esp + 0x28], ebp

        $sequence_14 = { 7430 33d2 48c7411807000000 48895110 }
            // n = 4, score = 100
            //   7430                 | mov                 edi, esi
            //   33d2                 | inc                 ebp
            //   48c7411807000000     | mov                 esp, ecx
            //   48895110             | dec                 ecx

        $sequence_15 = { 4898 483de4000000 730f 4803c0 488d0d5a050100 }
            // n = 5, score = 100
            //   4898                 | dec                 eax
            //   483de4000000         | cwde
            //   730f                 | dec                 eax
            //   4803c0               | cmp                 eax, 0xe4
            //   488d0d5a050100       | jae                 0x11

    condition:
        // Any 7 of the 16 sequences must be present, so a file carrying only the
        // eight score-1000 sequences or only the eight score-100 sequences can
        // still match. The size cap (720896 bytes = 0xB0000) is a hard gate: a
        // sample larger than that never matches even if every sequence is present,
        // which matters for memory dumps and padded or appended files.
        7 of them and filesize < 720896
}