Actor(s): Kimsuky
There is no description at this point.
rule win_grease_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.grease." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grease" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 52 50 683f000f00 50 50 50 } // n = 6, score = 400 // 52 | push edx // 50 | push eax // 683f000f00 | push 0xf003f // 50 | push eax // 50 | push eax // 50 | push eax $sequence_1 = { 488b4c2460 ff15???????? b801000000 488b8c2480020000 4833cc } // n = 5, score = 300 // 488b4c2460 | dec eax // ff15???????? | // b801000000 | mov dword ptr [esp + 0x20], eax // 488b8c2480020000 | test eax, eax // 4833cc | jne 0x39 $sequence_2 = { 85c0 7534 488b4c2450 488d442458 41b904000000 4533c0 488bd3 } // n = 7, score = 300 // 85c0 | test eax, eax // 7534 | jne 0x36 // 488b4c2450 | dec eax // 488d442458 | mov ecx, dword ptr [esp + 0x50] // 41b904000000 | dec eax // 4533c0 | lea eax, [esp + 0x58] // 488bd3 | inc ecx $sequence_3 = { ff15???????? 85c0 0f85e7000000 488b4c2460 } // n = 4, score = 300 // ff15???????? | // 85c0 | inc ebp // 0f85e7000000 | xor eax, eax // 488b4c2460 | mov dword ptr [esp + 0x28], 0xf003f $sequence_4 = { 488b4c2460 48897c2440 488d442450 4889442438 48897c2430 } // n = 5, score = 300 // 488b4c2460 | dec eax // 48897c2440 | mov ecx, dword ptr [esp + 0x280] // 488d442450 | mov dword ptr [esp + 0x20], ebx // 4889442438 | test eax, eax // 48897c2430 | jne 0xef $sequence_5 = { 4533c9 4533c0 4889442420 ff15???????? 85c0 7537 } // n = 6, score = 300 // 4533c9 | mov ecx, 4 // 4533c0 | inc ebp // 4889442420 | xor eax, eax // ff15???????? | // 85c0 | dec eax // 7537 | mov edx, ebx $sequence_6 = { 48897c2440 4889442438 48897c2430 4533c0 c74424283f000f00 897c2420 } // n = 6, score = 300 // 48897c2440 | xor ecx, esp // 4889442438 | jne 0x36 // 48897c2430 | dec eax // 4533c0 | mov ecx, dword ptr [esp + 0x50] // c74424283f000f00 | dec eax // 897c2420 | lea eax, [esp + 0x58] $sequence_7 = { 488bd3 c744242804000000 4889442420 ff15???????? 488b4c2450 ff15???????? } // n = 6, score = 300 // 488bd3 | inc ebp // c744242804000000 | xor ecx, ecx // 4889442420 | inc ebp // ff15???????? | // 488b4c2450 | xor eax, eax // ff15???????? | $sequence_8 = { 4881ec90020000 488b05???????? 4833c4 4889842480020000 488d4c2472 } // n = 5, score = 300 // 4881ec90020000 | dec eax // 488b05???????? | // 4833c4 | lea eax, [esp + 0x58] // 4889842480020000 | inc ecx // 488d4c2472 | mov ecx, 4 $sequence_9 = { 53 ffd5 8d442424 8d5001 8a08 83c001 3acb } // n = 7, score = 200 // 53 | dec eax // ffd5 | mov dword ptr [esp + 0x38], eax // 8d442424 | dec eax // 8d5001 | mov dword ptr [esp + 0x30], edi // 8a08 | inc ebp // 83c001 | xor eax, eax // 3acb | mov dword ptr [esp + 0x28], 0xf003f $sequence_10 = { 56 ff15???????? 8d542424 68???????? 52 } // n = 5, score = 200 // 56 | dec eax // ff15???????? | // 8d542424 | add esp, 0x290 // 68???????? | // 52 | inc ebp $sequence_11 = { c68434180300005e eb26 c68434180300002f eb1c c68434180300003f eb12 c68434180300002e } // n = 7, score = 200 // c68434180300005e | mov byte ptr [esp + esi + 0x318], 0x5e // eb26 | jmp 0x28 // c68434180300002f | mov byte ptr [esp + esi + 0x318], 0x2f // eb1c | jmp 0x1e // c68434180300003f | mov byte ptr [esp + esi + 0x318], 0x3f // eb12 | jmp 0x14 // c68434180300002e | mov byte ptr [esp + esi + 0x318], 0x2e $sequence_12 = { 56 ff15???????? 8d442424 68???????? 50 e8???????? } // n = 6, score = 200 // 56 | mov dword ptr [esp + 0x20], edi // ff15???????? | // 8d442424 | test eax, eax // 68???????? | // 50 | test eax, eax // e8???????? | $sequence_13 = { bb01000000 83feff 0f84f2020000 8b2d???????? } // n = 4, score = 200 // bb01000000 | mov ebx, 1 // 83feff | cmp esi, -1 // 0f84f2020000 | je 0x2f8 // 8b2d???????? | $sequence_14 = { eb67 c644342025 eb60 c64434202a eb59 } // n = 5, score = 200 // eb67 | jmp 0x69 // c644342025 | mov byte ptr [esp + esi + 0x20], 0x25 // eb60 | jmp 0x62 // c64434202a | mov byte ptr [esp + esi + 0x20], 0x2a // eb59 | jmp 0x5b $sequence_15 = { 8d8c2445050000 53 51 889c244c050000 e8???????? 83c418 } // n = 6, score = 200 // 8d8c2445050000 | jne 0x36 // 53 | dec eax // 51 | mov ecx, dword ptr [esp + 0x50] // 889c244c050000 | dec eax // e8???????? | // 83c418 | lea eax, [esp + 0x58] $sequence_16 = { 0f8386000000 8bc7 8bf7 c1f805 83e61f 8d1c8560e44000 c1e603 } // n = 7, score = 200 // 0f8386000000 | jae 0x8c // 8bc7 | mov eax, edi // 8bf7 | mov esi, edi // c1f805 | sar eax, 5 // 83e61f | and esi, 0x1f // 8d1c8560e44000 | lea ebx, [eax*4 + 0x40e460] // c1e603 | shl esi, 3 $sequence_17 = { 52 ff15???????? 8b44240c 50 ffd6 } // n = 5, score = 200 // 52 | xor eax, eax // ff15???????? | // 8b44240c | dec eax // 50 | mov ecx, 0x80000002 // ffd6 | mov dword ptr [esp + 0x28], 0x2001f $sequence_18 = { 8d8c2434010000 51 56 66899c2440010000 66899c2446010000 66c784244a0100000700 } // n = 6, score = 200 // 8d8c2434010000 | mov edx, ebx // 51 | mov dword ptr [esp + 0x28], 4 // 56 | dec eax // 66899c2440010000 | mov dword ptr [esp + 0x20], eax // 66899c2446010000 | dec eax // 66c784244a0100000700 | mov ecx, dword ptr [esp + 0x50] $sequence_19 = { 8a904c5e4000 ff2495785d4000 c64434206d e9???????? c644342071 e9???????? } // n = 6, score = 200 // 8a904c5e4000 | mov dl, byte ptr [eax + 0x405e4c] // ff2495785d4000 | jmp dword ptr [edx*4 + 0x405d78] // c64434206d | mov byte ptr [esp + esi + 0x20], 0x6d // e9???????? | // c644342071 | mov byte ptr [esp + esi + 0x20], 0x71 // e9???????? | $sequence_20 = { c68434340a000067 e9???????? c68434340a000061 e9???????? c68434340a00007a e9???????? } // n = 6, score = 200 // c68434340a000067 | mov byte ptr [esp + esi + 0xa34], 0x67 // e9???????? | // c68434340a000061 | mov byte ptr [esp + esi + 0xa34], 0x61 // e9???????? | // c68434340a00007a | mov byte ptr [esp + esi + 0xa34], 0x7a // e9???????? | $sequence_21 = { 6689842432010000 6689842438010000 b904000000 8d442420 50 } // n = 5, score = 200 // 6689842432010000 | mov eax, 1 // 6689842438010000 | dec eax // b904000000 | mov ecx, dword ptr [esp + 0x280] // 8d442420 | dec eax // 50 | xor ecx, esp $sequence_22 = { e9???????? c6440c0870 e9???????? c6440c0873 e9???????? c6440c0874 } // n = 6, score = 200 // e9???????? | // c6440c0870 | mov byte ptr [esp + ecx + 8], 0x70 // e9???????? | // c6440c0873 | mov byte ptr [esp + ecx + 8], 0x73 // e9???????? | // c6440c0874 | mov byte ptr [esp + ecx + 8], 0x74 condition: 7 of them and filesize < 278528 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY