There is no description at this point.
rule win_gsecdump_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.gsecdump." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8be9 2bef 7510 8bce e8???????? 5f 5d } // n = 7, score = 100 // 8be9 | mov ebp, ecx // 2bef | sub ebp, edi // 7510 | jne 0x12 // 8bce | mov ecx, esi // e8???????? | // 5f | pop edi // 5d | pop ebp $sequence_1 = { 7205 e8???????? 8b4704 8b3cf0 53 be0f000000 68???????? } // n = 7, score = 100 // 7205 | jb 7 // e8???????? | // 8b4704 | mov eax, dword ptr [edi + 4] // 8b3cf0 | mov edi, dword ptr [eax + esi*8] // 53 | push ebx // be0f000000 | mov esi, 0xf // 68???????? | $sequence_2 = { 8bc7 75ee 5f 8b4c2410 8b542414 8b4604 8b00 } // n = 7, score = 100 // 8bc7 | mov eax, edi // 75ee | jne 0xfffffff0 // 5f | pop edi // 8b4c2410 | mov ecx, dword ptr [esp + 0x10] // 8b542414 | mov edx, dword ptr [esp + 0x14] // 8b4604 | mov eax, dword ptr [esi + 4] // 8b00 | mov eax, dword ptr [eax] $sequence_3 = { 33c4 898424a8000000 56 57 ff15???????? 8bf8 } // n = 6, score = 100 // 33c4 | xor eax, esp // 898424a8000000 | mov dword ptr [esp + 0xa8], eax // 56 | push esi // 57 | push edi // ff15???????? | // 8bf8 | mov edi, eax $sequence_4 = { 85d2 8bea 7426 83f910 8bc2 7307 } // n = 6, score = 100 // 85d2 | test edx, edx // 8bea | mov ebp, edx // 7426 | je 0x28 // 83f910 | cmp ecx, 0x10 // 8bc2 | mov eax, edx // 7307 | jae 9 $sequence_5 = { 56 8d4c2418 e8???????? 8b54246c 8d4c2414 51 52 } // n = 7, score = 100 // 56 | push esi // 8d4c2418 | lea ecx, [esp + 0x18] // e8???????? | // 8b54246c | mov edx, dword ptr [esp + 0x6c] // 8d4c2414 | lea ecx, [esp + 0x14] // 51 | push ecx // 52 | push edx $sequence_6 = { 660dffff c3 ff742408 8b01 6aff ff74240c } // n = 6, score = 100 // 660dffff | or ax, 0xffff // c3 | ret // ff742408 | push dword ptr [esp + 8] // 8b01 | mov eax, dword ptr [ecx] // 6aff | push -1 // ff74240c | push dword ptr [esp + 0xc] $sequence_7 = { 3bf0 7605 e8???????? 56 8d842488000000 50 8d44244c } // n = 7, score = 100 // 3bf0 | cmp esi, eax // 7605 | jbe 7 // e8???????? | // 56 | push esi // 8d842488000000 | lea eax, [esp + 0x88] // 50 | push eax // 8d44244c | lea eax, [esp + 0x4c] $sequence_8 = { e8???????? 8344241001 8b7c2420 33db e9???????? 83fe02 0f85a4000000 } // n = 7, score = 100 // e8???????? | // 8344241001 | add dword ptr [esp + 0x10], 1 // 8b7c2420 | mov edi, dword ptr [esp + 0x20] // 33db | xor ebx, ebx // e9???????? | // 83fe02 | cmp esi, 2 // 0f85a4000000 | jne 0xaa $sequence_9 = { 8b4c2424 394e04 751f 807f4000 0f8590fdffff 8b4c2414 } // n = 6, score = 100 // 8b4c2424 | mov ecx, dword ptr [esp + 0x24] // 394e04 | cmp dword ptr [esi + 4], ecx // 751f | jne 0x21 // 807f4000 | cmp byte ptr [edi + 0x40], 0 // 0f8590fdffff | jne 0xfffffd96 // 8b4c2414 | mov ecx, dword ptr [esp + 0x14] condition: 7 of them and filesize < 630784 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY