win.hazy_load

HazyLoad

Actor(s): Silent Chollima


There is no description at this point.

References
2023-12-11Cisco TalosAsheer Malhotra, Jungsoo An, Vitor Ventura
Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang
BottomLoader DLRAT HazyLoad NineRAT
2023-10-18MicrosoftMicrosoft Threat Intelligence
Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability
FeedLoad ForestTiger HazyLoad RollSling Silent Chollima
2023-02-23SymantecThreat Hunter Team
Clasiopa: New Group Targets Materials Research
Atharvan HazyLoad Lilith
Yara Rules
[TLP:WHITE] win_hazy_load_auto (20260504 | Detects win.hazy_load.)
rule win_hazy_load_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.hazy_load."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hazy_load"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (added on review, rule body unchanged)
     * - Detection logic: any 7 of the 10 $sequence_* opcode patterns must be
     *   present AND the scanned object must be smaller than 315392 bytes
     *   (308 KiB). Larger memory dumps or padded images are excluded by the
     *   filesize term even when the byte sequences are present.
     * - There is no PE-header check (no uint16(0) == 0x5a4d), so the rule also
     *   fires on memory dumps and unpacked buffers that carry these bytes; this
     *   is consistent with the disclaimer above, which says the strings were
     *   selected from memory dumps and unpacked files.
     * - The per-line "| mnemonic" annotations under each sequence are generator
     *   output and do NOT decode the hex bytes they sit next to (for example
     *   33c0 is `xor eax, eax`, 85c0 is `test eax, eax`, 488bd8 is
     *   `mov rbx, rax`; none of them is the `lea`/`sub`/`dec` shown). Treat the
     *   annotations as untrusted; the hex bytes alone define the match.
     * - Most sequences carry REX prefixes (48/4c/44/45/49/4a/4d), i.e. they are
     *   x86-64 code; the rule presumably targets 64-bit builds of the family.
     * - In $sequence_8, ff15???????? wildcards the 32-bit displacement of an
     *   indirect call through a memory operand (typically an import-table slot),
     *   which keeps that sequence independent of load address and image layout.
     */


    strings:
        $sequence_0 = { 33c0 f04d0fb1bcf130100200 488bd8 740e }
            // n = 4, score = 200
            //   33c0                 | lea                 eax, [ecx - 1]
            //   f04d0fb1bcf130100200     | mov    eax, dword ptr [edx + eax*4 + 0x19ef8]
            //   488bd8               | sub                 ecx, eax
            //   740e                 | je                  0x9f

        $sequence_1 = { 488945f0 488d1594c40000 b805000000 894520 894528 }
            // n = 5, score = 200
            //   488945f0             | js                  0x4e3
            //   488d1594c40000       | inc                 ecx
            //   b805000000           | mul                 esp
            //   894520               | mov                 eax, edx
            //   894528               | dec                 eax

        $sequence_2 = { f00fc103 83f801 7516 488d05b5330100 488b4c2430 483bc8 7405 }
            // n = 7, score = 200
            //   f00fc103             | test                al, al
            //   83f801               | je                  0x41e
            //   7516                 | dec                 eax
            //   488d05b5330100       | lea                 ecx, [0x1b4e4]
            //   488b4c2430           | dec                 eax
            //   483bc8               | lea                 eax, [0x1ffb8]
            //   7405                 | dec                 eax

        $sequence_3 = { 488b442448 4883f8ff 74c8 488bd3 4c8d05ceed0000 83e23f }
            // n = 6, score = 200
            //   488b442448           | xor                 ebp, ebp
            //   4883f8ff             | dec                 esp
            //   74c8                 | lea                 esi, [0x98aa]
            //   488bd3               | inc                 esp
            //   4c8d05ceed0000       | mov                 edx, ebp
            //   83e23f               | dec                 eax

        $sequence_4 = { 488d0d12c9ffff 4933f8 4a87bcf150100200 33c0 488b5c2450 488b6c2458 488b742460 }
            // n = 7, score = 200
            //   488d0d12c9ffff       | add                 ebp, eax
            //   4933f8               | and                 dword ptr [ebx], 0
            //   4a87bcf150100200     | dec                 ecx
            //   33c0                 | mov                 esi, eax
            //   488b5c2450           | inc                 ecx
            //   488b6c2458           | mov                 edi, ecx
            //   488b742460           | dec                 ecx

        $sequence_5 = { 8d41ff 8b8482f89e0100 85c0 0f8489000000 }
            // n = 4, score = 200
            //   8d41ff               | dec                 eax
            //   8b8482f89e0100       | lea                 eax, [0x1177e]
            //   85c0                 | dec                 eax
            //   0f8489000000         | cmp                 dword ptr [edi - 0x10], eax

        $sequence_6 = { 488d0d5beffeff 48c1e602 0fb784b9609e0100 488d9150950100 }
            // n = 4, score = 200
            //   488d0d5beffeff       | dec                 eax
            //   48c1e602             | cmovne              ecx, edi
            //   0fb784b9609e0100     | dec                 eax
            //   488d9150950100       | dec                 eax

        $sequence_7 = { 448bc7 4863c3 488d5504 442bc3 }
            // n = 4, score = 200
            //   448bc7               | mov                 ebp, eax
            //   4863c3               | inc                 ecx
            //   488d5504             | add                 eax, 0x61
            //   442bc3               | dec                 eax

        $sequence_8 = { 442bc3 4803d0 4533c9 488bce ff15???????? 85c0 0f8eacfeffff }
            // n = 7, score = 200
            //   442bc3               | js                  0x7d2
            //   4803d0               | jae                 0x7cc
            //   4533c9               | dec                 eax
            //   488bce               | mov                 ecx, edx
            //   ff15????????         |                     
            //   85c0                 | dec                 esp
            //   0f8eacfeffff         | lea                 eax, [0x1246d]

        $sequence_9 = { eb75 4c8bf3 488d3513be0100 488d2df4bd0100 }
            // n = 4, score = 200
            //   eb75                 | dec                 esp
            //   4c8bf3               | lea                 ecx, [0xc4e6]
            //   488d3513be0100       | push                edi
            //   488d2df4bd0100       | dec                 eax

    condition:
        // "them" = all 10 $sequence_* strings; 7 hits are required so that a
        // sample missing up to 3 sequences (compiler/layout drift) still matches.
        // The filesize bound (308 KiB) is taken from the reference sample set
        // and will exclude larger dumps; raise it deliberately if scanning those.
        7 of them and filesize < 315392
}