Actor(s): Aurora Panda, Hurricane Panda
There is no description at this point.
rule win_hikit_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.hikit." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 81ec18010000 a1???????? 33c5 894574 6810010000 8d8564ffffff } // n = 6, score = 100 // 81ec18010000 | sub esp, 0x118 // a1???????? | // 33c5 | xor eax, ebp // 894574 | mov dword ptr [ebp + 0x74], eax // 6810010000 | push 0x110 // 8d8564ffffff | lea eax, [ebp - 0x9c] $sequence_1 = { 8b442450 898850100000 48 8b4c2450 48 83c150 45 } // n = 7, score = 100 // 8b442450 | mov eax, dword ptr [esp + 0x50] // 898850100000 | mov dword ptr [eax + 0x1050], ecx // 48 | dec eax // 8b4c2450 | mov ecx, dword ptr [esp + 0x50] // 48 | dec eax // 83c150 | add ecx, 0x50 // 45 | inc ebp $sequence_2 = { 33c0 c705????????01000000 8b8c24c0020000 64890d00000000 59 5f 5e } // n = 7, score = 100 // 33c0 | xor eax, eax // c705????????01000000 | // 8b8c24c0020000 | mov ecx, dword ptr [esp + 0x2c0] // 64890d00000000 | mov dword ptr fs:[0], ecx // 59 | pop ecx // 5f | pop edi // 5e | pop esi $sequence_3 = { bf40700100 8bcf c786e00000000b000140 8986bc000000 8986c0000000 ff15???????? a2???????? } // n = 7, score = 100 // bf40700100 | mov edi, 0x17040 // 8bcf | mov ecx, edi // c786e00000000b000140 | mov dword ptr [esi + 0xe0], 0x4001000b // 8986bc000000 | mov dword ptr [esi + 0xbc], eax // 8986c0000000 | mov dword ptr [esi + 0xc0], eax // ff15???????? | // a2???????? | $sequence_4 = { 8908 8b45fc 8b4df4 894808 8b45fc 88581c 8b45fc } // n = 7, score = 100 // 8908 | mov dword ptr [eax], ecx // 8b45fc | mov eax, dword ptr [ebp - 4] // 8b4df4 | mov ecx, dword ptr [ebp - 0xc] // 894808 | mov dword ptr [eax + 8], ecx // 8b45fc | mov eax, dword ptr [ebp - 4] // 88581c | mov byte ptr [eax + 0x1c], bl // 8b45fc | mov eax, dword ptr [ebp - 4] $sequence_5 = { e8???????? 83c404 c745e400000000 c745f000000000 c745fcffffffff e9???????? c745d400000000 } // n = 7, score = 100 // e8???????? | // 83c404 | add esp, 4 // c745e400000000 | mov dword ptr [ebp - 0x1c], 0 // c745f000000000 | mov dword ptr [ebp - 0x10], 0 // c745fcffffffff | mov dword ptr [ebp - 4], 0xffffffff // e9???????? | // c745d400000000 | mov dword ptr [ebp - 0x2c], 0 $sequence_6 = { 48 639084000000 48 8b4c2458 48 8b442450 } // n = 6, score = 100 // 48 | dec eax // 639084000000 | arpl word ptr [eax + 0x84], dx // 48 | dec eax // 8b4c2458 | mov ecx, dword ptr [esp + 0x58] // 48 | dec eax // 8b442450 | mov eax, dword ptr [esp + 0x50] $sequence_7 = { 6800200000 50 e8???????? 83c420 03f0 f644244010 7422 } // n = 7, score = 100 // 6800200000 | push 0x2000 // 50 | push eax // e8???????? | // 83c420 | add esp, 0x20 // 03f0 | add esi, eax // f644244010 | test byte ptr [esp + 0x40], 0x10 // 7422 | je 0x24 $sequence_8 = { 7429 8b55fc 8b02 3b4508 7511 8b4dfc 0fb69194000000 } // n = 7, score = 100 // 7429 | je 0x2b // 8b55fc | mov edx, dword ptr [ebp - 4] // 8b02 | mov eax, dword ptr [edx] // 3b4508 | cmp eax, dword ptr [ebp + 8] // 7511 | jne 0x13 // 8b4dfc | mov ecx, dword ptr [ebp - 4] // 0fb69194000000 | movzx edx, byte ptr [ecx + 0x94] $sequence_9 = { 66894c4420 8944240c b909000000 ba???????? 8d742420 } // n = 5, score = 100 // 66894c4420 | mov word ptr [esp + eax*2 + 0x20], cx // 8944240c | mov dword ptr [esp + 0xc], eax // b909000000 | mov ecx, 9 // ba???????? | // 8d742420 | lea esi, [esp + 0x20] condition: 7 of them and filesize < 573440 }
rule win_hikit_w0 { meta: author = "31ric" description = "Backdoor.Hikit is a Trojan horse that opens a back door on the compromised computer." source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/hiddenlynxfiles.yar" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit" malpedia_version = "20170517" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $f1 = "w7fw.sys" nocase ascii wide $f2 = "w7fw_m.inf" nocase ascii wide $f3 = "w7fw.inf" nocase ascii wide $f4 = "w7fw.cat" nocase ascii wide condition: 1 of them }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY
