There is no description at this point.
rule win_himera_loader_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.himera_loader." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.himera_loader" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a44 6a00 8d858482ffff 50 e8???????? 83c40c 33c9 } // n = 7, score = 200 // 6a44 | push 0x44 // 6a00 | push 0 // 8d858482ffff | lea eax, [ebp - 0x7d7c] // 50 | push eax // e8???????? | // 83c40c | add esp, 0xc // 33c9 | xor ecx, ecx $sequence_1 = { c645eb42 c645ec2e 64a12c000000 8b08 8b15???????? 3b9104000000 } // n = 6, score = 200 // c645eb42 | mov byte ptr [ebp - 0x15], 0x42 // c645ec2e | mov byte ptr [ebp - 0x14], 0x2e // 64a12c000000 | mov eax, dword ptr fs:[0x2c] // 8b08 | mov ecx, dword ptr [eax] // 8b15???????? | // 3b9104000000 | cmp edx, dword ptr [ecx + 4] $sequence_2 = { c645e841 c645e940 c645ea00 c645eb4b c645ec56 } // n = 5, score = 200 // c645e841 | mov byte ptr [ebp - 0x18], 0x41 // c645e940 | mov byte ptr [ebp - 0x17], 0x40 // c645ea00 | mov byte ptr [ebp - 0x16], 0 // c645eb4b | mov byte ptr [ebp - 0x15], 0x4b // c645ec56 | mov byte ptr [ebp - 0x14], 0x56 $sequence_3 = { 8b4df0 8b048500a14200 807c012800 7d5d 8d45d8 50 } // n = 6, score = 200 // 8b4df0 | mov ecx, dword ptr [ebp - 0x10] // 8b048500a14200 | mov eax, dword ptr [eax*4 + 0x42a100] // 807c012800 | cmp byte ptr [ecx + eax + 0x28], 0 // 7d5d | jge 0x5f // 8d45d8 | lea eax, [ebp - 0x28] // 50 | push eax $sequence_4 = { 3d75e7111a 750e 8b45e8 50 } // n = 4, score = 200 // 3d75e7111a | cmp eax, 0x1a11e775 // 750e | jne 0x10 // 8b45e8 | mov eax, dword ptr [ebp - 0x18] // 50 | push eax $sequence_5 = { 8b048d00a14200 33c9 41 897df0 894de0 8a543828 } // n = 6, score = 200 // 8b048d00a14200 | mov eax, dword ptr [ecx*4 + 0x42a100] // 33c9 | xor ecx, ecx // 41 | inc ecx // 897df0 | mov dword ptr [ebp - 0x10], edi // 894de0 | mov dword ptr [ebp - 0x20], ecx // 8a543828 | mov dl, byte ptr [eax + edi + 0x28] $sequence_6 = { c745e4503f4200 eb10 c745e4583f4200 eb07 c745e4443f4200 8b4508 8bcf } // n = 7, score = 200 // c745e4503f4200 | mov dword ptr [ebp - 0x1c], 0x423f50 // eb10 | jmp 0x12 // c745e4583f4200 | mov dword ptr [ebp - 0x1c], 0x423f58 // eb07 | jmp 9 // c745e4443f4200 | mov dword ptr [ebp - 0x1c], 0x423f44 // 8b4508 | mov eax, dword ptr [ebp + 8] // 8bcf | mov ecx, edi $sequence_7 = { c1e200 8b4508 0fb70c10 51 e8???????? 83c408 8b55fc } // n = 7, score = 200 // c1e200 | shl edx, 0 // 8b4508 | mov eax, dword ptr [ebp + 8] // 0fb70c10 | movzx ecx, word ptr [eax + edx] // 51 | push ecx // e8???????? | // 83c408 | add esp, 8 // 8b55fc | mov edx, dword ptr [ebp - 4] $sequence_8 = { e8???????? 83c410 ebb2 8b953482ffff 52 } // n = 5, score = 200 // e8???????? | // 83c410 | add esp, 0x10 // ebb2 | jmp 0xffffffb4 // 8b953482ffff | mov edx, dword ptr [ebp - 0x7dcc] // 52 | push edx $sequence_9 = { 8d8d6c82ffff e8???????? 8bc8 e8???????? } // n = 4, score = 200 // 8d8d6c82ffff | lea ecx, [ebp - 0x7d94] // e8???????? | // 8bc8 | mov ecx, eax // e8???????? | condition: 7 of them and filesize < 385024 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY