There is no description at this point.
There are currently no references.
rule win_hlux_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.hlux."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): every $sequence_N below is a run of raw x86 (32-bit) opcode
     * bytes; the per-line comments give the generator's disassembly of each
     * instruction. The trailing "n = ..." is the number of instructions in the
     * sequence; "score" is a ranking value emitted by yara-signator -- confirm
     * its exact meaning against the tool's documentation before weighting rules
     * by it. Because the strings were taken from memory dumps / unpacked files
     * (see DISCLAIMER), the rule is meant for unpacked code and will not
     * necessarily fire on a packed on-disk sample.
     *
     * Several sequences ($sequence_2, $sequence_8, $sequence_10, $sequence_12)
     * disassemble to instructions such as `add byte ptr [eax], al`,
     * `in al, 5` or `popfd`, which is what zero padding or embedded data
     * typically looks like when decoded as code. Those are the weakest anchors
     * in the set and the most plausible source of false positives on
     * unrelated binaries; $sequence_8 and $sequence_12 also share the bytes
     * `0000 008365f0fe8b`, so one region of a file can presumably satisfy
     * both, which slightly weakens the "7 of them" threshold. Treat a hit as
     * a lead to be confirmed, not a verdict.
     */
    strings:
        $sequence_0 = { 83f99c 7429 8955e8 895de8 8d91c966fec6 8975d8 }
            // n = 6, score = 100
            //   83f99c               | cmp                 ecx, -0x64
            //   7429                 | je                  0x2b
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   8d91c966fec6         | lea                 edx, [ecx - 0x39019937]
            //   8975d8               | mov                 dword ptr [ebp - 0x28], esi

        $sequence_1 = { 83f873 0f8580000000 83f8cb 757b ba11d8778b }
            // n = 5, score = 100
            //   83f873               | cmp                 eax, 0x73
            //   0f8580000000         | jne                 0x86
            //   83f8cb               | cmp                 eax, -0x35
            //   757b                 | jne                 0x7d
            //   ba11d8778b           | mov                 edx, 0x8b77d811

        $sequence_2 = { 0009 1b4e01 e405 9d }
            // n = 4, score = 100
            // NOTE(review): decodes to an implausible instruction mix (see note above); low-specificity anchor.
            //   0009                 | add                 byte ptr [ecx], cl
            //   1b4e01               | sbb                 ecx, dword ptr [esi + 1]
            //   e405                 | in                  al, 5
            //   9d                   | popfd

        $sequence_3 = { 8945d0 8b7d08 33c0 894dd4 8bf7 }
            // n = 5, score = 100
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   33c0                 | xor                 eax, eax
            //   894dd4               | mov                 dword ptr [ebp - 0x2c], ecx
            //   8bf7                 | mov                 esi, edi

        $sequence_4 = { 0f8476010000 8d0452 897da0 33f6 }
            // n = 4, score = 100
            //   0f8476010000         | je                  0x17c
            //   8d0452               | lea                 eax, [edx + edx*2]
            //   897da0               | mov                 dword ptr [ebp - 0x60], edi
            //   33f6                 | xor                 esi, esi

        $sequence_5 = { 8d08 83f946 7508 83f9ff 7403 }
            // n = 5, score = 100
            //   8d08                 | lea                 ecx, [eax]
            //   83f946               | cmp                 ecx, 0x46
            //   7508                 | jne                 0xa
            //   83f9ff               | cmp                 ecx, -1
            //   7403                 | je                  5

        $sequence_6 = { 56 33d2 33f6 8975cc 8955cc 57 bec97b4de2 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   33d2                 | xor                 edx, edx
            //   33f6                 | xor                 esi, esi
            //   8975cc               | mov                 dword ptr [ebp - 0x34], esi
            //   8955cc               | mov                 dword ptr [ebp - 0x34], edx
            //   57                   | push                edi
            //   bec97b4de2           | mov                 esi, 0xe24d7bc9

        $sequence_7 = { 898d1cffffff 899564ffffff 53 b81da2c0bb }
            // n = 4, score = 100
            //   898d1cffffff         | mov                 dword ptr [ebp - 0xe4], ecx
            //   899564ffffff         | mov                 dword ptr [ebp - 0x9c], edx
            //   53                   | push                ebx
            //   b81da2c0bb           | mov                 eax, 0xbbc0a21d

        $sequence_8 = { 010f 840f 0000 008365f0fe8b }
            // n = 4, score = 100
            // NOTE(review): overlaps $sequence_12 (shared tail bytes); weak anchor.
            //   010f                 | add                 dword ptr [edi], ecx
            //   840f                 | test                byte ptr [edi], cl
            //   0000                 | add                 byte ptr [eax], al
            //   008365f0fe8b         | add                 byte ptr [ebx - 0x74010f9b], al

        $sequence_9 = { 0101 c9 c3 6a10 }
            // n = 4, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   c9                   | leave
            //   c3                   | ret
            //   6a10                 | push                0x10

        $sequence_10 = { 0088aa4b0023 d18a0688078a 46 018847018a46 }
            // n = 4, score = 100
            // NOTE(review): large, unaligned displacements suggest data decoded as code; weak anchor.
            //   0088aa4b0023         | add                 byte ptr [eax + 0x23004baa], cl
            //   d18a0688078a         | ror                 dword ptr [edx - 0x75f877fa], 1
            //   46                   | inc                 esi
            //   018847018a46         | add                 dword ptr [eax + 0x468a0147], ecx

        $sequence_11 = { 895de8 85c9 7503 894df0 ff4de4 }
            // n = 5, score = 100
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   85c9                 | test                ecx, ecx
            //   7503                 | jne                 5
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   ff4de4               | dec                 dword ptr [ebp - 0x1c]

        $sequence_12 = { 0000 008365f0fe8b 4d 0883c108e918 }
            // n = 4, score = 100
            // NOTE(review): overlaps $sequence_8 (shared leading bytes); weak anchor.
            //   0000                 | add                 byte ptr [eax], al
            //   008365f0fe8b         | add                 byte ptr [ebx - 0x74010f9b], al
            //   4d                   | dec                 ebp
            //   0883c108e918         | or                  byte ptr [ebx + 0x18e908c1], al

        $sequence_13 = { 0104bb 8d1447 89542418 e9???????? }
            // n = 4, score = 100
            // The four '??' wildcard bytes after e9 presumably mask the jump's
            // relative target so the sequence stays position-independent
            // (consistent with the "callsandjumps" signator_config) -- verify.
            //   0104bb               | add                 dword ptr [ebx + edi*4], eax
            //   8d1447               | lea                 edx, [edi + eax*2]
            //   89542418             | mov                 dword ptr [esp + 0x18], edx
            //   e9????????           |

        $sequence_14 = { 0104b9 33c9 83c408 85c0 }
            // n = 4, score = 100
            //   0104b9               | add                 dword ptr [ecx + edi*4], eax
            //   33c9                 | xor                 ecx, ecx
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax

        $sequence_15 = { 0130 8b13 8b08 85d2 }
            // n = 4, score = 100
            //   0130                 | add                 dword ptr [eax], esi
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   85d2                 | test                edx, edx

    condition:
        // At least 7 of the 16 byte sequences must be present, and only inputs
        // smaller than 3147776 bytes (~3 MiB) are considered; larger files are
        // never matched by this rule, so a size-padded sample would evade it.
        7 of them and filesize < 3147776
}