win.httpbrowser

HttpBrowser

aka: HttpDump

Actor(s): Wekby, EMISSARY PANDA


There is no description at this point.

References
2020-01-01 — Secureworks — SecureWorks
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27
2018-05-18 — NCC Group — Nikolaos Pantazopoulos, Thomas Henry
Emissary Panda – A potential new malicious tool
HttpBrowser
2017-05-31 — MITRE — MITRE
APT18
Ghost RAT HttpBrowser APT18
2016-10-17 — ThreatConnect — ThreatConnect
A Tale of Two Targets
HttpBrowser APT27
2015-02-27 — ThreatConnect — ThreatConnect Research Team
The Anthem Hack: All Roads Lead to China
HttpBrowser
2015-02-06 — CrowdStrike — CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser MedusaHTTP Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor
Yara Rules
[TLP:WHITE] win_httpbrowser_auto (20260504 | Detects win.httpbrowser.)
// YARA rule for the HttpBrowser (aka HttpDump) backdoor family, published on
// Malpedia under TLP:WHITE / CC BY-SA 4.0 (see meta). It is auto-generated by
// yara-signator: every string is a run of x86 (32-bit) opcode bytes lifted from
// disassembly, not a hand-picked artifact such as a C2 string or mutex, so a
// hit identifies code that is byte-similar to the documented sample(s) rather
// than the family's behaviour. Per the disclaimer below, only single samples may
// be covered, so expect limited generalisation to other builds.
rule win_httpbrowser_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.httpbrowser."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a hex pattern of consecutive 32-bit x86 instruction
     * bytes; the disassembly quoted under it is documentation only. "??" bytes
     * are wildcards: the listing leaves that instruction's mnemonic blank, so
     * the operand (presumably an absolute address or call target that differs
     * between builds -- confirm against the generator) is not matched.
     * The "n = ..., score = ..." annotations come from yara-signator: n equals
     * the number of instructions in the sequence, score is the generator's own
     * ranking. The page does not define the score scale, so treat it as a
     * relative hint, not a per-string confidence value.
     */
    strings:
        $sequence_0 = { 8d85fcfdffff 50 68???????? 53 }
            // n = 4, score = 200
            //   8d85fcfdffff         | lea                 eax, [ebp - 0x204]
            //   50                   | push                eax
            //   68????????           |                     
            //   53                   | push                ebx

        $sequence_1 = { 8d85eefdffff 56 50 e8???????? 8d85ecfdffff 50 }
            // n = 6, score = 200
            //   8d85eefdffff         | lea                 eax, [ebp - 0x212]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d85ecfdffff         | lea                 eax, [ebp - 0x214]
            //   50                   | push                eax

        $sequence_2 = { 8985f0edffff ffd7 83c41c 89b5f8edffff 39b5f0edffff 0f8eb1000000 }
            // n = 6, score = 200
            //   8985f0edffff         | mov                 dword ptr [ebp - 0x1210], eax
            //   ffd7                 | call                edi
            //   83c41c               | add                 esp, 0x1c
            //   89b5f8edffff         | mov                 dword ptr [ebp - 0x1208], esi
            //   39b5f0edffff         | cmp                 dword ptr [ebp - 0x1210], esi
            //   0f8eb1000000         | jle                 0xb7

        $sequence_3 = { a5 a5 a5 a5 a4 6a07 59 }
            // n = 7, score = 200
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   6a07                 | push                7
            //   59                   | pop                 ecx

        $sequence_4 = { be???????? 8dbda8fcffff a5 a5 }
            // n = 4, score = 200
            //   be????????           |                     
            //   8dbda8fcffff         | lea                 edi, [ebp - 0x358]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        $sequence_5 = { 8945f0 85db 0f8489010000 85c0 0f8481010000 }
            // n = 5, score = 200
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   85db                 | test                ebx, ebx
            //   0f8489010000         | je                  0x18f
            //   85c0                 | test                eax, eax
            //   0f8481010000         | je                  0x187

        $sequence_6 = { 757e 6a04 5f ff15???????? }
            // n = 4, score = 200
            //   757e                 | jne                 0x80
            //   6a04                 | push                4
            //   5f                   | pop                 edi
            //   ff15????????         |                     

        $sequence_7 = { 53 53 ffb5f8fdffff ffd6 85c0 757e }
            // n = 6, score = 200
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   ffb5f8fdffff         | push                dword ptr [ebp - 0x208]
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   757e                 | jne                 0x80

        $sequence_8 = { c3 50 50 9c b80a000000 51 b932000000 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   50                   | push                eax
            //   50                   | push                eax
            //   9c                   | pushfd              
            //   b80a000000           | mov                 eax, 0xa
            //   51                   | push                ecx
            //   b932000000           | mov                 ecx, 0x32

        $sequence_9 = { 6a5c 52 66c7000000 e8???????? 50 }
            // n = 5, score = 100
            //   6a5c                 | push                0x5c
            //   52                   | push                edx
            //   66c7000000           | mov                 word ptr [eax], 0
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_10 = { 8b4510 8b55f0 8b4d14 03c2 3bc1 894510 }
            // n = 6, score = 100
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   03c2                 | add                 eax, edx
            //   3bc1                 | cmp                 eax, ecx
            //   894510               | mov                 dword ptr [ebp + 0x10], eax

        $sequence_11 = { 9d 58 8b45f8 50 ff15???????? 8b45f4 }
            // n = 6, score = 100
            //   9d                   | popfd               
            //   58                   | pop                 eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_12 = { 33c0 8dbda1edffff 8895a0edffff f3ab 66ab }
            // n = 5, score = 100
            //   33c0                 | xor                 eax, eax
            //   8dbda1edffff         | lea                 edi, [ebp - 0x125f]
            //   8895a0edffff         | mov                 byte ptr [ebp - 0x1260], dl
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax

        $sequence_13 = { 81ec04020000 53 56 57 33d2 }
            // n = 5, score = 100
            //   81ec04020000         | sub                 esp, 0x204
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   33d2                 | xor                 edx, edx

        $sequence_14 = { 7422 66891f 83c702 57 }
            // n = 4, score = 100
            //   7422                 | je                  0x24
            //   66891f               | mov                 word ptr [edi], bx
            //   83c702               | add                 edi, 2
            //   57                   | push                edi

        $sequence_15 = { ff15???????? 8b750c 68000000a0 8d9514f5ffff 50 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   68000000a0           | push                0xa0000000
            //   8d9514f5ffff         | lea                 edx, [ebp - 0xaec]
            //   50                   | push                eax

    /* Match requires any 7 of the 16 sequences AND a scanned object smaller
     * than 188416 bytes (184 KiB). The size bound limits false positives on
     * large unrelated binaries, but it also means an object above that size --
     * e.g. a whole memory dump or a padded/packed sample -- is not matched even
     * when the sequences are present; raise or drop the bound if you scan such
     * objects. Because the sequences were selected from unpacked code (see the
     * disclaimer above), packed on-disk samples may be missed until unpacked.
     * NOTE(review): filesize is a file-scan variable -- confirm how your YARA
     * version evaluates it when scanning process memory before relying on it.
     */
    condition:
        7 of them and filesize < 188416
}