Industrial Spy (Malpedia: win.industrial_spy) is a ransomware family that emerged in April 2022.
// Auto-generated yara-signator rule for win.industrial_spy (x86-64 code).
//
// Reviewer notes for anyone deploying this:
//  - Per the DISCLAIMER below, the byte sequences were selected from memory
//    dumps / unpacked samples. Expect it to match unpacked code in memory or
//    on an unpacked binary; a packed on-disk sample may not trigger it.
//  - `??` wildcards mask only the rel32 targets of call/jmp (e8, e9) and the
//    rip-relative disp32 of `call [rip+x]` (ff15). Other rip-relative lea
//    operands (e.g. 488d15 02dffeff in $sequence_2, 488d0d 3df40000 in
//    $sequence_5) are matched literally, so those strings are tied to one
//    build's layout and will not survive a relink.
//  - `filesize < 339968` bounds the scanned object size; memory dumps or
//    process images larger than that will not match even if the code is
//    present. Adjust if you scan dumps rather than files.
//  - The disassembly shown next to each sequence below is the x86-64
//    decoding of the listed bytes, given to aid triage only; the comments
//    have no effect on matching.
rule win_industrial_spy_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.industrial_spy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industrial_spy"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Argument setup followed by a call: r9d/r8/rdx/rcx are the first
        // four x64 integer argument registers; the rel32 call target is masked.
        $sequence_0 = { 448bcf 4c8d442460 488bd6 488bce 4103dc e8???????? }
            // n = 6, score = 100
            //   448bcf               | mov r9d, edi
            //   4c8d442460           | lea r8, [rsp+0x60]
            //   488bd6               | mov rdx, rsi
            //   488bce               | mov rcx, rsi
            //   4103dc               | add ebx, r12d
            //   e8????????           | call <rel32>

        // Two indirect (IAT-style, rip-relative) calls with the rel32
        // displacement masked; handle returned in rax is passed on as rcx.
        $sequence_1 = { 0f8f8dfeffff 4c8bb424a8010000 ff15???????? 488bc8 4d8bc5 33d2 ff15???????? }
            // n = 7, score = 100
            //   0f8f8dfeffff         | jg <rel32 -0x173>
            //   4c8bb424a8010000     | mov r14, [rsp+0x1a8]
            //   ff15????????         | call qword ptr [rip+<disp32>]
            //   488bc8               | mov rcx, rax
            //   4d8bc5               | mov r8, r13
            //   33d2                 | xor edx, edx
            //   ff15????????         | call qword ptr [rip+<disp32>]

        // Loop-control fragment: a counter at [rsp+0x48] is decremented by
        // [rsp+0x4c] and a constant 0x26 is loaded into r8d. Note the
        // rip-relative lea is NOT wildcarded (layout-specific).
        $sequence_2 = { 0f8408010000 8b4c2448 488d1502dffeff 2b4c244c 41b826000000 894c2448 0f8542fcffff }
            // n = 7, score = 100
            //   0f8408010000         | je <rel32 +0x108>
            //   8b4c2448             | mov ecx, [rsp+0x48]
            //   488d1502dffeff       | lea rdx, [rip-0x120fe]
            //   2b4c244c             | sub ecx, [rsp+0x4c]
            //   41b826000000         | mov r8d, 0x26
            //   894c2448             | mov [rsp+0x48], ecx
            //   0f8542fcffff         | jne <rel32 -0x3be>

        // rdtsc, with edx:eax merged into a single 64-bit value in rax.
        // NOTE(review): a TSC read like this is commonly an entropy/seed or
        // timing source, but its use here is not visible from the bytes.
        $sequence_3 = { 0f31 48c1e220 480bc2 833900 e9???????? 83650b00 488d5567 }
            // n = 7, score = 100
            //   0f31                 | rdtsc
            //   48c1e220             | shl rdx, 0x20
            //   480bc2               | or rax, rdx
            //   833900               | cmp dword ptr [rcx], 0
            //   e9????????           | jmp <rel32>
            //   83650b00             | and dword ptr [rbp+0xb], 0
            //   488d5567             | lea rdx, [rbp+0x67]

        // Accumulates consecutive bytes from [rdx+r10+...] into r14d,
        // most-significant byte first (shl 8 / or), then tests a flag at
        // [rbx+0x190].
        $sequence_4 = { 41c1e608 440bf0 420fb6441201 41c1e608 440bf0 83bb9001000000 7419 }
            // n = 7, score = 100
            //   41c1e608             | shl r14d, 8
            //   440bf0               | or r14d, eax
            //   420fb6441201         | movzx eax, byte ptr [rdx+r10+1]
            //   41c1e608             | shl r14d, 8
            //   440bf0               | or r14d, eax
            //   83bb9001000000       | cmp dword ptr [rbx+0x190], 0
            //   7419                 | je <rel8 +0x19>

        // Null check on rcx with a fallback address loaded from a fixed
        // rip-relative offset (not wildcarded; layout-specific).
        $sequence_5 = { eb18 4885c9 750b 488d0d3df40000 }
            // n = 4, score = 100
            //   eb18                 | jmp <rel8 +0x18>
            //   4885c9               | test rcx, rcx
            //   750b                 | jne <rel8 +0xb>
            //   488d0d3df40000       | lea rcx, [rip+0xf43d]

        // Pointer-table lookup indexed by r13 followed by a byte compare at
        // a fixed offset in the selected entry.
        $sequence_6 = { 85c0 0f840b010000 488d05f6030100 4a8b04e8 42385cf838 }
            // n = 5, score = 100
            //   85c0                 | test eax, eax
            //   0f840b010000         | je <rel32 +0x10b>
            //   488d05f6030100       | lea rax, [rip+0x103f6]
            //   4a8b04e8             | mov rax, [rax+r13*8]
            //   42385cf838           | cmp byte ptr [rax+r15*8+0x38], bl

        // Two calls with argument setup in between; the stack slot
        // [rsp+0x20] (5th argument home on x64) is zeroed.
        $sequence_7 = { e8???????? 488d4c2450 ff15???????? 488364242000 4c8d4d88 448bc0 }
            // n = 6, score = 100
            //   e8????????           | call <rel32>
            //   488d4c2450           | lea rcx, [rsp+0x50]
            //   ff15????????         | call qword ptr [rip+<disp32>]
            //   488364242000         | and qword ptr [rsp+0x20], 0
            //   4c8d4d88             | lea r9, [rbp-0x78]
            //   448bc0               | mov r8d, eax

        // Backwards scan over a dword array at [rbp-0x40] indexed by rcx.
        $sequence_8 = { 837c8dc000 7508 ffca 4883e901 }
            // n = 4, score = 100
            //   837c8dc000           | cmp dword ptr [rbp+rcx*4-0x40], 0
            //   7508                 | jne <rel8 +0x8>
            //   ffca                 | dec edx
            //   4883e901             | sub rcx, 1

        // Index split: rax >> 6 selects a table slot, r10d & 0x3f keeps the
        // low 6 bits (i.e. a 64-way sub-index).
        $sequence_9 = { 418be9 48c1f806 488d0de0080100 4183e23f }
            // n = 4, score = 100
            //   418be9               | mov ebp, r9d
            //   48c1f806             | sar rax, 6
            //   488d0de0080100       | lea rcx, [rip+0x108e0]
            //   4183e23f             | and r10d, 0x3f

    condition:
        // 7 of the 10 sequences must be present; the size bound limits
        // scanning cost and false positives on large unrelated binaries.
        7 of them and filesize < 339968
}