According to Karsten Hahn, a straightforward loader that runs assemblies from images.
rule win_kazyloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.kazyloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazyloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { d2 9c 07 06 8e }
            // n = 5, score = 100
            //   d2                   | pushfd
            //   9c                   | pop                 es
            //   07                   | push                es
            //   06                   | imul                esp, dword ptr [edx + 0x196f0511], 0x260a0000
            //   8e                   | add                 dl, dl

        $sequence_1 = { 1309 1109 3a3fffffff 02 09 6f2700000a }
            // n = 6, score = 100
            //   1309                 | inc                 ebp
            //   1109                 | add                 eax, dword ptr [eax]
            //   3a3fffffff           | add                 byte ptr [eax], al
            //   02                   | inc                 ebp
            //   09                   | add                 byte ptr [eax], al
            //   6f2700000a           | add                 byte ptr [ecx], ch

        $sequence_2 = { 6f1a00000a 281b00000a 26 00 de00 }
            // n = 5, score = 100
            //   6f1a00000a           | or                  ebp, dword ptr [edi + 0x18]
            //   281b00000a           | add                 byte ptr [eax], al
            //   26                   | or                  dl, byte ptr [edi + edx]
            //   00                   | lea                 eax, [ecx]
            //   de00                 | add                 byte ptr [eax], al

        $sequence_3 = { 8e 69 58 280100002b }
            // n = 4, score = 100
            //   8e                   |
            //   69                   |
            //   58                   | outsd               dx, dword ptr [esi]
            //   280100002b           | pop                 ds

        $sequence_4 = { 00 08 16 06 06 8e 69 }
            // n = 7, score = 100
            //   00                   | xchg                eax, ecx
            //   08                   | add                 byte ptr [esi], al
            //   16                   | pop                 es
            //   06                   | adc                 dword ptr [esi], eax
            //   06                   | xchg                eax, ecx
            //   8e                   | outsd               dx, dword ptr [esi]
            //   69                   | add                 byte ptr es:[eax], al

        $sequence_5 = { 00 1104 02 6f1f00000a 5a 1105 }
            // n = 6, score = 100
            //   00                   | add                 eax, dword ptr [eax]
            //   1104                 | add                 byte ptr [esi], al
            //   02                   | pop                 es
            //   6f1f00000a           | add                 al, 0
            //   5a                   | add                 ch, byte ptr [edi + 0x1f]
            //   1105                 | add                 byte ptr [eax], al

        $sequence_6 = { 6f1400000a 740200001b 0c 1200 06 8e 69 }
            // n = 7, score = 100
            //   6f1400000a           | add                 al, byte ptr [eax]
            //   740200001b           | add                 byte ptr [esi], al
            //   0c                   | pop                 es
            //   1200                 | jae                 0x17
            //   06                   | add                 byte ptr [eax], al
            //   8e                   |
            //   69                   | outsd               dx, dword ptr [esi]

        $sequence_7 = { 58 91 1308 1108 20fd000000 59 }
            // n = 6, score = 100
            //   58                   | sub                 eax, dword ptr [eax]
            //   91                   | or                  byte ptr [esi], dl
            //   1308                 | push                es
            //   1108                 | pop                 eax
            //   20fd000000           | xchg                eax, ecx
            //   59                   | adc                 ecx, dword ptr [eax]

        $sequence_8 = { 282100000a 00 02 08 19 02 6f2200000a }
            // n = 7, score = 100
            //   282100000a           | lea                 eax, [ecx]
            //   00                   | add                 byte ptr [eax], al
            //   02                   | add                 dword ptr [ebx], edx
            //   08                   | sub                 byte ptr [edx], dl
            //   19                   | add                 byte ptr [eax], al
            //   02                   | or                  dh, byte ptr [ebx + 0x13]
            //   6f2200000a           | add                 byte ptr [eax], al

        $sequence_9 = { 07 04 2804000006 0b 07 281200000a 6f1800000a }
            // n = 7, score = 100
            //   07                   |
            //   04                   | pop                 es
            //   2804000006           |
            //   0b                   | sub                 byte ptr [eax + eax], al
            //   07                   | add                 byte ptr [esi], al
            //   281200000a           | or                  eax, dword ptr [edi]
            //   6f1800000a           | sub                 byte ptr [edx], dl

    condition:
        7 of them and filesize < 50176
}