There is no description at this point.
/*
 * YARA rule for the win.kdcsponge family, autogenerated by yara-signator
 * (see the meta section and DISCLAIMER below).
 *
 * Structure: ten hex strings ($sequence_0 .. $sequence_9), each a run of
 * instruction encodings taken from a sample. The `e8????????` groups are
 * near calls (E8 = x86 CALL rel32) whose 4-byte relative target is
 * wildcarded because it differs between builds/layouts. The condition
 * requires any 7 of the 10 strings plus a filesize bound.
 *
 * NOTE(review): the per-opcode disassembly annotations in the `//` comments
 * after each string do NOT describe the bytes they are placed next to, e.g.
 * `5b` is `pop rbx` but is annotated "add ecx, edi", `c3` is `ret` but is
 * annotated "mov edx, esi", and `89442430` is `mov [rsp+0x30], eax` but is
 * annotated "lea eax, [edi + 3]". The REX prefixes (48/49/4c/41/44/45) show
 * the sequences come from 64-bit code while the annotations use 32-bit
 * register names, so they look like an artifact of how the generator emits
 * comments rather than a listing of the matched instructions -- treat the
 * hex bytes as authoritative and do not use the annotations for triage.
 *
 * NOTE(review): per the DISCLAIMER the sequences were selected from memory
 * dumps and unpacked files, so the rule presumably fires on unpacked or
 * in-memory code; a packed on-disk sample would not be expected to expose
 * these byte runs -- confirm against your own sample set before assigning
 * a confidence level.
 */
rule win_kdcsponge_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.kdcsponge."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kdcsponge"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // In the trailing comments, `n` equals the number of byte groups in the
        // string; `score` is the generator's ranking value (its scale is not
        // defined on this page). See the header note on the opcode annotations.
        $sequence_0 = { 89442430 0f84b2000000 488d4c2420 e8???????? 85c0 746c 488b858c030000 }
            // n = 7, score = 100
            //   89442430             | lea                 eax, [edi + 3]
            //   0f84b2000000         | mov                 dword ptr [esp + 0x28], 0x8000000
            //   488d4c2420           | dec                 eax
            //   e8????????           |
            //   85c0                 | lea                 ecx, [0x295c4]
            //   746c                 | inc                 ebp
            //   488b858c030000       | xor                 ecx, ecx

        $sequence_1 = { 440fb693ad040000 4584d2 750c c783ca04000004000000 eb25 4180fa01 }
            // n = 6, score = 100
            //   440fb693ad040000     | mov                 dword ptr [ecx + 0x36c], eax
            //   4584d2               | mov                 dword ptr [ecx + 0x4a0], 0xffffffff
            //   750c                 | ret
            //   c783ca04000004000000 | mov                 dword ptr [ecx + 0x60], 0x150000
            //   eb25                 | mov                 dword ptr [ecx + 0x2b0], eax
            //   4180fa01             | mov                 dword ptr [ecx + 0x1f4], eax

        $sequence_2 = { 89816c030000 4883c420 5b c3 48897c2430 8bb93c040000 c7813c04000010000000 }
            // n = 7, score = 100
            //   89816c030000         | and                 dword ptr [edx + 0xa0], 0x20
            //   4883c420             | dec                 eax
            //   5b                   | add                 ecx, edi
            //   c3                   | mov                 edx, esi
            //   48897c2430           | inc                 esp
            //   8bb93c040000         | mov                 ecx, ebx
            //   c7813c04000010000000 | dec                 esp

        $sequence_3 = { 488903 488b0b e8???????? 4898 488907 b801000000 eb4e }
            // n = 7, score = 100
            //   488903               | mov                 dword ptr [ecx + 0x4a0], 0xffffffff
            //   488b0b               | cmp                 byte ptr [ecx + 0x4b1], 1
            //   e8????????           |
            //   4898                 | jne                 0xa5e
            //   488907               | cmp                 byte ptr [ecx + 0x4b0], 1
            //   b801000000           | jne                 0xa5e
            //   eb4e                 | mov                 dword ptr [ecx + 0x8c], eax

        $sequence_4 = { e8???????? 4881c478040000 5f 5e 5d 5b c3 }
            // n = 7, score = 100
            //   e8????????           |
            //   4881c478040000       | jge                 0x1781
            //   5f                   | dec                 eax
            //   5e                   | mov                 eax, dword ptr [esi]
            //   5d                   | dec                 eax
            //   5b                   | lea                 edx, [esp + 0x30]
            //   c3                   | dec                 esp

        $sequence_5 = { 498d4202 493bc0 738e 4863824c040000 4c8d052403feff 498bc9 4883c428 }
            // n = 7, score = 100
            //   498d4202             | xor                 eax, eax
            //   493bc0               | cmp                 ecx, 0x20
            //   738e                 | sete                al
            //   4863824c040000       | add                 eax, 2
            //   4c8d052403feff       | mov                 dword ptr [ebx + 0x440], 4
            //   498bc9               | jmp                 0xf0f
            //   4883c428             | xor                 eax, eax

        $sequence_6 = { 48c781e401000000000200 48c7811402000001000000 48c7811c02000020000000 83f840 751e }
            // n = 5, score = 100
            //   48c781e401000000000200     | dec                 eax
            //   48c7811402000001000000     | arpl                ax, cx
            //   48c7811c02000020000000     | dec                 eax
            //   83f840               | or                  eax, 0xffffffff
            //   751e                 | dec                 ebp

        $sequence_7 = { ba00001400 0f44ca 83c102 80bbb2040000c4 894b60 7513 80bba404000001 }
            // n = 7, score = 100
            //   ba00001400           | dec                 eax
            //   0f44ca               | mov                 ebx, ecx
            //   83c102               | jne                 0x723
            //   80bbb2040000c4       | cmp                 byte ptr [ecx + 0x4b0], 1
            //   894b60               | jne                 0x74a
            //   7513                 | mov                 byte ptr [ecx + 0x4c5], 6
            //   80bba404000001       | dec                 eax

        $sequence_8 = { 740e 80bbae0400000f 750e 80f901 7518 80bbbc0400000f 740a }
            // n = 7, score = 100
            //   740e                 | mov                 ecx, 0x140000
            //   80bbae0400000f       | mov                 dword ptr [ebx + 0x4ca], 0x10
            //   750e                 | mov                 dword ptr [ebx + 0x60], ecx
            //   80f901               | jmp                 0x1cd1
            //   7518                 | cmp                 byte ptr [ebx + 0x4c2], 2
            //   80bbbc0400000f       | jne                 0x1ce3
            //   740a                 | mov                 edx, 0x140000

        $sequence_9 = { 0f94c1 83c167 898b40040000 3c01 ba40000000 b920000000 0f44ca }
            // n = 7, score = 100
            //   0f94c1               | mov                 dword ptr [ebx + 0x1f4], eax
            //   83c167               | mov                 dword ptr [ebx + 0x2b0], eax
            //   898b40040000         | je                  0xd39
            //   3c01                 | xor                 eax, eax
            //   ba40000000           | mov                 dword ptr [ebx + 0x4a0], 0xffffffff
            //   b920000000           | mov                 dword ptr [ebx + 0x138], eax
            //   0f44ca               | mov                 dword ptr [ebx + 0x1f4], eax

    condition:
        // Any 7 of the 10 $sequence_* strings must match. The filesize bound
        // (720896 = 0xB0000 bytes, i.e. 704 KiB) restricts the rule to inputs
        // below that size; presumably derived from the reference sample's
        // size -- confirm it before relying on the rule against larger inputs
        // (e.g. whole memory dumps), and keep in mind that YARA's `filesize`
        // is, I believe, only defined for file inputs, not process scans.
        7 of them and filesize < 720896
}