There is no description at this point.
rule win_kgh_spy_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.kgh_spy." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 488bc1 4c8d8c2458010000 448b44247c 488bd0 } // n = 4, score = 100 // 488bc1 | dec eax // 4c8d8c2458010000 | mov dword ptr [esp + 0x80], eax // 448b44247c | dec eax // 488bd0 | mov dword ptr [esp + 0x48], 0xffffffff $sequence_1 = { ff15???????? 488d154fc70000 488bc8 ff15???????? 488b4c2430 48898108050000 } // n = 6, score = 100 // ff15???????? | // 488d154fc70000 | mov eax, ecx // 488bc8 | cmp eax, dword ptr [esp + 0x60] // ff15???????? | // 488b4c2430 | jbe 0x3eb // 48898108050000 | mov eax, dword ptr [esp + 0x64] $sequence_2 = { 488d0562160100 4889442428 488d0546150100 4889442420 4c8d0d8a2e0100 } // n = 5, score = 100 // 488d0562160100 | cmp dword ptr [eax + 0x1c], 0 // 4889442428 | je 0x58a // 488d0546150100 | dec eax // 4889442420 | cmp dword ptr [esp + 0x28], 0 // 4c8d0d8a2e0100 | jne 0x55f $sequence_3 = { c744244400000000 c684248004000000 488d842481040000 488bf8 33c0 b92f750000 f3aa } // n = 7, score = 100 // c744244400000000 | dec eax // c684248004000000 | add ecx, eax // 488d842481040000 | dec eax // 488bf8 | mov eax, ecx // 33c0 | mov dword ptr [esp + 0x60], eax // b92f750000 | mov dword ptr [esp + 0x20], 0 // f3aa | inc ebp $sequence_4 = { f3aa c784242001000038000000 488d8424b0040000 4889842430010000 488d8424b0040000 4889842400010000 48c7842488000000ffffffff } // n = 7, score = 100 // f3aa | mov eax, dword ptr [esp + 0x70] // c784242001000038000000 | dec eax // 488d8424b0040000 | mov eax, dword ptr [eax] // 4889842430010000 | mov ecx, 8 // 488d8424b0040000 | mov dword ptr [esp + 0x20], 3 // 4889842400010000 | inc ebp // 48c7842488000000ffffffff | xor ecx, ecx $sequence_5 = { ff15???????? 4c8d0df8ed0000 4c8d05813d0100 488d15eeed0000 488d0d833e0100 e8???????? 488d1597400100 } // n = 7, score = 100 // ff15???????? | // 4c8d0df8ed0000 | movzx eax, al // 4c8d05813d0100 | test eax, eax // 488d15eeed0000 | jne 0x14dd // 488d0d833e0100 | jmp 0x1535 // e8???????? | // 488d1597400100 | dec eax $sequence_6 = { 488b8c24e8080000 ff15???????? 48898424a0000000 4883bc24a0000000ff 7507 32c0 e9???????? } // n = 7, score = 100 // 488b8c24e8080000 | add esp, 0x38 // ff15???????? | // 48898424a0000000 | ret // 4883bc24a0000000ff | mov dword ptr [esp + 0x10], edx // 7507 | dec eax // 32c0 | mov dword ptr [esp + 8], ecx // e9???????? | $sequence_7 = { 42888401b0230100 ffc7 ebde 488b0d???????? 83c8ff f00fc101 ffc8 } // n = 7, score = 100 // 42888401b0230100 | lea eax, [0xbb5f] // ffc7 | dec eax // ebde | mov dword ptr [esp + 0x38], eax // 488b0d???????? | // 83c8ff | jmp 0x15c // f00fc101 | je 0x160 // ffc8 | dec eax $sequence_8 = { 41b803000000 ba00000080 488b4c2470 ff15???????? } // n = 4, score = 100 // 41b803000000 | xor eax, eax // ba00000080 | mov ecx, 0x208 // 488b4c2470 | rep stosb byte ptr es:[edi], al // ff15???????? | $sequence_9 = { 48634c2404 488b542420 0fb60c0a 03c1 } // n = 4, score = 100 // 48634c2404 | mov eax, dword ptr [esp + 0x70] // 488b542420 | dec eax // 0fb60c0a | lea edx, [esp + 0x480] // 03c1 | dec eax condition: 7 of them and filesize < 207872 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY