There is no description at this point.
rule win_kivars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.kivars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading notes (review)
     * - Every $sequence_N is a run of raw instruction encodings. The "??"
     *   wildcards stand for the displacement / immediate of calls, jumps and
     *   absolute-address operands, which differ between builds; "n" is the
     *   number of instructions in the sequence and "score" is the weight the
     *   generator assigned to it.
     * - The sequences come from both 32-bit and x64 code: REX prefixes
     *   (41 / 48 / 4c) are present in $sequence_0..3 and $sequence_8. The
     *   generator decoded every sequence as 32-bit code, so its per-opcode
     *   annotations for the REX sequences were wrong and shifted relative to
     *   the bytes. Those have been re-decoded below in 64-bit mode. Where a
     *   sequence has no REX prefix the mode is not recoverable from the bytes
     *   alone, so the [esp] vs. [rsp] spelling there is an assumption.
     * - The condition needs 7 of the 16 sequences plus a size cap; a hit on a
     *   single sequence is not meaningful on its own.
     */

    strings:
        // x64 code (REX.W present). n = 6, score = 200
        $sequence_0 = { 48c744242000000000 41b918000000 4c8d442430 33d2 488b4c2448 ff15???????? }
            // 48c744242000000000 | mov qword ptr [rsp + 0x20], 0
            // 41b918000000       | mov r9d, 0x18
            // 4c8d442430         | lea r8, [rsp + 0x30]
            // 33d2               | xor edx, edx
            // 488b4c2448         | mov rcx, qword ptr [rsp + 0x48]
            // ff15????????       | call qword ptr [rip + disp32]

        // x64 code (REX present). n = 5, score = 200
        $sequence_1 = { 41b802000000 488d942470040000 488b8c2478080000 e8???????? 89842480080000 }
            // 41b802000000       | mov r8d, 2
            // 488d942470040000   | lea rdx, [rsp + 0x470]
            // 488b8c2478080000   | mov rcx, qword ptr [rsp + 0x878]
            // e8????????         | call rel32
            // 89842480080000     | mov dword ptr [rsp + 0x880], eax

        // x64 code (REX.W present). n = 4, score = 200
        $sequence_2 = { 488b8c2410030000 ff15???????? 488d1510390000 488b8c2410030000 }
            // 488b8c2410030000   | mov rcx, qword ptr [rsp + 0x310]
            // ff15????????       | call qword ptr [rip + disp32]
            // 488d1510390000     | lea rdx, [rip + 0x3910]
            // 488b8c2410030000   | mov rcx, qword ptr [rsp + 0x310]

        // x64 code (REX.W on the third instruction). n = 4, score = 200
        $sequence_3 = { 668944243c 0fb744243c 488b4c2448 0fb74906 }
            // 668944243c         | mov word ptr [rsp + 0x3c], ax
            // 0fb744243c         | movzx eax, word ptr [rsp + 0x3c]
            // 488b4c2448         | mov rcx, qword ptr [rsp + 0x48]
            // 0fb74906           | movzx ecx, word ptr [rcx + 6]

        // 32-bit code. n = 7, score = 200
        $sequence_4 = { 51 6a01 68???????? 68???????? 6801000080 e8???????? 83c414 }
            // 51                 | push ecx
            // 6a01               | push 1
            // 68????????         | push imm32
            // 68????????         | push imm32
            // 6801000080         | push 0x80000001
            // e8????????         | call rel32
            // 83c414             | add esp, 0x14

        // 32-bit code. n = 5, score = 200
        $sequence_5 = { 8984241c010000 0f843b010000 56 57 89442414 }
            // 8984241c010000     | mov dword ptr [esp + 0x11c], eax
            // 0f843b010000       | je 0x141
            // 56                 | push esi
            // 57                 | push edi
            // 89442414           | mov dword ptr [esp + 0x14], eax

        // Mode not recoverable from the bytes; [esp] assumed. n = 5, score = 200
        $sequence_6 = { c644247069 c6442471b1 c644247217 c644247363 c6442474bd }
            // c644247069         | mov byte ptr [esp + 0x70], 0x69
            // c6442471b1         | mov byte ptr [esp + 0x71], 0xb1
            // c644247217         | mov byte ptr [esp + 0x72], 0x17
            // c644247363         | mov byte ptr [esp + 0x73], 0x63
            // c6442474bd         | mov byte ptr [esp + 0x74], 0xbd

        // 32-bit code. n = 7, score = 200
        $sequence_7 = { 52 e8???????? 8b442420 8b4c2428 57 56 50 }
            // 52                 | push edx
            // e8????????         | call rel32
            // 8b442420           | mov eax, dword ptr [esp + 0x20]
            // 8b4c2428           | mov ecx, dword ptr [esp + 0x28]
            // 57                 | push edi
            // 56                 | push esi
            // 50                 | push eax

        // x64 code (REX.W present). n = 6, score = 200
        $sequence_8 = { 8905???????? b001 e9???????? 488d8c2498020000 e8???????? 48c784245802000000000000 }
            // 8905????????       | mov dword ptr [rip + disp32], eax
            // b001               | mov al, 1
            // e9????????         | jmp rel32
            // 488d8c2498020000   | lea rcx, [rsp + 0x298]
            // e8????????         | call rel32
            // 48c784245802000000000000 | mov qword ptr [rsp + 0x258], 0

        // 32-bit code. n = 6, score = 200
        $sequence_9 = { 8d55dc 52 681f000200 50 57 56 }
            // 8d55dc             | lea edx, [ebp - 0x24]
            // 52                 | push edx
            // 681f000200         | push 0x2001f
            // 50                 | push eax
            // 57                 | push edi
            // 56                 | push esi

        // 32-bit code. n = 5, score = 200
        $sequence_10 = { 8d8c2420030000 51 50 ff15???????? 85c0 }
            // 8d8c2420030000     | lea ecx, [esp + 0x320]
            // 51                 | push ecx
            // 50                 | push eax
            // ff15????????       | call dword ptr [disp32]
            // 85c0               | test eax, eax

        // 32-bit code. n = 5, score = 200
        $sequence_11 = { ff15???????? 8d9424a4020000 52 ff15???????? 80bc04a30200005c }
            // ff15????????       | call dword ptr [disp32]
            // 8d9424a4020000     | lea edx, [esp + 0x2a4]
            // 52                 | push edx
            // ff15????????       | call dword ptr [disp32]
            // 80bc04a30200005c   | cmp byte ptr [esp + eax + 0x2a3], 0x5c

        // 32-bit code. n = 5, score = 200
        $sequence_12 = { ff15???????? 85c0 89442410 0f848d000000 8b8c2418020000 }
            // ff15????????       | call dword ptr [disp32]
            // 85c0               | test eax, eax
            // 89442410           | mov dword ptr [esp + 0x10], eax
            // 0f848d000000       | je 0x93
            // 8b8c2418020000     | mov ecx, dword ptr [esp + 0x218]

        // Mode not recoverable from the bytes; [rsp] assumed (ffc8 / 8bc0 are
        // the 64-bit encodings of dec eax / mov eax, eax). n = 5, score = 200
        $sequence_13 = { 837c242400 0f8caa040000 8b842440010000 ffc8 8bc0 }
            // 837c242400         | cmp dword ptr [rsp + 0x24], 0
            // 0f8caa040000       | jl rel32 (+0x4aa)
            // 8b842440010000     | mov eax, dword ptr [rsp + 0x140]
            // ffc8               | dec eax
            // 8bc0               | mov eax, eax

        // 32-bit code. n = 6, score = 200
        $sequence_14 = { c684248000000025 c684248100000026 c684248200000027 c684248300000028 c684248400000029 c68424850000002a }
            // c684248000000025   | mov byte ptr [esp + 0x80], 0x25
            // c684248100000026   | mov byte ptr [esp + 0x81], 0x26
            // c684248200000027   | mov byte ptr [esp + 0x82], 0x27
            // c684248300000028   | mov byte ptr [esp + 0x83], 0x28
            // c684248400000029   | mov byte ptr [esp + 0x84], 0x29
            // c68424850000002a   | mov byte ptr [esp + 0x85], 0x2a

        // Mode not recoverable from the bytes; [rsp] assumed. n = 5, score = 200
        $sequence_15 = { ff15???????? 89842490050000 ff15???????? 8b8c2490050000 0fafc8 }
            // ff15????????       | call qword ptr [rip + disp32]
            // 89842490050000     | mov dword ptr [rsp + 0x590], eax
            // ff15????????       | call qword ptr [rip + disp32]
            // 8b8c2490050000     | mov ecx, dword ptr [rsp + 0x590]
            // 0fafc8             | imul ecx, eax

    condition:
        // At least seven of the sixteen code sequences must be present, and the
        // file size cap (192 KiB) keeps the rule from being evaluated against
        // large unrelated binaries.
        7 of them and filesize < 196608
}