There is no description at this point.
rule win_meterpreter_auto {
    // Autogenerated (yara-signator) code-sequence rule for win.meterpreter.
    // It fires when at least 7 of the 10 hex byte sequences below are present
    // and the scanned object is smaller than 188416 bytes (see `condition`).
    // Review note: the sequences were taken from disassembly of memory dumps and
    // unpacked files (see the DISCLAIMER below), so the rule is meant for unpacked
    // code or dumped process memory rather than packed on-disk samples.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.meterpreter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is a run of raw x86 bytes. The `????????` spans are
        // YARA wildcard bytes masking a 4-byte operand (presumably an absolute
        // address that differs between builds/relocations, hence not matched).
        // In the generator's comments, "n" is the number of instructions in the
        // sequence and "score" its weighting; each following comment line is
        // the disassembly of one instruction ("bytes | mnemonic operands").

        // Review note: five of these seven bytes are NOPs, so on its own this
        // sequence is generic rather than family-specific; it only carries
        // weight because the condition needs 7 sequences to co-occur.
        $sequence_0 = { 5e 88c3 90 90 90 90 90 }
            // n = 7, score = 200
            // 5e                   | pop                 esi
            // 88c3                 | mov                 bl, al
            // 90                   | nop
            // 90                   | nop
            // 90                   | nop
            // 90                   | nop
            // 90                   | nop

        // Review note: the decoded instructions (rcl bh, cl; or/rol/ror with
        // large displacements) look like data or a misaligned decode rather
        // than intended code; the bytes may still be stable within this sample
        // but are unlikely to generalize across builds.
        $sequence_1 = { 51 d2d7 838f54ebdaa118 c1400133 d28a168b088a 0451 }
            // n = 6, score = 200
            // 51                   | push                ecx
            // d2d7                 | rcl                 bh, cl
            // 838f54ebdaa118       | or                  dword ptr [edi - 0x5e2514ac], 0x18
            // c1400133             | rol                 dword ptr [eax + 1], 0x33
            // d28a168b088a         | ror                 byte ptr [edx - 0x75f774ea], cl
            // 0451                 | add                 al, 0x51

        // Review note: the masked call target follows a memory sub; the trailing
        // xor esp, esp / int1 pair is implausible as real code, so the tail of
        // this sequence is probably decoded across a code/data boundary.
        $sequence_2 = { 836e0c50 ff15???????? 33e4 f1 }
            // n = 4, score = 200
            // 836e0c50             | sub                 dword ptr [esi + 0xc], 0x50
            // ff15????????         |
            // 33e4                 | xor                 esp, esp
            // f1                   | int1

        $sequence_3 = { 8b35???????? 25d6859b0f 94 41 0100 }
            // n = 5, score = 200
            // 8b35????????         |
            // 25d6859b0f           | and                 eax, 0xf9b85d6
            // 94                   | xchg                eax, esp
            // 41                   | inc                 ecx
            // 0100                 | add                 dword ptr [eax], eax

        $sequence_4 = { 3ddc4e0000 7d15 8b84fe8b550c51 52 50 a3???????? 83c42d }
            // n = 7, score = 200
            // 3ddc4e0000           | cmp                 eax, 0x4edc
            // 7d15                 | jge                 0x17
            // 8b84fe8b550c51       | mov                 eax, dword ptr [esi + edi*8 + 0x510c558b]
            // 52                   | push                edx
            // 50                   | push                eax
            // a3????????           |
            // 83c42d               | add                 esp, 0x2d

        $sequence_5 = { 02c0 8bf7 b94c000061 f3ab 8b4573 8b4d0c 8bbdfc89068b }
            // n = 7, score = 200
            // 02c0                 | add                 al, al
            // 8bf7                 | mov                 esi, edi
            // b94c000061           | mov                 ecx, 0x6100004c
            // f3ab                 | rep stosd           dword ptr es:[edi], eax
            // 8b4573               | mov                 eax, dword ptr [ebp + 0x73]
            // 8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            // 8bbdfc89068b         | mov                 edi, dword ptr [ebp - 0x74f97604]

        // Review note: only four bytes of code starting at a `ret`; short,
        // low-specificity sequence (same caveat as $sequence_0).
        $sequence_6 = { c3 8d23 d352e8 d7 }
            // n = 4, score = 200
            // c3                   | ret
            // 8d23                 | lea                 esp, [ebx]
            // d352e8               | rcl                 dword ptr [edx - 0x18], cl
            // d7                   | xlatb

        $sequence_7 = { eb02 33c0 8b4e0c 4e 2a9dc052ff77 }
            // n = 5, score = 200
            // eb02                 | jmp                 4
            // 33c0                 | xor                 eax, eax
            // 8b4e0c               | mov                 ecx, dword ptr [esi + 0xc]
            // 4e                   | dec                 esi
            // 2a9dc052ff77         | sub                 bl, byte ptr [ebp + 0x77ff52c0]

        // Review note: enter 0x288b, 4 / ret 0xf785 are not plausible compiler
        // output; these bytes are most likely data that happened to decode,
        // so treat this sequence as sample-specific.
        $sequence_8 = { c88b2804 0800 001b c285f7 }
            // n = 4, score = 200
            // c88b2804             | enter               0x288b, 4
            // 0800                 | or                  byte ptr [eax], al
            // 001b                 | add                 byte ptr [ebx], bl
            // c285f7               | ret                 0xf785

        // Review note: `mov cs, ...` is not a valid instruction on x86, which
        // again suggests this run crosses into data; the rep stosd prologue
        // with a fixed count is the only part that reads like real code.
        $sequence_9 = { b90e00d000 f3ab 8b666a 00536a 32445014 8e0e 8b5183 }
            // n = 7, score = 200
            // b90e00d000           | mov                 ecx, 0xd0000e
            // f3ab                 | rep stosd           dword ptr es:[edi], eax
            // 8b666a               | mov                 esp, dword ptr [esi + 0x6a]
            // 00536a               | add                 byte ptr [ebx + 0x6a], dl
            // 32445014             | xor                 al, byte ptr [eax + edx*2 + 0x14]
            // 8e0e                 | mov                 cs, word ptr [esi]
            // 8b5183               | mov                 edx, dword ptr [ecx - 0x7d]

    condition:
        // Requires 7 of the 10 sequences, which offsets the weak/generic ones
        // noted above, plus an upper size bound (188416 bytes = 184 KiB).
        // NOTE(review): `filesize` is only defined when scanning a file; when
        // scanning process memory the size term is undefined and this
        // conjunction is expected not to match -- confirm against the YARA
        // version in use before relying on this rule for memory scans.
        7 of them and filesize < 188416
}