Actor(s): Operation Soft Cell
There is no description at this point.
rule win_mim221_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.mim221."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mim221"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * DISCLAIMER
     * The byte sequences below were picked automatically by YARA-Signator from
     * the disassembly of memory dumps and unpacked files, not from packed
     * on-disk samples. Code and documentation of the generator:
     *   https://github.com/fxb-cocacoding/yara-signator
     * Malpedia is the data source; for a number of families only a single
     * sample is documented, which limits how well these sequences generalize.
     * Weigh the generation method when assigning confidence to a hit.
     *
     * NOTE(review): the per-opcode listing shipped with the generated rule did
     * not line up with the bytes it annotated, so the annotations below were
     * re-derived by hand from the opcode bytes (x86-64). Register-to-register
     * and stack-relative operands are exact; anything about *what* the code is
     * doing with them is an inference and is marked as such.
     *
     * NOTE(review): "filesize" is only defined when YARA scans a file. On a
     * process-memory scan it is undefined, and "undefined and ..." does not
     * evaluate true -- so as written this rule is for files and dumps, not for
     * live process scanning. Confirm against your YARA version before relying
     * on it in memory-scanning pipelines.
     */

    strings:
        // n = 7, score = 100
        //   lea rdx, [rsp+0x50]
        //   lea rcx, [rsp+0x60]
        //   mov r8d, 0x68
        //   call <rel32>
        //   cmp eax, r14d
        //   je +0x6a
        //   mov rax, [rsp+0x160]
        $sequence_0 = { 488d542450 488d4c2460 41b868000000 e8???????? 413bc6 746a 488b842460010000 }

        // n = 7, score = 100
        //   je +0x8
        //   mov ecx, ebx
        //   call qword ptr [rip+<disp32>]   (import-table style indirect call)
        //   mov [rsp+0x48], rdi
        //   call <rel32>
        //   lea rbx, [rip+0xf1da]
        //   lea rdi, [rip+0xf1fb]
        $sequence_1 = { 7408 8bcb ff15???????? 48897c2448 e8???????? 488d1ddaf10000 488d3dfbf10000 }

        // n = 7, score = 100
        //   xor edx, edx
        //   lea r8d, [r14+0x2e]
        //   lea rcx, [rsp+0xca]
        //   call <rel32>
        //   mov byte ptr [rsp+0x390], 0x44
        //   mov byte ptr [rsp+0x391], 0x8b
        //   mov byte ptr [rsp+0x392], 0x01
        // NOTE(review): 44 8b 01 decodes as "mov r8d, [rcx]"; the byte-wise
        // stores look like code being assembled in a stack buffer -- unconfirmed.
        $sequence_2 = { 33d2 458d462e 488d8c24ca000000 e8???????? c684249003000044 c68424910300008b c684249203000001 }

        // n = 4, score = 100
        //   call <rel32>
        //   mov r11, [rip+<disp32>]
        //   cmp r11, rbp
        //   jbe +0xb
        $sequence_3 = { e8???????? 4c8b1d???????? 4c3bdd 760b }

        // n = 7, score = 100
        //   mov dword ptr [rsp+0x71c], 4
        //   call <rel32>
        //   mov dword ptr [rsp+0x740], 0x2800
        //   mov [rsp+0x748], ebx
        //   lea rax, [rsp+0x890]
        //   lea rcx, [rsp+0x770]
        //   mov r8, rsi
        $sequence_4 = { c784241c07000004000000 e8???????? c784244007000000280000 899c2448070000 488d842490080000 488d8c2470070000 4c8bc6 }

        // n = 6, score = 100
        //   call <rel32>
        //   cmp eax, r15d
        //   je +0x24
        //   movsxd rcx, dword ptr [rdi+0x30]
        //   lea r8, [rbp+0x30]
        //   lea rdx, [rsp+0x50]
        $sequence_5 = { e8???????? 413bc7 7424 48634f30 4c8d4530 488d542450 }

        // n = 7, score = 100
        //   mov rax, [rbx+0x10]
        //   cmp byte ptr [rax+0x49], 0
        //   jne +0x13
        //   mov rbx, rax
        //   mov rax, [rax]
        //   cmp byte ptr [rax+0x49], 0
        //   je -0xc
        // NOTE(review): reads as a linked-structure walk testing a byte flag at
        // offset 0x49 of each node -- inferred from the loop shape only.
        $sequence_6 = { 488b4310 80784900 7513 488bd8 488b00 80784900 74f4 }

        // n = 7, score = 100
        //   mov word ptr [rsp+0x44], 0x73   ; 's'
        //   mov word ptr [rsp+0x46], 0x49   ; 'I'
        //   mov word ptr [rsp+0x48], 0x6e   ; 'n'
        //   mov word ptr [rsp+0x4a], 0x63   ; 'c'
        //   mov word ptr [rsp+0x4c], 0x72   ; 'r'
        //   mov word ptr [rsp+0x4e], bp
        //   mov word ptr [rsp+0x50], 0x6d   ; 'm'
        // NOTE(review): 16-bit stores of ASCII code points look like a UTF-16
        // stack string being built ("sIncr?m"); one character comes from bp.
        $sequence_7 = { 66c74424447300 66c74424464900 66c74424486e00 66c744244a6300 66c744244c7200 66896c244e 66c74424506d00 }

        // n = 7, score = 100
        //   jl -0xc1
        //   test r15d, r15d
        //   je +0x5e
        //   mov rax, [rsp+0x50]
        //   mov byte ptr [rsp+0x60], 0xd
        //   lea rcx, [rip+0x17df4]
        //   mov rcx, [rcx+rax*8]          (pointer-table lookup indexed by rax)
        $sequence_8 = { 0f8c3fffffff 4585ff 745e 488b442450 c64424600d 488d0df47d0100 488b0cc1 }

        // n = 7, score = 100
        //   mov eax, [rsp+0x104]
        //   add rax, r12
        //   mov [rsp+0x70], rax
        //   mov eax, [rsp+0xf8]
        //   mov rcx, [rax+r12]
        //   mov [rsp+0x58], rcx
        //   mov r8, [rdi+0x88]
        $sequence_9 = { 8b842404010000 4903c4 4889442470 8b8424f8000000 4a8b0c20 48894c2458 4c8b8788000000 }

    condition:
        // Any 7 of the 10 sequences, bounded to files under 460 KiB.
        7 of them and filesize < 471040
}