Ransomware; potentially a rebranding of win.sfile.
rule win_mindware_auto {
    // Auto-generated code-sequence signature for win.mindware (32-bit x86 code).
    //
    // Reviewer notes (not part of the generated rule):
    //  - The sequences were selected by YARA-Signator from the disassembly of
    //    the documented sample(s) only (see DISCLAIMER below); treat this as a
    //    sample-derived signature and assign confidence accordingly.
    //  - $sequence_1, _3, _7, _8 and _9 are runs of `mov dword ptr [ebp-N], imm32`
    //    whose immediates (0x43d6dc, 0x43e4a8, 0x43f55c, ...) look like absolute
    //    in-image addresses at the sample's preferred base — TODO confirm. If so,
    //    a rebuild with a different image base, or a relocated/rebased memory
    //    dump, changes those bytes; five of the ten strings share this dependence
    //    and the condition needs seven of them.
    //  - $sequence_2 and $sequence_6 share the same table-xor core
    //    (330c85603b4400 330c95e03e4400 ... 33d9) and differ only in the
    //    [edi + 0x108] vs. [edi + 0x128] load; they are likely to hit together,
    //    so "7 of them" effectively counts closely related evidence twice.
    //  - The `e8????????` / `ff15????????` wildcards cover the call targets,
    //    which vary with link layout; keep them as wildcards.
    //  - `filesize < 661504` bounds file scans; check how your scanner evaluates
    //    filesize when the rule is applied to process memory rather than files.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.mindware."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mindware"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Store to [ecx+4], then a call with a single 0x28 argument whose result
        // is saved and compared against 0 (call target wildcarded).
        $sequence_0 = { 894104 6a28 e8???????? 83c404 8945dc 837ddc00 }
            // n = 6, score = 100
            // 894104       | mov dword ptr [ecx + 4], eax
            // 6a28         | push 0x28
            // e8????????   |
            // 83c404       | add esp, 4
            // 8945dc       | mov dword ptr [ebp - 0x24], eax
            // 837ddc00     | cmp dword ptr [ebp - 0x24], 0

        // Consecutive stack-slot stores of 0x43d6xx immediates (image-base
        // dependent if these are addresses; see reviewer notes above).
        $sequence_1 = { c78520edffffdcd64300 c78524edffffe4d64300 c78528edffffecd64300 c7852cedfffff4d64300 c78530edfffffcd64300 c78534edffff04d74300 }
            // n = 6, score = 100
            // c78520edffffdcd64300 | mov dword ptr [ebp - 0x12e0], 0x43d6dc
            // c78524edffffe4d64300 | mov dword ptr [ebp - 0x12dc], 0x43d6e4
            // c78528edffffecd64300 | mov dword ptr [ebp - 0x12d8], 0x43d6ec
            // c7852cedfffff4d64300 | mov dword ptr [ebp - 0x12d4], 0x43d6f4
            // c78530edfffffcd64300 | mov dword ptr [ebp - 0x12d0], 0x43d6fc
            // c78534edffff04d74300 | mov dword ptr [ebp - 0x12cc], 0x43d704

        // Masked index into two dword tables at 0x443b60 / 0x443ee0 xored into
        // ecx, then folded into ebx; overlaps with $sequence_6.
        $sequence_2 = { 83e03f 330c85603b4400 330c95e03e4400 8b9708010000 33d9 }
            // n = 5, score = 100
            // 83e03f         | and eax, 0x3f
            // 330c85603b4400 | xor ecx, dword ptr [eax*4 + 0x443b60]
            // 330c95e03e4400 | xor ecx, dword ptr [edx*4 + 0x443ee0]
            // 8b9708010000   | mov edx, dword ptr [edi + 0x108]
            // 33d9           | xor ebx, ecx

        // Consecutive stack-slot stores of 0x43e4xx immediates.
        $sequence_3 = { c785b8f2ffffa8e44300 c785bcf2ffffb4e44300 c785c0f2ffffc0e44300 c785c4f2ffffc8e44300 c785c8f2ffffd4e44300 c785ccf2ffffdce44300 c785d0f2ffffe4e44300 }
            // n = 7, score = 100
            // c785b8f2ffffa8e44300 | mov dword ptr [ebp - 0xd48], 0x43e4a8
            // c785bcf2ffffb4e44300 | mov dword ptr [ebp - 0xd44], 0x43e4b4
            // c785c0f2ffffc0e44300 | mov dword ptr [ebp - 0xd40], 0x43e4c0
            // c785c4f2ffffc8e44300 | mov dword ptr [ebp - 0xd3c], 0x43e4c8
            // c785c8f2ffffd4e44300 | mov dword ptr [ebp - 0xd38], 0x43e4d4
            // c785ccf2ffffdce44300 | mov dword ptr [ebp - 0xd34], 0x43e4dc
            // c785d0f2ffffe4e44300 | mov dword ptr [ebp - 0xd30], 0x43e4e4

        // Pointer into a local buffer at [ebp-0xb4], advanced by 2, with a
        // 16-bit load through it (consistent with a wide-char walk — unverified).
        $sequence_4 = { 8d954cffffff 8955fc 8b45fc 83c002 8945e4 8b4dfc 668b11 }
            // n = 7, score = 100
            // 8d954cffffff | lea edx, [ebp - 0xb4]
            // 8955fc       | mov dword ptr [ebp - 4], edx
            // 8b45fc       | mov eax, dword ptr [ebp - 4]
            // 83c002       | add eax, 2
            // 8945e4       | mov dword ptr [ebp - 0x1c], eax
            // 8b4dfc       | mov ecx, dword ptr [ebp - 4]
            // 668b11       | mov dx, word ptr [ecx]

        // Two locals initialised from edx, then arg0+0x2c pushed to an imported
        // function called through an IAT slot (address wildcarded).
        $sequence_5 = { 8955d4 8955d8 8b4508 83c02c 50 ff15???????? }
            // n = 6, score = 100
            // 8955d4       | mov dword ptr [ebp - 0x2c], edx
            // 8955d8       | mov dword ptr [ebp - 0x28], edx
            // 8b4508       | mov eax, dword ptr [ebp + 8]
            // 83c02c       | add eax, 0x2c
            // 50           | push eax
            // ff15???????? |

        // Same table-xor core as $sequence_2 with the [edi + 0x128] load.
        $sequence_6 = { 330c85603b4400 330c95e03e4400 8b9728010000 33d9 }
            // n = 4, score = 100
            // 330c85603b4400 | xor ecx, dword ptr [eax*4 + 0x443b60]
            // 330c95e03e4400 | xor ecx, dword ptr [edx*4 + 0x443ee0]
            // 8b9728010000   | mov edx, dword ptr [edi + 0x128]
            // 33d9           | xor ebx, ecx

        // Consecutive stack-slot stores of 0x43f5xx immediates.
        $sequence_7 = { c78524f9ffff5cf54300 c78528f9ffff6cf54300 c7852cf9ffff74f54300 c78530f9ffff7cf54300 }
            // n = 4, score = 100
            // c78524f9ffff5cf54300 | mov dword ptr [ebp - 0x6dc], 0x43f55c
            // c78528f9ffff6cf54300 | mov dword ptr [ebp - 0x6d8], 0x43f56c
            // c7852cf9ffff74f54300 | mov dword ptr [ebp - 0x6d4], 0x43f574
            // c78530f9ffff7cf54300 | mov dword ptr [ebp - 0x6d0], 0x43f57c

        // Consecutive stack-slot stores of 0x43e5xx/0x43e6xx immediates.
        $sequence_8 = { c78524f3ffffd0e54300 c78528f3ffffd8e54300 c7852cf3ffffece54300 c78530f3fffff8e54300 c78534f3ffff00e64300 c78538f3ffff08e64300 c7853cf3ffff10e64300 }
            // n = 7, score = 100
            // c78524f3ffffd0e54300 | mov dword ptr [ebp - 0xcdc], 0x43e5d0
            // c78528f3ffffd8e54300 | mov dword ptr [ebp - 0xcd8], 0x43e5d8
            // c7852cf3ffffece54300 | mov dword ptr [ebp - 0xcd4], 0x43e5ec
            // c78530f3fffff8e54300 | mov dword ptr [ebp - 0xcd0], 0x43e5f8
            // c78534f3ffff00e64300 | mov dword ptr [ebp - 0xccc], 0x43e600
            // c78538f3ffff08e64300 | mov dword ptr [ebp - 0xcc8], 0x43e608
            // c7853cf3ffff10e64300 | mov dword ptr [ebp - 0xcc4], 0x43e610

        // Consecutive stack-slot stores of 0x43f2xx immediates.
        $sequence_9 = { c785e8f7ffff90f24300 c785ecf7ffff98f24300 c785f0f7ffffa0f24300 c785f4f7ffffa8f24300 c785f8f7ffffc0f24300 c785fcf7ffffccf24300 c78500f8ffffd4f24300 }
            // n = 7, score = 100
            // c785e8f7ffff90f24300 | mov dword ptr [ebp - 0x818], 0x43f290
            // c785ecf7ffff98f24300 | mov dword ptr [ebp - 0x814], 0x43f298
            // c785f0f7ffffa0f24300 | mov dword ptr [ebp - 0x810], 0x43f2a0
            // c785f4f7ffffa8f24300 | mov dword ptr [ebp - 0x80c], 0x43f2a8
            // c785f8f7ffffc0f24300 | mov dword ptr [ebp - 0x808], 0x43f2c0
            // c785fcf7ffffccf24300 | mov dword ptr [ebp - 0x804], 0x43f2cc
            // c78500f8ffffd4f24300 | mov dword ptr [ebp - 0x800], 0x43f2d4

    condition:
        // Require 7 of the 10 sequences and cap the scanned object at ~646 KiB;
        // see the reviewer notes on how much of that threshold rests on the
        // image-base-dependent stores and on the overlapping $sequence_2/_6.
        7 of them and filesize < 661504
}