There is no description at this point.
rule win_minibrowse_auto {

    // Purpose: flags a file as win.minibrowse when at least 7 of the 10 code
    // byte sequences below are present and the file is smaller than 1779712 bytes.
    //
    // Layout: one statement or comment per line. Line comments (//) run to the
    // end of the physical line, so every string definition needs its own line.
    //
    // Annotations: the right-hand column of each per-sequence comment decodes the
    // bytes as x86-64 (REX prefixes, 64-bit immediates, RIP-relative operands).
    // "????????" wildcards the 32-bit RIP-relative displacement, which differs
    // with code layout.
    //
    // NOTE(review): most sequences load a 64-bit immediate and add a RIP-relative
    // qword or a structure field to it before a store or `call rax`. This looks
    // like constant-blinded address computation; confirm against a sample. The
    // immediates are presumably specific to the build(s) the rule was generated
    // from, so treat a non-match as weak evidence of absence.
    //
    // NOTE(review): `filesize` is only defined when scanning files (including
    // dump files on disk). Per the YARA documentation, a rule using it never
    // matches when YARA scans a running process, so this rule needs the
    // `filesize` clause handled separately for live-memory scanning.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.minibrowse."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.minibrowse"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // "n" equals the number of instructions in the sequence; "score" is the
        // value emitted by yara-signator (its exact meaning is not stated here).

        $sequence_0 = { 488b4010 488b0c24 488b09 48ba519faa8c11c54d25 4801d0 4829c8 48b9519faa8c11c54d25 }
            // n = 7, score = 100
            //   488b4010             | mov rax, qword ptr [rax + 0x10]
            //   488b0c24             | mov rcx, qword ptr [rsp]
            //   488b09               | mov rcx, qword ptr [rcx]
            //   48ba519faa8c11c54d25 | mov rdx, 0x254dc5118caa9f51
            //   4801d0               | add rax, rdx
            //   4829c8               | sub rax, rcx
            //   48b9519faa8c11c54d25 | mov rcx, 0x254dc5118caa9f51

        $sequence_1 = { 4c63c8 428a140a 88542407 41b91d000000 31d2 41f7f1 8b442410 }
            // n = 7, score = 100
            //   4c63c8               | movsxd r9, eax
            //   428a140a             | mov dl, byte ptr [rdx + r9]
            //   88542407             | mov byte ptr [rsp + 7], dl
            //   41b91d000000         | mov r9d, 0x1d
            //   31d2                 | xor edx, edx
            //   41f7f1               | div r9d
            //   8b442410             | mov eax, dword ptr [rsp + 0x10]

        $sequence_2 = { 48b8285a895ec1288634 49034338 4c89542420 ffd0 488b4c2478 48bae4ae95c06d509bd8 }
            // n = 6, score = 100
            //   48b8285a895ec1288634 | mov rax, 0x348628c15e895a28
            //   49034338             | add rax, qword ptr [r11 + 0x38]
            //   4c89542420           | mov qword ptr [rsp + 0x20], r10
            //   ffd0                 | call rax
            //   488b4c2478           | mov rcx, qword ptr [rsp + 0x78]
            //   48bae4ae95c06d509bd8 | mov rdx, 0xd89b506dc095aee4

        $sequence_3 = { f7f1 89c1 83e928 48b81ca6e955db0a66e9 480305???????? 8908 48b81ca6e955db0a66e9 }
            // n = 7, score = 100
            //   f7f1                 | div ecx
            //   89c1                 | mov ecx, eax
            //   83e928               | sub ecx, 0x28
            //   48b81ca6e955db0a66e9 | mov rax, 0xe9660adb55e9a61c
            //   480305????????       | add rax, qword ptr [rip + <wildcarded disp32>]
            //   8908                 | mov dword ptr [rax], ecx
            //   48b81ca6e955db0a66e9 | mov rax, 0xe9660adb55e9a61c

        $sequence_4 = { 48b84933c445a4f5a43d 480305???????? 8b00 8945ac 4189c0 4183e01f 4183c801 }
            // n = 7, score = 100
            //   48b84933c445a4f5a43d | mov rax, 0x3da4f5a445c43349
            //   480305????????       | add rax, qword ptr [rip + <wildcarded disp32>]
            //   8b00                 | mov eax, dword ptr [rax]
            //   8945ac               | mov dword ptr [rbp - 0x54], eax
            //   4189c0               | mov r8d, eax
            //   4183e01f             | and r8d, 0x1f
            //   4183c801             | or r8d, 1

        $sequence_5 = { 488b842488000000 4889442438 488b4c2460 48ba43826c17761a1b3b 480315???????? 48b8e2603ff4395df8be 48034230 }
            // n = 7, score = 100
            //   488b842488000000     | mov rax, qword ptr [rsp + 0x88]
            //   4889442438           | mov qword ptr [rsp + 0x38], rax
            //   488b4c2460           | mov rcx, qword ptr [rsp + 0x60]
            //   48ba43826c17761a1b3b | mov rdx, 0x3b1b1a76176c8243
            //   480315????????       | add rdx, qword ptr [rip + <wildcarded disp32>]
            //   48b8e2603ff4395df8be | mov rax, 0xbef85d39f43f60e2
            //   48034230             | add rax, qword ptr [rdx + 0x30]

        $sequence_6 = { 488b4c2438 49b887c7de1b22f1b6a7 4c0305???????? 48b8584182a86aca4fb4 490300 ffd0 488b542428 }
            // n = 7, score = 100
            //   488b4c2438           | mov rcx, qword ptr [rsp + 0x38]
            //   49b887c7de1b22f1b6a7 | mov r8, 0xa7b6f1221bdec787
            //   4c0305????????       | add r8, qword ptr [rip + <wildcarded disp32>]
            //   48b8584182a86aca4fb4 | mov rax, 0xb44fca6aa8824158
            //   490300               | add rax, qword ptr [r8]
            //   ffd0                 | call rax
            //   488b542428           | mov rdx, qword ptr [rsp + 0x28]

        $sequence_7 = { f7f1 89c1 83e92f 48b894f60aea1b77f0c0 480305???????? 8908 48b894f60aea1b77f0c0 }
            // n = 7, score = 100
            //   f7f1                 | div ecx
            //   89c1                 | mov ecx, eax
            //   83e92f               | sub ecx, 0x2f
            //   48b894f60aea1b77f0c0 | mov rax, 0xc0f0771bea0af694
            //   480305????????       | add rax, qword ptr [rip + <wildcarded disp32>]
            //   8908                 | mov dword ptr [rax], ecx
            //   48b894f60aea1b77f0c0 | mov rax, 0xc0f0771bea0af694

        $sequence_8 = { 80e101 0fb6c9 01ca 48b90080d46689848625 48030d???????? 8911 a801 }
            // n = 7, score = 100
            //   80e101               | and cl, 1
            //   0fb6c9               | movzx ecx, cl
            //   01ca                 | add edx, ecx
            //   48b90080d46689848625 | mov rcx, 0x2586848966d48000
            //   48030d????????       | add rcx, qword ptr [rip + <wildcarded disp32>]
            //   8911                 | mov dword ptr [rcx], edx
            //   a801                 | test al, 1

        $sequence_9 = { f7f1 89c1 48b815ac4d524d475ce8 480305???????? 8908 48b815ac4d524d475ce8 480305???????? }
            // n = 7, score = 100
            //   f7f1                 | div ecx
            //   89c1                 | mov ecx, eax
            //   48b815ac4d524d475ce8 | mov rax, 0xe85c474d524dac15
            //   480305????????       | add rax, qword ptr [rip + <wildcarded disp32>]
            //   8908                 | mov dword ptr [rax], ecx
            //   48b815ac4d524d475ce8 | mov rax, 0xe85c474d524dac15
            //   480305????????       | add rax, qword ptr [rip + <wildcarded disp32>]

    condition:
        // Any 7 of the 10 sequences must match; the size cap is in bytes and
        // bounds the scan to files below 1779712 bytes.
        7 of them and filesize < 1779712
}