Undocumented information stealer targeting multiple browsers and cryptocurrencies. Internal project name appears to be "misha".
rule win_misha_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.misha."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading guide for the sequences below:
     * - each $sequence_N is a run of x86 (32-bit) instruction bytes taken from
     *   the unpacked sample; "n" is the instruction count, "score" the
     *   signator ranking.
     * - the e8???????? entries are 5-byte relative calls whose 4-byte
     *   displacement is wildcarded, so the sequences are position-independent
     *   with respect to the call target (the mnemonic column is left blank
     *   for them by the generator).
     * - the condition needs 7 of the 10 sequences to hit, which is what makes
     *   the rule tolerate minor recompilation differences; a single sequence
     *   hit on its own is not a detection.
     */
    strings:
        $sequence_0 = { 894df0 8b4d90 83c104 ff75f0 8b45b4 e8???????? 59 }
            // n = 7, score = 300
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b4d90               | mov                 ecx, dword ptr [ebp - 0x70]
            //   83c104               | add                 ecx, 4
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   e8????????           |
            //   59                   | pop                 ecx

        $sequence_1 = { 59 39551c 7409 ff751c e8???????? 59 5d }
            // n = 7, score = 300
            //   59                   | pop                 ecx
            //   39551c               | cmp                 dword ptr [ebp + 0x1c], edx
            //   7409                 | je                  0xb
            //   ff751c               | push                dword ptr [ebp + 0x1c]
            //   e8????????           |
            //   59                   | pop                 ecx
            //   5d                   | pop                 ebp

        $sequence_2 = { ff7508 ff75cc e8???????? 83c410 8945b0 837d2402 7520 }
            // n = 7, score = 300
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff75cc               | push                dword ptr [ebp - 0x34]
            //   e8????????           |
            //   83c410               | add                 esp, 0x10
            //   8945b0               | mov                 dword ptr [ebp - 0x50], eax
            //   837d2402             | cmp                 dword ptr [ebp + 0x24], 2
            //   7520                 | jne                 0x22

        $sequence_3 = { 8d45f4 50 6a28 e8???????? 59 59 85c0 }
            // n = 7, score = 300
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   6a28                 | push                0x28
            //   e8????????           |
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax

        $sequence_4 = { 8b45d8 6bc038 8b4b18 8d440120 50 ff7324 8b45e8 }
            // n = 7, score = 300
            // Indexing into a table of 0x38-byte records (imul by 0x38, then +0x20).
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   6bc038               | imul                eax, eax, 0x38
            //   8b4b18               | mov                 ecx, dword ptr [ebx + 0x18]
            //   8d440120             | lea                 eax, [ecx + eax + 0x20]
            //   50                   | push                eax
            //   ff7324               | push                dword ptr [ebx + 0x24]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]

        $sequence_5 = { 8b4df8 8908 8b4510 8b4d0c 894808 8b45f8 8b4008 }
            // n = 7, score = 300
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   894808               | mov                 dword ptr [eax + 8], ecx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4008               | mov                 eax, dword ptr [eax + 8]

        $sequence_6 = { ff5168 85c0 8b45f8 8b08 50 0f99c3 }
            // n = 6, score = 300
            // Indirect call through a vtable/function-table slot at +0x68,
            // with the sign of the result captured via setns.
            //   ff5168               | call                dword ptr [ecx + 0x68]
            //   85c0                 | test                eax, eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   50                   | push                eax
            //   0f99c3               | setns               bl

        $sequence_7 = { c785acfeffff1b1b1b1b c785b0feffff1b1b1b1b c785b4feffff1b1b1b1b 66c785b8feffff1b1b c685bafeffff1c }
            // n = 5, score = 300
            // Fills a 15-byte stack region ([ebp-0x154]..[ebp-0x146]) with the
            // constants 0x1b..0x1b,0x1c; the repeated 0x1b1b1b1b immediates are
            // what makes this sequence distinctive.
            //   c785acfeffff1b1b1b1b | mov                 dword ptr [ebp - 0x154], 0x1b1b1b1b
            //   c785b0feffff1b1b1b1b | mov                 dword ptr [ebp - 0x150], 0x1b1b1b1b
            //   c785b4feffff1b1b1b1b | mov                 dword ptr [ebp - 0x14c], 0x1b1b1b1b
            //   66c785b8feffff1b1b   | mov                 word ptr [ebp - 0x148], 0x1b1b
            //   c685bafeffff1c       | mov                 byte ptr [ebp - 0x146], 0x1c

        $sequence_8 = { b84d5a0000 663901 755a 8b413c 8d90f8000000 39542404 7c4b }
            // n = 7, score = 300
            // NOTE(review): compares the first word against 0x5a4d ("MZ") and
            // then reads dword [ecx+0x3c], i.e. it looks like a PE header
            // walk. Such code is common to many loaders, so this sequence on
            // its own carries little family-specific weight.
            //   b84d5a0000           | mov                 eax, 0x5a4d
            //   663901               | cmp                 word ptr [ecx], ax
            //   755a                 | jne                 0x5c
            //   8b413c               | mov                 eax, dword ptr [ecx + 0x3c]
            //   8d90f8000000         | lea                 edx, [eax + 0xf8]
            //   39542404             | cmp                 dword ptr [esp + 4], edx
            //   7c4b                 | jl                  0x4d

        $sequence_9 = { ff75dc 6a08 59 e8???????? 83c420 0fb6c0 85c0 }
            // n = 7, score = 300
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   6a08                 | push                8
            //   59                   | pop                 ecx
            //   e8????????           |
            //   83c420               | add                 esp, 0x20
            //   0fb6c0               | movzx               eax, al
            //   85c0                 | test                eax, eax

    condition:
        // 7 of 10 sequences, bounded to files below 710656 bytes (~694 KiB)
        // to keep the scan cheap and to exclude large unrelated binaries.
        7 of them and filesize < 710656
}
rule win_misha_w0 {
    meta:
        author = "Daniel Plohmann"
        description = "Detect the unpacked payload for win.misha."
        date = "20211109"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha"
        malpedia_rule_date = "20211009"
        // malpedia_hash is intentionally left empty in the published rule.
        malpedia_hash = ""
        malpedia_version = "20211009"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* Hand-written rule: three code patterns from the unpacked payload, each
     * documented with the disassembly it was derived from. Wildcards (??)
     * cover stack displacements, immediates, absolute buffer addresses and
     * call displacements, so the patterns survive relinking/rebasing.
     */
    strings:
        /* @0x4252d7 - creating a heap buffer for the config
        8D 44 24 0C          lea     eax, [esp+10h+var_4]
        68 CE 11 01 00       push    111CEh
        50                   push    eax
        BF 40 9F 01 00       mov     edi, 19F40h
        B9 58 D8 42 00       mov     ecx, offset inner_buffer
        8B C6                mov     eax, esi
        89 7C 24 14          mov     [esp+18h+var_4], edi
        E8 1C D4 FF FF       call    sub_422712
        59                   pop     ecx
        59                   pop     ecx
        85 C0                test    eax, eax
        0F 85 A1 00 00 00    jnz     loc_4253A1
        */
        // Only the first opcode byte (0F) of the trailing jnz is kept.
        $config_heap_0 = { 8D4424?? 68???????? 50 BF???????? B9???????? 8BC689?????? E8???????? 59 59 85C0 0F }

        /* @0x425300 - creating a heap buffer for some x64 code
        8D 44 24 0C          lea     eax, [esp+10h+var_4]
        68 91 F3 00 00       push    0F391h
        50                   push    eax
        8D 86 40 9F 01 00    lea     eax, [esi+19F40h]
        B9 28 EA 43 00       mov     ecx, offset inner_buffer_2
        C7 44 24 14 80 03 02 00    mov     [esp+18h+var_4], 20380h
        E8 F0 D3 FF FF       call    sub_422712
        59                   pop     ecx
        59                   pop     ecx
        85 C0                test    eax, eax
        75 79                jnz     short loc_4253A1
        */
        // Same call site shape as $config_heap_0 (same callee sub_422712),
        // but with a lea-based source and a short jnz (75) at the end.
        $config_heap_1 = { 8D4424?? 68???????? 50 8D86???????? B9???????? C74424?????????? E8???????? 59 59 85C0 75 }

        /* @0x408549 - string decryption
        8B 45 F8             mov     eax, [ebp+var_8]
        33 D2                xor     edx, edx
        F7 75 14             div     [ebp+dwKeyLen]
        8B 45 10             mov     eax, [ebp+szKey]
        0F B6 0C 10          movzx   ecx, byte ptr [eax+edx]
        8B 45 F8             mov     eax, [ebp+var_8]
        33 D2                xor     edx, edx
        BE 00 01 00 00       mov     esi, 100h
        F7 F6                div     esi
        33 CA                xor     ecx, edx
        8B 45 FC             mov     eax, [ebp+var_4]
        03 45 F8             add     eax, [ebp+var_8]
        0F B6 00             movzx   eax, byte ptr [eax]
        33 C1                xor     eax, ecx
        8B 4D FC             mov     ecx, [ebp+var_4]
        03 4D F8             add     ecx, [ebp+var_8]
        88 01                mov     [ecx], al
        EB BF                jmp     short loc_40853A
        */
        // Loop body of a byte-wise XOR decoder: for counter i, the key byte
        // szKey[i % dwKeyLen] is XORed with (i % 0x100) and then applied to
        // buf[i] in place. The distinctive part is the mov esi,100h / div esi
        // pair, which is kept literal; offsets of the locals are wildcarded.
        // NOTE(review): of the three strings this is the most generic in
        // structure; since the condition is `any of them`, a lone
        // $string_decrypt hit should be validated against a goodware corpus
        // before it is treated as a high-confidence family match.
        $string_decrypt = { 8B45?? 33D2 F7???? 8B45?? 0FB6???? 8B45?? 33D2 BE00010000 F7F6 33CA 8B45?? 0345?? 0FB6?? 33C1 8B4D?? 034D?? 8801 EB }

    condition:
        // No filesize bound here, unlike win_misha_auto: the rule is meant for
        // the unpacked payload (see description), e.g. memory dumps.
        any of them
}