win.mulcom

MulCom


There is no description at this point.

References
2022-03-22 — Avast Decoded — Igor Morgenstern, Jan Holman, Luigino Camastra
Operation Dragon Castling: APT group targeting betting companies
FormerFirstRAT MulCom TianWu
Yara Rules
[TLP:WHITE] win_mulcom_auto (20260504 | Detects win.mulcom.)
rule win_mulcom_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.mulcom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mulcom"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* READING THIS RULE (reviewer notes)
     * - Only the hex byte sequences in the strings section are matched by YARA.
     *   The "//" annotations beneath each $sequence_N are generator output and are
     *   informational only; they do not line up one-to-one with the bytes on the
     *   same line (e.g. 83b97004000002 is annotated "dec eax", but 0x48 is the
     *   "dec eax" opcode, and 0x48/0x4c/0x49/0x44/0x45/0x42 here look like REX
     *   prefixes of 64-bit instructions such as 488d2d8b2f0200). The annotations
     *   therefore appear to be a 32-bit decode of x64 code - TODO confirm against
     *   the generator; do not derive detection logic from them.
     * - "??" wildcards a byte. In these sequences they cover the 4-byte rel32
     *   displacement following e9 (jmp) / e8 (call), so a match does not depend on
     *   where the jump/call target was placed in the sample.
     * - "n = N" matches the number of instructions listed for the sequence;
     *   "score = 100" is the generator's ranking value, whose scale is not
     *   documented on this page.
     * - Per the disclaimer, the sequences were selected from unpacked/memory-dumped
     *   code; expect the rule to miss packed on-disk samples.
     */

    strings:
        $sequence_0 = { 83b97004000002 0f8493010000 83cfff 488d2d8b2f0200 897350 89732c e9???????? }
            // n = 7, score = 100
            //   83b97004000002       | dec                 eax
            //   0f8493010000         | mov                 eax, dword ptr [esi]
            //   83cfff               | dec                 eax
            //   488d2d8b2f0200       | mov                 eax, dword ptr [ecx]
            //   897350               | call                dword ptr [eax + 0x18]
            //   89732c               | cmp                 eax, -1
            //   e9????????           |                     

        $sequence_1 = { 488b8188000000 488d8810020000 83b81807000005 480f45cf 48894dc0 8b1a 4c8b4a08 }
            // n = 7, score = 100
            //   488b8188000000       | movups              xmmword ptr [esp + 0x48], xmm0
            //   488d8810020000       | mov                 eax, dword ptr [esi + 0x10]
            //   83b81807000005       | mov                 dword ptr [esp + 0x58], eax
            //   480f45cf             | psrldq              xmm0, 8
            //   48894dc0             | dec                 ax
            //   8b1a                 | movd                eax, mm0
            //   4c8b4a08             | dec                 eax

        $sequence_2 = { 488955b7 48894daf 8a456f 88442430 488b7577 4c8b757f }
            // n = 6, score = 100
            //   488955b7             | mov                 dword ptr [ecx + 0x10], eax
            //   48894daf             | add                 dword ptr [ebx], 0x14
            //   8a456f               | mov                 ecx, dword ptr [ebx]
            //   88442430             | inc                 edx
            //   488b7577             | lea                 eax, [ecx + edi]
            //   4c8b757f             | movups              xmmword ptr [edx], xmm0

        // Four of the seven entries below are wildcarded jmp rel32 (e9 ????????),
        // so the distinguishing content of this sequence is only the three
        // 488d8a.../488b8a... instructions between them - expect it to be the
        // least specific of the ten sequences.
        $sequence_3 = { e9???????? 488d8a90000000 e9???????? 488d8a70010000 e9???????? 488b8a70000000 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d8a90000000       | lea                 edx, [0x154be]
            //   e9????????           |                     
            //   488d8a70010000       | mov                 ecx, 0x11
            //   e9????????           |                     
            //   488b8a70000000       | dec                 esp
            //   e9????????           |                     

        $sequence_4 = { 89542430 488d1575e40300 4489542428 44895c2420 e8???????? 488bc3 488b4df0 }
            // n = 7, score = 100
            //   89542430             | inc                 al
            //   488d1575e40300       | mov                 byte ptr [ecx], al
            //   4489542428           | dec                 dword ptr [ebx + 0x18]
            //   44895c2420           | jne                 0x368
            //   e8????????           |                     
            //   488bc3               | dec                 eax
            //   488b4df0             | mov                 ecx, dword ptr [ecx + 0x10]

        $sequence_5 = { 443be5 7c07 453bdd 450f4cc1 488b5c2440 }
            // n = 5, score = 100
            //   443be5               | dec                 eax
            //   7c07                 | mov                 esi, dword ptr [ebp - 0x40]
            //   453bdd               | dec                 eax
            //   450f4cc1             | mov                 edi, dword ptr [ebp - 0x58]
            //   488b5c2440           | movzx               ebx, byte ptr [esp + 0x30]

        $sequence_6 = { ff5030 488d55bf 488d4ddf e8???????? 488b55d7 4883fa10 }
            // n = 6, score = 100
            //   ff5030               | dec                 eax
            //   488d55bf             | test                ebx, ebx
            //   488d4ddf             | je                  0x1e3e
            //   e8????????           |                     
            //   488b55d7             | dec                 eax
            //   4883fa10             | cmp                 ebx, edi

        $sequence_7 = { 4288bc0592010000 49ffc0 4983c104 4584d2 75ba 4584d2 }
            // n = 6, score = 100
            //   4288bc0592010000     | movdqu              xmmword ptr [ebp - 0x68], xmm0
            //   49ffc0               | dec                 eax
            //   4983c104             | mov                 dword ptr [ebp + 0x70], ebx
            //   4584d2               | xorps               xmm1, xmm1
            //   75ba                 | mov                 byte ptr [ebp - 0x41], bl
            //   4584d2               | mov                 eax, dword ptr [ebp + 0x63]

        $sequence_8 = { 448938 488d0586e50400 488907 4c897f68 896f70 498bc6 488b5c2478 }
            // n = 7, score = 100
            //   448938               | jne                 0x146b
            //   488d0586e50400       | je                  0x147c
            //   488907               | dec                 eax
            //   4c897f68             | lea                 edx, [ebp + 0x50]
            //   896f70               | dec                 eax
            //   498bc6               | mov                 ecx, esi
            //   488b5c2478           | test                al, al

        $sequence_9 = { 7227 488d4e27 483bce 490f46cc e8???????? 4885c0 0f8415010000 }
            // n = 7, score = 100
            //   7227                 | test                ecx, ecx
            //   488d4e27             | je                  0x1b15
            //   483bce               | dec                 esp
            //   490f46cc             | lea                 eax, [0x2ce3f]
            //   e8????????           |                     
            //   4885c0               | dec                 eax
            //   0f8415010000         | test                eax, eax

    condition:
        // Fires when at least 7 of the 10 $sequence_* strings are present, which
        // tolerates up to three sequences being absent (e.g. compiler or version
        // drift) while still requiring most of the selected code to match.
        // 867328 bytes = 847 KiB; this is a generator-chosen upper bound derived
        // from the documented sample(s), so larger builds of the family would be
        // missed. NOTE(review): in YARA, filesize is defined for file scans; when
        // scanning a running process it is undefined and the comparison does not
        // hold - confirm against the YARA version in use before relying on this
        // rule for memory scanning.
        7 of them and filesize < 867328
}