There is no description at this point.
There are currently no references.
rule win_nabucur_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.nabucur." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 48 894500 85c0 7fee } // n = 4, score = 200 // 48 | dec eax // 894500 | mov dword ptr [ebp], eax // 85c0 | test eax, eax // 7fee | jg 0xfffffff0 $sequence_1 = { 49 23cf 894c241c 3bc3 } // n = 4, score = 200 // 49 | dec ecx // 23cf | and ecx, edi // 894c241c | mov dword ptr [esp + 0x1c], ecx // 3bc3 | cmp eax, ebx $sequence_2 = { 33ff 33f6 4a c744244001000000 89542434 8b6c2438 } // n = 6, score = 200 // 33ff | xor edi, edi // 33f6 | xor esi, esi // 4a | dec edx // c744244001000000 | mov dword ptr [esp + 0x40], 1 // 89542434 | mov dword ptr [esp + 0x34], edx // 8b6c2438 | mov ebp, dword ptr [esp + 0x38] $sequence_3 = { 49 23cb 894d08 5d } // n = 4, score = 200 // 49 | dec ecx // 23cb | and ecx, ebx // 894d08 | mov dword ptr [ebp + 8], ecx // 5d | pop ebp $sequence_4 = { 009eaa030000 0fb686aa030000 57 83f80a 0f876d010000 } // n = 5, score = 200 // 009eaa030000 | add byte ptr [esi + 0x3aa], bl // 0fb686aa030000 | movzx eax, byte ptr [esi + 0x3aa] // 57 | push edi // 83f80a | cmp eax, 0xa // 0f876d010000 | ja 0x173 $sequence_5 = { 49 03d3 40 85c9 } // n = 4, score = 200 // 49 | dec ecx // 03d3 | add edx, ebx // 40 | inc eax // 85c9 | test ecx, ecx $sequence_6 = { 49 23ce 894f18 8bf0 85c0 0f8521040000 } // n = 6, score = 200 // 49 | dec ecx // 23ce | and ecx, esi // 894f18 | mov dword ptr [edi + 0x18], ecx // 8bf0 | mov esi, eax // 85c0 | test eax, eax // 0f8521040000 | jne 0x427 $sequence_7 = { 49 3b442430 891e 8944241c } // n = 4, score = 200 // 49 | dec ecx // 3b442430 | cmp eax, dword ptr [esp + 0x30] // 891e | mov dword ptr [esi], ebx // 8944241c | mov dword ptr [esp + 0x1c], eax $sequence_8 = { bb95c9c7fe e8???????? 81f2cf3a3100 81f3db2737fd } // n = 4, score = 100 // bb95c9c7fe | mov ebx, 0xfec7c995 // e8???????? | // 81f2cf3a3100 | xor edx, 0x313acf // 81f3db2737fd | xor ebx, 0xfd3727db $sequence_9 = { e9???????? 837d0c00 750c ffb5a4fdffff 8f05???????? } // n = 5, score = 100 // e9???????? | // 837d0c00 | cmp dword ptr [ebp + 0xc], 0 // 750c | jne 0xe // ffb5a4fdffff | push dword ptr [ebp - 0x25c] // 8f05???????? | $sequence_10 = { baaf746bf8 81f2d2b424fb e8???????? 81f2e5b3d7f7 bbee904bf8 } // n = 5, score = 100 // baaf746bf8 | mov edx, 0xf86b74af // 81f2d2b424fb | xor edx, 0xfb24b4d2 // e8???????? | // 81f2e5b3d7f7 | xor edx, 0xf7d7b3e5 // bbee904bf8 | mov ebx, 0xf84b90ee $sequence_11 = { 8706 85c0 75f5 61 c3 60 } // n = 6, score = 100 // 8706 | xchg dword ptr [esi], eax // 85c0 | test eax, eax // 75f5 | jne 0xfffffff7 // 61 | popal // c3 | ret // 60 | pushal $sequence_12 = { 2d4c67d056 0e 67389db266 d07d0b 80ab140ee42859 } // n = 5, score = 100 // 2d4c67d056 | sub eax, 0x56d0674c // 0e | push cs // 67389db266 | cmp byte ptr [di + 0x66b2], bl // d07d0b | sar byte ptr [ebp + 0xb], 1 // 80ab140ee42859 | sub byte ptr [ebx + 0x28e40e14], 0x59 $sequence_13 = { bbb76d15f9 e8???????? bb1ddfc5f7 81f2560b5efd ba3be69bfc } // n = 5, score = 100 // bbb76d15f9 | mov ebx, 0xf9156db7 // e8???????? | // bb1ddfc5f7 | mov ebx, 0xf7c5df1d // 81f2560b5efd | xor edx, 0xfd5e0b56 // ba3be69bfc | mov edx, 0xfc9be63b $sequence_14 = { bafa2649fd 83f901 7db6 ba8fb4a3fb ebb8 83e904 } // n = 6, score = 100 // bafa2649fd | mov edx, 0xfd4926fa // 83f901 | cmp ecx, 1 // 7db6 | jge 0xffffffb8 // ba8fb4a3fb | mov edx, 0xfba3b48f // ebb8 | jmp 0xffffffba // 83e904 | sub ecx, 4 $sequence_15 = { a1???????? a6 48 207b98 } // n = 4, score = 100 // a1???????? | // a6 | cmpsb byte ptr [esi], byte ptr es:[edi] // 48 | dec eax // 207b98 | and byte ptr [ebx - 0x68], bh condition: 7 of them and filesize < 1949696 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY