win.newbounce

NewBounce


There is no description at this point.

References
2021-10-18 — NortonLifeLock (Norton Labs)
Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church
Families referenced: NewBounce, PlugX, Zupdax
Yara Rules
[TLP:WHITE] win_newbounce_auto (20260504 | Detects win.newbounce.)
rule win_newbounce_auto {
    // Auto-generated code-sequence signature for win.newbounce (see meta and the
    // DISCLAIMER below). Each $sequence_N is a short run of instruction bytes
    // lifted from reference samples; "??" bytes are wildcards (call/jump targets
    // and absolute data references that are expected to vary between builds).
    // The annotated disassembly next to each line is descriptive only — the hex
    // bytes are what YARA actually matches.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.newbounce."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newbounce"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Strings are plain hex patterns. The score = 200 sequences ($sequence_1 ..
    // $sequence_7) contain 0x48 prefix bytes (a REX.W prefix in x64, rendered
    // here by the 32-bit disassembler as "dec eax"), so they presumably come from
    // 64-bit samples; the score = 100 sequences use esp-relative stack slots and
    // fixed table addresses (e.g. 0x635b48), which looks like 32-bit code — confirm.
    // NOTE(review): in several sequences the mnemonic column does not line up with
    // the byte on the same line (e.g. 7cd4 in $sequence_1 is a short "jl" but is
    // annotated as "mov"); treat the byte column as authoritative. The meaning of
    // "score" is not documented on this page — presumably how strongly the sequence
    // was associated with the family's reference samples; verify in yara-signator.
    strings:
        $sequence_0 = { 83e00f 7e05 2bf0 83c610 }
            // n = 4, score = 300
            //   83e00f               | and                 eax, 0xf
            //   7e05                 | jle                 7
            //   2bf0                 | sub                 esi, eax
            //   83c610               | add                 esi, 0x10

        $sequence_1 = { 7cd4 2983d0010000 3bfe 7530 }
            // n = 4, score = 200
            //   7cd4                 | mov                 ecx, dword ptr [esp + 0x30]
            //   2983d0010000         | dec                 eax
            //   3bfe                 | xor                 ecx, esp
            //   7530                 | jl                  0xffffffcc

        $sequence_2 = { 7cd6 488d0d527a0200 e8???????? 448b460c }
            // n = 4, score = 200
            //   7cd6                 | dec                 eax
            //   488d0d527a0200       | mov                 ecx, dword ptr [ebx + 0x5b8]
            //   e8????????           |                     
            //   448b460c             | jl                  0xffffffd6

        $sequence_3 = { 7cba 4863c3 6644893447 eb31 }
            // n = 4, score = 200
            //   7cba                 | jl                  0xffffffbc
            //   4863c3               | dec                 eax
            //   6644893447           | arpl                bx, ax
            //   eb31                 | inc                 sp

        $sequence_4 = { 7cca 488d0d108f0200 448bc6 8bd3 }
            // n = 4, score = 200
            //   7cca                 | mov                 ecx, dword ptr [esp + 0x30]
            //   488d0d108f0200       | jl                  0xffffffc6
            //   448bc6               | dec                 eax
            //   8bd3                 | or                  eax, 0xffffffff

        $sequence_5 = { 7cd5 81fb401f0000 750d 44392d???????? }
            // n = 4, score = 200
            //   7cd5                 | dec                 eax
            //   81fb401f0000         | lea                 ecx, [0x28eef]
            //   750d                 | jl                  0xffffffcc
            //   44392d????????       |                     

        $sequence_6 = { 7cdd 488b8c2420100000 4833cc e8???????? }
            // n = 4, score = 200
            //   7cdd                 | jne                 0x15
            //   488b8c2420100000     | jl                  0xffffffd7
            //   4833cc               | cmp                 ebx, 0x1f40
            //   e8????????           |                     

        $sequence_7 = { 7cc4 4883c8ff eb03 488bc7 }
            // n = 4, score = 200
            //   7cc4                 | dec                 eax
            //   4883c8ff             | arpl                bx, ax
            //   eb03                 | inc                 sp
            //   488bc7               | mov                 dword ptr [edi + eax*2], esi

        $sequence_8 = { 81e7ff000000 3304bd485b6300 895c2458 3304ad48536300 }
            // n = 4, score = 100
            //   81e7ff000000         | lea                 ecx, [0x27a52]
            //   3304bd485b6300       | inc                 esp
            //   895c2458             | mov                 eax, dword ptr [esi + 0xc]
            //   3304ad48536300       | mov                 ebx, 1

        $sequence_9 = { 81e7ff000000 89442444 89bc24c8000000 8bf8 c1e818 8b0485485b6300 }
            // n = 6, score = 100
            //   81e7ff000000         | mov                 dword ptr [esp + 0x4c], ebp
            //   89442444             | xor                 eax, dword ptr [esp + 0x10]
            //   89bc24c8000000       | xor                 eax, dword ptr [esp + 0x40]
            //   8bf8                 | and                 edi, 0xff
            //   c1e818               | xor                 eax, dword ptr [edi*4 + 0x635f48]
            //   8b0485485b6300       | xor                 eax, dword ptr [esp + 0x18]

        $sequence_10 = { 81e7ff000000 896c2410 8be8 8b04bd48536300 }
            // n = 4, score = 100
            //   81e7ff000000         | xor                 eax, dword ptr [edi*4 + 0x635f48]
            //   896c2410             | xor                 eax, dword ptr [esp + 0x18]
            //   8be8                 | xor                 eax, dword ptr [esp + 0x10]
            //   8b04bd48536300       | mov                 dword ptr [esp + 0x120], eax

        $sequence_11 = { 81e7ff000000 330cbd48576300 c1e208 330c8548536300 }
            // n = 4, score = 100
            //   81e7ff000000         | push                -1
            //   330cbd48576300       | lea                 eax, [ebp + 0x10]
            //   c1e208               | push                eax
            //   330c8548536300       | and                 edi, 0xff

        $sequence_12 = { 81e7ff000000 3304bd485f6300 33442418 33442410 }
            // n = 4, score = 100
            //   81e7ff000000         | mov                 ecx, dword ptr [esp + 0x1020]
            //   3304bd485f6300       | dec                 eax
            //   33442418             | xor                 ecx, esp
            //   33442410             | dec                 eax

        $sequence_13 = { 81e7???????? e8???????? 6aff 6aff 8d4510 50 ff15???????? }
            // n = 7, score = 100
            //   81e7????????         |                     
            //   e8????????           |                     
            //   6aff                 | inc                 esp
            //   6aff                 | add                 edi, ebx
            //   8d4510               | jl                  0xffffffd8
            //   50                   | dec                 eax
            //   ff15????????         |                     

        $sequence_14 = { 81e7ff000000 8b0cbd48576300 894c241c 8b0c9d48536300 }
            // n = 4, score = 100
            //   81e7ff000000         | xor                 ecx, dword ptr [edi*4 + 0x635748]
            //   8b0cbd48576300       | shl                 edx, 8
            //   894c241c             | xor                 ecx, dword ptr [eax*4 + 0x635348]
            //   8b0c9d48536300       | or                  edx, dword ptr [esp + 0xbc]

    condition:
        // Any 7 of the 15 sequences above must be present, and the scanned file
        // must be smaller than 8637440 bytes (~8.2 MiB). NOTE(review): per the
        // YARA docs, filesize is only defined when scanning a file and is undefined
        // for a running process, so this rule is meant for files and dumps on disk
        // rather than live process memory — confirm for your YARA version and
        // deployment before relying on it for in-memory detection.
        7 of them and filesize < 8637440
}