win.newcore_rat

NewCore RAT

Actor(s): Hellsing


There is no description at this point.

References
2020-09-24 — CARO — Giampaolo Dedola, Mark Lechtik
Cycldek aka Goblin Panda: Chronicles of the Goblin
NewCore RAT USBCulprit
2020-06-03 — Kaspersky Labs — Giampaolo Dedola, GReAT, Mark Lechtik
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit GOBLIN PANDA Hellsing
2020-05-01 — Viettel Cybersecurity — Cyberthreat
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX
2020-02-12 — MeltX0R Security — MeltX0R
Goblin Panda APT: Recent infrastructure and RAT analysis
NewCore RAT
2020-01-29 — nao_sec blog — nao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader
2019-05-02 — Medium Sebdraven — Sébastien Larinier
Goblin Panda continues to target Vietnam
NewCore RAT
2017-09-05 — Fortinet — Artem Semenchenko, Jasper Manuel
Rehashed RAT Used in APT Campaign Against Vietnamese Organizations
NewCore RAT
Yara Rules
[TLP:WHITE] win_newcore_rat_auto (20260504 | Detects win.newcore_rat.)
rule win_newcore_rat_auto {
    /* Auto-generated (YARA-Signator) code-signature rule for win.newcore_rat.
     * Ten hex strings ($sequence_0 .. $sequence_9) each encode a short run of
     * 32-bit x86 instruction bytes taken from analysed samples. The rule fires
     * when any 7 of the 10 sequences are present and the scanned file is
     * smaller than 581632 bytes (0x8E000) -- see the condition at the bottom.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.newcore_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Because the sequences come from memory dumps and unpacked files (see the
     * disclaimer), a packed or otherwise obfuscated on-disk sample is unlikely
     * to match until it has been unpacked or dumped from memory.
     *
     * The `??` wildcards below match any byte. Given the signator_config above
     * (callsandjumps;datarefs), they mask the 4-byte operands of call/jump
     * targets and absolute data references, which change between builds and
     * with the load address, so each sequence keys on the surrounding opcodes
     * rather than on specific addresses.
     */

    strings:
        $sequence_0 = { 85c0 0f8455ffffff 8b07 50 ff15???????? e8???????? 85c0 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   0f8455ffffff         | je                  0xffffff5b
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_1 = { 56 c744241c01000000 ffd7 85c0 75a6 6a04 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   c744241c01000000     | mov                 dword ptr [esp + 0x1c], 1
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   75a6                 | jne                 0xffffffa8
            //   6a04                 | push                4

        $sequence_2 = { 896c2428 896c242c 896c2430 896c2434 e8???????? 53 }
            // n = 6, score = 100
            //   896c2428             | mov                 dword ptr [esp + 0x28], ebp
            //   896c242c             | mov                 dword ptr [esp + 0x2c], ebp
            //   896c2430             | mov                 dword ptr [esp + 0x30], ebp
            //   896c2434             | mov                 dword ptr [esp + 0x34], ebp
            //   e8????????           |                     
            //   53                   | push                ebx

        $sequence_3 = { ff15???????? 50 8d542420 6800010000 52 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   50                   | push                eax
            //   8d542420             | lea                 edx, [esp + 0x20]
            //   6800010000           | push                0x100
            //   52                   | push                edx

        // NOTE(review): `mov eax, [mem]; xor eax, esp; mov [esp+N], eax` looks
        // like a compiler-emitted stack-cookie prologue rather than family-
        // specific logic, so on its own this sequence presumably adds little
        // specificity -- confirm before weighting it in a triage score.
        $sequence_4 = { a1???????? 33c4 8984245c080000 8b84246c080000 53 55 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   8984245c080000       | mov                 dword ptr [esp + 0x85c], eax
            //   8b84246c080000       | mov                 eax, dword ptr [esp + 0x86c]
            //   53                   | push                ebx
            //   55                   | push                ebp

        $sequence_5 = { 68ff030000 33ff 8d8424bd050000 57 50 c644242300 c68424c405000000 }
            // n = 7, score = 100
            //   68ff030000           | push                0x3ff
            //   33ff                 | xor                 edi, edi
            //   8d8424bd050000       | lea                 eax, [esp + 0x5bd]
            //   57                   | push                edi
            //   50                   | push                eax
            //   c644242300           | mov                 byte ptr [esp + 0x23], 0
            //   c68424c405000000     | mov                 byte ptr [esp + 0x5c4], 0

        // The absolute address 0x1003a640 in the `lea` below is baked into the
        // hex string (bytes 40a60310) rather than wildcarded, so this sequence
        // is tied to the analysed sample's image base and will not match a
        // rebased or relocated copy of the same code.
        $sequence_6 = { 8b1d???????? 8d34bd40a60310 833e00 752a 68???????? ffd3 833e00 }
            // n = 7, score = 100
            //   8b1d????????         |                     
            //   8d34bd40a60310       | lea                 esi, [edi*4 + 0x1003a640]
            //   833e00               | cmp                 dword ptr [esi], 0
            //   752a                 | jne                 0x2c
            //   68????????           |                     
            //   ffd3                 | call                ebx
            //   833e00               | cmp                 dword ptr [esi], 0

        // NOTE(review): zeroing eax followed by a large-frame load and callee-
        // saved register pops reads like a generic function epilogue; treat its
        // contribution as weak until confirmed against the sample.
        $sequence_7 = { 33c0 8b8c24bc090000 5f 5e 5d }
            // n = 5, score = 100
            //   33c0                 | xor                 eax, eax
            //   8b8c24bc090000       | mov                 ecx, dword ptr [esp + 0x9bc]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_8 = { ffd6 85c0 74a2 b30d 83f8ff 749b 83ff04 }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   85c0                 | test                eax, eax
            //   74a2                 | je                  0xffffffa4
            //   b30d                 | mov                 bl, 0xd
            //   83f8ff               | cmp                 eax, -1
            //   749b                 | je                  0xffffff9d
            //   83ff04               | cmp                 edi, 4

        $sequence_9 = { 52 e8???????? 8b44241c 83c0f0 83c40c 8d480c 83caff }
            // n = 7, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   83c0f0               | add                 eax, -0x10
            //   83c40c               | add                 esp, 0xc
            //   8d480c               | lea                 ecx, [eax + 0xc]
            //   83caff               | or                  edx, 0xffffffff

    condition:
        // Any 7 of the 10 $sequence_* strings, in any order and at any offset,
        // and the scanned object is under 581632 bytes (0x8E000). `filesize`
        // is defined for file scans; how it evaluates when scanning process
        // memory depends on the YARA version -- confirm before relying on this
        // rule in a memory-scanning workflow.
        7 of them and filesize < 581632
}