win.observer_stealer (Back to overview)

ObserverStealer


There is no description at this point.

References
2023-06-23 Medium Taisiia Garkava
ObserverStealer: Unmasking the New Contender in Cyber Crime
ObserverStealer
Yara Rules
[TLP:WHITE] win_observer_stealer_auto (20260504 | Detects win.observer_stealer.)
rule win_observer_stealer_auto {
    // Auto-generated code-sequence rule for win.observer_stealer (see meta.tool).
    // Each $sequence_N is a run of x86 opcode bytes; the comment block under each
    // string reproduces the instructions those bytes encode. Every "e8????????"
    // is a CALL (opcode e8) whose 4-byte rel32 target is wildcarded, so the match
    // does not depend on where the callee was linked.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.observer_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.observer_stealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // n = number of instructions in the sequence; score is the generator's
        // selection score for the sequence.
        $sequence_0 = { ab 83662c00 c746300f000000 c6461c00 e8???????? 5f 8bc6 }
            // n = 7, score = 100
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   83662c00             | and                 dword ptr [esi + 0x2c], 0
            //   c746300f000000       | mov                 dword ptr [esi + 0x30], 0xf
            //   c6461c00             | mov                 byte ptr [esi + 0x1c], 0
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi

        $sequence_1 = { 40 eb3e f7465000000200 7410 6a00 e8???????? }
            // n = 6, score = 100
            //   40                   | inc                 eax
            //   eb3e                 | jmp                 0x40
            //   f7465000000200       | test                dword ptr [esi + 0x50], 0x20000
            //   7410                 | je                  0x12
            //   6a00                 | push                0
            //   e8????????           |                     

        $sequence_2 = { 8d5508 57 8d4c2424 e8???????? 837c243400 0f8483010000 837c243808 }
            // n = 7, score = 100
            //   8d5508               | lea                 edx, [ebp + 8]
            //   57                   | push                edi
            //   8d4c2424             | lea                 ecx, [esp + 0x24]
            //   e8????????           |                     
            //   837c243400           | cmp                 dword ptr [esp + 0x34], 0
            //   0f8483010000         | je                  0x189
            //   837c243808           | cmp                 dword ptr [esp + 0x38], 8

        $sequence_3 = { 7422 83c8ff f00fc14120 7518 8b33 eb10 8bce }
            // n = 7, score = 100
            //   7422                 | je                  0x24
            //   83c8ff               | or                  eax, 0xffffffff
            //   f00fc14120           | lock xadd           dword ptr [ecx + 0x20], eax
            //   7518                 | jne                 0x1a
            //   8b33                 | mov                 esi, dword ptr [ebx]
            //   eb10                 | jmp                 0x12
            //   8bce                 | mov                 ecx, esi

        $sequence_4 = { 8b442420 8b38 8bd7 e8???????? 8364241800 2bfe 59 }
            // n = 7, score = 100
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   8b38                 | mov                 edi, dword ptr [eax]
            //   8bd7                 | mov                 edx, edi
            //   e8????????           |                     
            //   8364241800           | and                 dword ptr [esp + 0x18], 0
            //   2bfe                 | sub                 edi, esi
            //   59                   | pop                 ecx

        // NOTE(review): the disassembly below is atypical (daa, adc al, ...).
        // Read as little-endian dwords the bytes are 0x00411227, 0x0041123a,
        // 0x0041124e followed by the low bytes of a fourth value, which looks
        // like a table of absolute addresses (data, not code) — TODO confirm.
        // If so, this string is tied to the sample's image base and is a weaker
        // indicator than the code sequences; weight it accordingly.
        $sequence_5 = { 27 124100 3a12 41 004e12 41 00741241 }
            // n = 7, score = 100
            //   27                   | daa                 
            //   124100               | adc                 al, byte ptr [ecx]
            //   3a12                 | cmp                 dl, byte ptr [edx]
            //   41                   | inc                 ecx
            //   004e12               | add                 byte ptr [esi + 0x12], cl
            //   41                   | inc                 ecx
            //   00741241             | add                 byte ptr [edx + edx + 0x41], dh

        $sequence_6 = { ffb424f8020000 0f438c24ec020000 51 51 8bc8 e8???????? 50 }
            // n = 7, score = 100
            //   ffb424f8020000       | push                dword ptr [esp + 0x2f8]
            //   0f438c24ec020000     | cmovae              ecx, dword ptr [esp + 0x2ec]
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_7 = { 8d8c249c000000 51 6a01 50 ffd5 8d4c2478 }
            // n = 6, score = 100
            //   8d8c249c000000       | lea                 ecx, [esp + 0x9c]
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   50                   | push                eax
            //   ffd5                 | call                ebp
            //   8d4c2478             | lea                 ecx, [esp + 0x78]

        $sequence_8 = { f7f9 8bcf 8bd0 d1ea 2bca 56 3bc1 }
            // n = 7, score = 100
            //   f7f9                 | idiv                ecx
            //   8bcf                 | mov                 ecx, edi
            //   8bd0                 | mov                 edx, eax
            //   d1ea                 | shr                 edx, 1
            //   2bca                 | sub                 ecx, edx
            //   56                   | push                esi
            //   3bc1                 | cmp                 eax, ecx

        $sequence_9 = { e8???????? 59 c3 55 8bec 83e4f8 81ecf0000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83e4f8               | and                 esp, 0xfffffff8
            //   81ecf0000000         | sub                 esp, 0xf0

    condition:
        // Any 7 of the 10 sequences above must be present, and the scanned file
        // must be under 614400 bytes (600 KiB). Sequences 0..9 come from unpacked
        // or memory-dumped samples (see DISCLAIMER), so packed on-disk files may
        // not match.
        7 of them and filesize < 614400
}