Actor(s): Lazarus Group
There is no description at this point.
rule win_op_blockbuster_auto {
    // Auto-generated code-sequence signature for the win.op_blockbuster family
    // (attributed on the Malpedia page to Lazarus Group). Detection logic: at least
    // 7 of the 33 opcode sequences below must be present in a file smaller than
    // 74309632 bytes (~71 MiB). See the DISCLAIMER for how the sequences were chosen.
    //
    // NOTE(review): in the upstream rendering of this rule the per-byte disassembly
    // comments were misaligned with the hex (each sequence carried another sequence's
    // listing). They have been re-derived by hand from the bytes shown here --
    // confirm with a disassembler before relying on them. "????????" wildcards mask
    // relocated address/immediate operands and are not disassembled.
    // Sequences with REX prefixes (e.g. $sequence_10, _12, _16, _19, _20, _23, _24)
    // come from an x64 build; the remainder are 32-bit code.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.op_blockbuster."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each "n" is the number of instructions in the sequence; "score" is the
        // yara-signator ranking (higher = seen in more of the family's samples).
        $sequence_0 = { 8a08 80f920 7505 83c021 }
            // n = 4, score = 800
            //   8a08                 | mov cl, byte ptr [eax]
            //   80f920               | cmp cl, 0x20
            //   7505                 | jne short +0x5
            //   83c021               | add eax, 0x21
        $sequence_1 = { c701???????? 8b497c 85c9 7407 }
            // n = 4, score = 800
            //   c701????????         | mov dword ptr [ecx], imm32
            //   8b497c               | mov ecx, dword ptr [ecx + 0x7c]
            //   85c9                 | test ecx, ecx
            //   7407                 | je short +0x7
        $sequence_2 = { 57 683c400000 6a40 ff15???????? }
            // n = 4, score = 800
            //   57                   | push edi
            //   683c400000           | push 0x403c
            //   6a40                 | push 0x40
            //   ff15????????         | call dword ptr [addr]
        $sequence_3 = { e8???????? 6800400000 6a00 ff15???????? }
            // n = 4, score = 800
            //   e8????????           | call rel32
            //   6800400000           | push 0x4000
            //   6a00                 | push 0
            //   ff15????????         | call dword ptr [addr]
        $sequence_4 = { f3ab 66ab aa 5f 85f6 5e }
            // n = 6, score = 800
            //   f3ab                 | rep stosd
            //   66ab                 | stosw
            //   aa                   | stosb
            //   5f                   | pop edi
            //   85f6                 | test esi, esi
            //   5e                   | pop esi
        $sequence_5 = { e8???????? 85c0 7407 83f802 }
            // n = 4, score = 800
            //   e8????????           | call rel32
            //   85c0                 | test eax, eax
            //   7407                 | je short +0x7
            //   83f802               | cmp eax, 2
        $sequence_6 = { ff15???????? 6808400000 6a40 ff15???????? }
            // n = 4, score = 800
            //   ff15????????         | call dword ptr [addr]
            //   6808400000           | push 0x4008
            //   6a40                 | push 0x40
            //   ff15????????         | call dword ptr [addr]
        $sequence_7 = { 68???????? 56 ff15???????? 68???????? 56 a3???????? e8???????? }
            // n = 7, score = 700
            //   68????????           | push imm32
            //   56                   | push esi
            //   ff15????????         | call dword ptr [addr]
            //   68????????           | push imm32
            //   56                   | push esi
            //   a3????????           | mov dword ptr [addr], eax
            //   e8????????           | call rel32
        $sequence_8 = { 56 50 8d45fc 6a04 50 }
            // n = 5, score = 700
            //   56                   | push esi
            //   50                   | push eax
            //   8d45fc               | lea eax, [ebp - 4]
            //   6a04                 | push 4
            //   50                   | push eax
        $sequence_9 = { 3c69 7c08 3c70 7f04 0409 eb06 3c72 }
            // n = 7, score = 500
            //   3c69                 | cmp al, 0x69
            //   7c08                 | jl short +0x8
            //   3c70                 | cmp al, 0x70
            //   7f04                 | jg short +0x4
            //   0409                 | add al, 9
            //   eb06                 | jmp short +0x6
            //   3c72                 | cmp al, 0x72
        $sequence_10 = { 488d4590 4c8d8510010000 4889442448 4c89642440 4c89642438 4489642430 }
            // n = 6, score = 300
            //   488d4590             | lea rax, [rbp - 0x70]
            //   4c8d8510010000       | lea r8, [rbp + 0x110]
            //   4889442448           | mov qword ptr [rsp + 0x48], rax
            //   4c89642440           | mov qword ptr [rsp + 0x40], r12
            //   4c89642438           | mov qword ptr [rsp + 0x38], r12
            //   4489642430           | mov dword ptr [rsp + 0x30], r12d
        $sequence_11 = { ff15???????? 85f6 7404 85c0 }
            // n = 4, score = 300
            //   ff15????????         | call [addr]
            //   85f6                 | test esi, esi
            //   7404                 | je short +0x4
            //   85c0                 | test eax, eax
        $sequence_12 = { 4533c9 ba7a341200 e9???????? 4053 4883ec20 ff15???????? 8bc8 }
            // n = 7, score = 300
            //   4533c9               | xor r9d, r9d
            //   ba7a341200           | mov edx, 0x12347a
            //   e9????????           | jmp rel32
            //   4053                 | push rbx
            //   4883ec20             | sub rsp, 0x20
            //   ff15????????         | call qword ptr [rip + disp32]
            //   8bc8                 | mov ecx, eax
        $sequence_13 = { 5e c3 68???????? ff15???????? 85c0 7412 68???????? }
            // n = 7, score = 300
            //   5e                   | pop esi
            //   c3                   | ret
            //   68????????           | push imm32
            //   ff15????????         | call dword ptr [addr]
            //   85c0                 | test eax, eax
            //   7412                 | je short +0x12
            //   68????????           | push imm32
        $sequence_14 = { 56 6a00 ff15???????? 8bf8 85ff 7504 }
            // n = 6, score = 300
            //   56                   | push esi
            //   6a00                 | push 0
            //   ff15????????         | call dword ptr [addr]
            //   8bf8                 | mov edi, eax
            //   85ff                 | test edi, edi
            //   7504                 | jne short +0x4
        $sequence_15 = { c3 56 53 6a01 57 e8???????? }
            // n = 6, score = 300
            //   c3                   | ret
            //   56                   | push esi
            //   53                   | push ebx
            //   6a01                 | push 1
            //   57                   | push edi
            //   e8????????           | call rel32
        $sequence_16 = { ff15???????? 488d542440 488bcf ff15???????? 4c8be0 4883f8ff 0f840b010000 }
            // n = 7, score = 300
            //   ff15????????         | call qword ptr [rip + disp32]
            //   488d542440           | lea rdx, [rsp + 0x40]
            //   488bcf               | mov rcx, rdi
            //   ff15????????         | call qword ptr [rip + disp32]
            //   4c8be0               | mov r12, rax
            //   4883f8ff             | cmp rax, -1
            //   0f840b010000         | je near +0x10b
        $sequence_17 = { 6a01 57 e8???????? 56 e8???????? 83c414 b801000000 }
            // n = 7, score = 300
            //   6a01                 | push 1
            //   57                   | push edi
            //   e8????????           | call rel32
            //   56                   | push esi
            //   e8????????           | call rel32
            //   83c414               | add esp, 0x14
            //   b801000000           | mov eax, 1
        $sequence_18 = { 68???????? 56 e8???????? 56 e8???????? 83c438 }
            // n = 6, score = 300
            //   68????????           | push imm32
            //   56                   | push esi
            //   e8????????           | call rel32
            //   56                   | push esi
            //   e8????????           | call rel32
            //   83c438               | add esp, 0x38
        $sequence_19 = { 4154 4155 4881ecf0070000 488b05???????? 4833c4 48898424d0070000 }
            // n = 6, score = 300
            //   4154                 | push r12
            //   4155                 | push r13
            //   4881ecf0070000       | sub rsp, 0x7f0
            //   488b05????????       | mov rax, qword ptr [rip + disp32]
            //   4833c4               | xor rax, rsp
            //   48898424d0070000     | mov qword ptr [rsp + 0x7d0], rax
        $sequence_20 = { ff15???????? 8b442444 eb10 48b8756e6b6e6f776e00 }
            // n = 4, score = 300
            //   ff15????????         | call qword ptr [rip + disp32]
            //   8b442444             | mov eax, dword ptr [rsp + 0x44]
            //   eb10                 | jmp short +0x10
            //   48b8756e6b6e6f776e00 | movabs rax, 0x006e776f6e6b6e75  ; bytes spell "unknown\0"
        $sequence_21 = { 57 ff15???????? 8bc6 5f 5e c3 33c0 }
            // n = 7, score = 300
            //   57                   | push edi
            //   ff15????????         | call dword ptr [addr]
            //   8bc6                 | mov eax, esi
            //   5f                   | pop edi
            //   5e                   | pop esi
            //   c3                   | ret
            //   33c0                 | xor eax, eax
        $sequence_22 = { c3 33c0 ebf8 53 33db 391d???????? 56 }
            // n = 7, score = 300
            //   c3                   | ret
            //   33c0                 | xor eax, eax
            //   ebf8                 | jmp short -0x8
            //   53                   | push ebx
            //   33db                 | xor ebx, ebx
            //   391d????????         | cmp dword ptr [addr], ebx
            //   56                   | push esi
        $sequence_23 = { 4533c9 33d2 4489642428 4c89642478 c7459068000000 }
            // n = 5, score = 300
            //   4533c9               | xor r9d, r9d
            //   33d2                 | xor edx, edx
            //   4489642428           | mov dword ptr [rsp + 0x28], r12d
            //   4c89642478           | mov qword ptr [rsp + 0x78], r12
            //   c7459068000000       | mov dword ptr [rbp - 0x70], 0x68
        $sequence_24 = { 488b8c24c0060000 4833cc e8???????? 4881c4d8060000 5e }
            // n = 5, score = 300
            //   488b8c24c0060000     | mov rcx, qword ptr [rsp + 0x6c0]
            //   4833cc               | xor rcx, rsp
            //   e8????????           | call rel32
            //   4881c4d8060000       | add rsp, 0x6d8
            //   5e                   | pop rsi
        $sequence_25 = { 77c5 ff2485f20c4100 8bce e8???????? eb45 }
            // n = 5, score = 200
            //   77c5                 | ja short -0x3b
            //   ff2485f20c4100       | jmp dword ptr [eax*4 + 0x410cf2]
            //   8bce                 | mov ecx, esi
            //   e8????????           | call rel32
            //   eb45                 | jmp short +0x45
        $sequence_26 = { 895de4 8b049dd8974400 8945d4 8955e8 8a5c1029 80fb02 }
            // n = 6, score = 200
            //   895de4               | mov dword ptr [ebp - 0x1c], ebx
            //   8b049dd8974400       | mov eax, dword ptr [ebx*4 + 0x4497d8]
            //   8945d4               | mov dword ptr [ebp - 0x2c], eax
            //   8955e8               | mov dword ptr [ebp - 0x18], edx
            //   8a5c1029             | mov bl, byte ptr [eax + edx + 0x29]
            //   80fb02               | cmp bl, 2
        $sequence_27 = { c1f906 6bd030 8a45fe 8b0c8dd8974400 88441129 8b0b }
            // n = 6, score = 200
            //   c1f906               | sar ecx, 6
            //   6bd030               | imul edx, eax, 0x30
            //   8a45fe               | mov al, byte ptr [ebp - 2]
            //   8b0c8dd8974400       | mov ecx, dword ptr [ecx*4 + 0x4497d8]
            //   88441129             | mov byte ptr [ecx + edx + 0x29], al
            //   8b0b                 | mov ecx, dword ptr [ebx]
        $sequence_28 = { 83c8ff eb68 ff75fc 8d85e8efffff }
            // n = 4, score = 100
            //   83c8ff               | or eax, 0xffffffff
            //   eb68                 | jmp short +0x68
            //   ff75fc               | push dword ptr [ebp - 4]
            //   8d85e8efffff         | lea eax, [ebp - 0x1018]
        $sequence_29 = { 66f7460c0c01 7552 833c85048f400000 53 }
            // n = 4, score = 100
            //   66f7460c0c01         | test word ptr [esi + 0xc], 0x10c
            //   7552                 | jne short +0x52
            //   833c85048f400000     | cmp dword ptr [eax*4 + 0x408f04], 0
            //   53                   | push ebx
        $sequence_30 = { e8???????? 59 8bc6 5e c20400 833d????????ff }
            // n = 6, score = 100
            //   e8????????           | call rel32
            //   59                   | pop ecx
            //   8bc6                 | mov eax, esi
            //   5e                   | pop esi
            //   c20400               | ret 4
            //   833d????????ff       | cmp dword ptr [addr], 0xffffffff
        $sequence_31 = { 85c0 59 0f8495000000 56 }
            // n = 4, score = 100
            //   85c0                 | test eax, eax
            //   59                   | pop ecx
            //   0f8495000000         | je near +0x95
            //   56                   | push esi
        $sequence_32 = { ff15???????? 85c0 7d07 33f6 e9???????? }
            // n = 5, score = 100
            //   ff15????????         | call dword ptr [addr]
            //   85c0                 | test eax, eax
            //   7d07                 | jge short +0x7
            //   33f6                 | xor esi, esi
            //   e9????????           | jmp rel32

    condition:
        // Low-scoring sequences (100-300) alone are not sufficient; the 7-of-33
        // threshold is what gives this rule its specificity.
        7 of them and filesize < 74309632
}