Actor(s): Evil Corp
There is no description at this point.
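rule win_payloadbin_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.payloadbin."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.payloadbin"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer note on the byte sequences below:
     * - Each $sequence_N is an ordered run of x86-64 instruction encodings taken
     *   from the unpacked/dumped sample; "n" is the number of instructions in the
     *   run and "score" is the generator's ranking of the sequence.
     * - The "????????" wildcards mask the 32-bit relative displacement of e9 (jmp)
     *   and e8 (call) so the sequence still matches when the code is linked at a
     *   different offset (cf. the "callsandjumps" entry in signator_config).
     * - The per-instruction disassembly annotations emitted by the generator were
     *   dropped here: they did not decode the bytes they were placed next to
     *   (e.g. the single byte 55 was labelled "inc ecx" although it encodes a
     *   push, and c3 was labelled "dec eax" although it encodes ret). Re-derive
     *   the disassembly from the hex bytes before relying on any instruction-level
     *   reading of these patterns; the hex bytes themselves are unchanged.
     * - The rule fires on 7 of the 10 sequences; because the sequences come from a
     *   single documented sample, treat a hit as a strong family indicator that
     *   still warrants confirmation, and expect misses on recompiled variants.
     */
    strings:
        $sequence_0 = { 6641f7c3503b 3bc7 e9???????? 0f8578000000 488b4c2430 660fca 4d0fb7cb } // n = 7, score = 100
        $sequence_1 = { 488bb42480000000 81ff41628163 e9???????? 483bf7 0f8408010000 488bee } // n = 6, score = 100
        $sequence_2 = { 68eb3a8171 55 68396f8656 6819276b5f 682109a155 4c8b6c2438 48c7442438404fa1db } // n = 7, score = 100
        $sequence_3 = { e9???????? bb03000000 4533e4 413bdc e9???????? 0f85a3060000 488b4c2430 } // n = 7, score = 100
        $sequence_4 = { 4c3be5 e9???????? 0f85acffffff 85f6 e9???????? 0f841e000000 } // n = 6, score = 100
        $sequence_5 = { 4d8b01 66c1e218 66418b10 f9 40fec7 493bc4 4981c106000000 } // n = 7, score = 100
        $sequence_6 = { 80bc24100000003d 4155 488184241000000033139340 4c8bac2418000000 688071f060 66c1b42400000000d9 0f8588950100 } // n = 7, score = 100
        $sequence_7 = { 8d56d4 fa 158935079e 9e 4657 250543b1d9 f661fd } // n = 7, score = 100
        $sequence_8 = { 440fb7c1 4080fca3 6683f819 e9???????? 0f8703000000 4503c5 0fb703 } // n = 7, score = 100
        $sequence_9 = { 4881842408000000dbb6ecff 5d c3 8084241000000078 e8???????? 68bc6baf1f } // n = 6, score = 100

    condition:
        // filesize bound (in bytes) limits scanning cost and excludes files far
        // larger than the sample the sequences were taken from.
        7 of them and filesize < 3761152
}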