Actor(s): Silent Chollima
There is no description at this point.
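rule win_petit_potato_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.petit_potato."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.petit_potato"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The per-line disassembly annotations shipped with the autogenerated
     *   rule were produced by a 32-bit decoder and were misaligned with the
     *   byte sequences (every REX prefix showed up as "dec eax"/"dec esp").
     *   They have been replaced below with a reviewer's x86-64 decode of the
     *   exact bytes in each string. The bytes themselves are unchanged;
     *   verify the annotations against a disassembler before relying on them.
     * - All sequences are 64-bit code, so this rule targets the x64 build of
     *   the family. A 32-bit build (if one exists) will not match.
     * - $sequence_6 is a plain 16-byte SSE XOR over two stack buffers
     *   (movdqa / pxor / movdqa), a primitive that also occurs in ordinary
     *   crypto and hashing code; on its own it is weak evidence. The
     *   "7 of them" threshold is what keeps the rule specific.
     * - The rule intentionally has no PE-header check (e.g. MZ magic) because
     *   the strings were mined from memory dumps and unpacked images; adding
     *   one would drop matches on dumps that lack a header. Add it in your
     *   own deployment only if you scan PE files on disk exclusively.
     * - "e8 ????????" wildcards cover call targets; rip-relative lea
     *   displacements (e.g. 4e300100) are NOT wildcarded, so these strings
     *   are tied to the layout of the documented sample and may not survive
     *   a recompile/relink. Treat confidence accordingly.
     */

    strings:
        $sequence_0 = { 4889442450 488b442450 4889842400060000 48b8501adcae54c47955 4889442450 }
            // n = 5, score = 100
            //   4889442450           | mov qword ptr [rsp + 0x50], rax
            //   488b442450           | mov rax, qword ptr [rsp + 0x50]
            //   4889842400060000     | mov qword ptr [rsp + 0x600], rax
            //   48b8501adcae54c47955 | movabs rax, 0x5579c454aedc1a50
            //   4889442450           | mov qword ptr [rsp + 0x50], rax

        $sequence_1 = { 48898520020000 488bf9 33f6 0f57c0 33c0 0f114540 0f114550 }
            // n = 7, score = 100
            //   48898520020000       | mov qword ptr [rbp + 0x220], rax
            //   488bf9               | mov rdi, rcx
            //   33f6                 | xor esi, esi
            //   0f57c0               | xorps xmm0, xmm0
            //   33c0                 | xor eax, eax
            //   0f114540             | movups xmmword ptr [rbp + 0x40], xmm0
            //   0f114550             | movups xmmword ptr [rbp + 0x50], xmm0

        $sequence_2 = { 48c785080300000f000000 0f1f840000000000 49ffc0 46382400 75f7 488d9510010000 488d8df0020000 }
            // n = 7, score = 100
            //   48c785080300000f000000 | mov qword ptr [rbp + 0x308], 0xf
            //   0f1f840000000000     | nop dword ptr [rax + rax]
            //   49ffc0               | inc r8
            //   46382400             | cmp byte ptr [rax + r8], r12b
            //   75f7                 | jne -0x9          (back to "inc r8": a byte-scan loop)
            //   488d9510010000       | lea rdx, [rbp + 0x110]
            //   488d8df0020000       | lea rcx, [rbp + 0x2f0]

        $sequence_3 = { b902000000 488d154e300100 e8???????? 4885c0 7415 488b4c2460 4c8bcb }
            // n = 7, score = 100
            //   b902000000           | mov ecx, 2
            //   488d154e300100       | lea rdx, [rip + 0x1304e]
            //   e8????????           | call <wildcarded target>
            //   4885c0               | test rax, rax
            //   7415                 | je +0x15
            //   488b4c2460           | mov rcx, qword ptr [rsp + 0x60]
            //   4c8bcb               | mov r9, rbx

        $sequence_4 = { 4889442420 e8???????? 488d2d7f400100 4c8d0578410100 498bd5 498bce e8???????? }
            // n = 7, score = 100
            //   4889442420           | mov qword ptr [rsp + 0x20], rax
            //   e8????????           | call <wildcarded target>
            //   488d2d7f400100       | lea rbp, [rip + 0x1407f]
            //   4c8d0578410100       | lea r8, [rip + 0x14178]
            //   498bd5               | mov rdx, r13
            //   498bce               | mov rcx, r14
            //   e8????????           | call <wildcarded target>

        $sequence_5 = { 488b442430 48897c2430 48898598060000 488b442430 4889742430 488985a0060000 488b442430 }
            // n = 7, score = 100
            //   488b442430           | mov rax, qword ptr [rsp + 0x30]
            //   48897c2430           | mov qword ptr [rsp + 0x30], rdi
            //   48898598060000       | mov qword ptr [rbp + 0x698], rax
            //   488b442430           | mov rax, qword ptr [rsp + 0x30]
            //   4889742430           | mov qword ptr [rsp + 0x30], rsi
            //   488985a0060000       | mov qword ptr [rbp + 0x6a0], rax
            //   488b442430           | mov rax, qword ptr [rsp + 0x30]

        $sequence_6 = { 660f6f8c24c0000000 660fef8c2470090000 660f7f8c24c0000000 660f6f8424d0000000 660fef842480090000 660f7f8424d0000000 660f6f8c24e0000000 }
            // n = 7, score = 100  (generic 16-byte XOR of two stack buffers; see REVIEW NOTES)
            //   660f6f8c24c0000000   | movdqa xmm1, xmmword ptr [rsp + 0xc0]
            //   660fef8c2470090000   | pxor xmm1, xmmword ptr [rsp + 0x970]
            //   660f7f8c24c0000000   | movdqa xmmword ptr [rsp + 0xc0], xmm1
            //   660f6f8424d0000000   | movdqa xmm0, xmmword ptr [rsp + 0xd0]
            //   660fef842480090000   | pxor xmm0, xmmword ptr [rsp + 0x980]
            //   660f7f8424d0000000   | movdqa xmmword ptr [rsp + 0xd0], xmm0
            //   660f6f8c24e0000000   | movdqa xmm1, xmmword ptr [rsp + 0xe0]

        $sequence_7 = { 4d85c0 7e2d 482bfe 488d1d25c7fdff 8a0437 }
            // n = 5, score = 100
            //   4d85c0               | test r8, r8
            //   7e2d                 | jle +0x2d
            //   482bfe               | sub rdi, rsi
            //   488d1d25c7fdff       | lea rbx, [rip - 0x238db]
            //   8a0437               | mov al, byte ptr [rdi + rsi]

        $sequence_8 = { 488d4c2420 0f1102 e8???????? 488d05bde80100 488903 488bc3 4883c430 }
            // n = 7, score = 100
            //   488d4c2420           | lea rcx, [rsp + 0x20]
            //   0f1102               | movups xmmword ptr [rdx], xmm0
            //   e8????????           | call <wildcarded target>
            //   488d05bde80100       | lea rax, [rip + 0x1e8bd]
            //   488903               | mov qword ptr [rbx], rax
            //   488bc3               | mov rax, rbx
            //   4883c430             | add rsp, 0x30

        $sequence_9 = { 488d1d96de0200 488d05a7de0200 480f44d8 ba01000000 488d4c2420 e8???????? 4c8bc0 }
            // n = 7, score = 100
            //   488d1d96de0200       | lea rbx, [rip + 0x2de96]
            //   488d05a7de0200       | lea rax, [rip + 0x2dea7]
            //   480f44d8             | cmove rbx, rax
            //   ba01000000           | mov edx, 1
            //   488d4c2420           | lea rcx, [rsp + 0x20]
            //   e8????????           | call <wildcarded target>
            //   4c8bc0               | mov r8, rax

    condition:
        // Behaviour of the autogenerated rule is preserved: at least 7 of the
        // 10 code sequences must be present, and the scanned object must be
        // smaller than 628736 bytes (614 KiB). The size bound is derived from
        // the documented sample; a repacked or bloated build may exceed it.
        7 of them and filesize < 628736
}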