Actor(s): Winnti Umbrella
There is no description at this point.
/*
 * Autogenerated YARA-Signator rule for the win.pipemon family (the Malpedia
 * entry lists the actor as Winnti Umbrella).
 *
 * What it matches on: the ten `$sequence_N` byte strings below are raw x86-64
 * opcode sequences lifted from disassembly of Malpedia samples. A file matches
 * when at least 7 of the 10 sequences are present AND the file is smaller than
 * 389120 bytes (condition at the bottom).
 *
 * NOTE(review): the `| <mnemonic>` annotations next to each byte string do not
 * appear to correspond to the bytes on the same line (e.g. `0f1f00` is
 * annotated as a `mov dword ptr ...`, `5b` as `mov edx, esi`); they look like
 * shifted/32-bit-mode disassembly output from the generator. Treat them as
 * informational only — only the hex bytes take part in matching.
 *
 * NOTE(review): `??` bytes are wildcards; given signator_config
 * "callsandjumps;datarefs;binvalue" these are presumably the relocatable
 * call/jump displacements — verify against the yara-signator docs if the
 * exact masking policy matters for your tuning.
 *
 * NOTE(review): the rule matches only a single documented sample per the
 * disclaimer below, so coverage of other builds/versions is not guaranteed;
 * assign confidence accordingly.
 */
rule win_pipemon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.pipemon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemon"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Per-sequence "n" is the number of byte groups in the sequence;
        // "score" is a generator-assigned metric — its exact meaning is not
        // documented on this page, so do not read it as a match weight.
        $sequence_0 = { 488bc2 488d0d1d450100 48890b 488d5308 }
            // n = 4, score = 100
            //   488bc2               | dec                 eax
            //   488d0d1d450100       | mov                 ebx, ecx
            //   48890b               | dec                 eax
            //   488d5308             | lea                 edi, [0xfffe700c]

        $sequence_1 = { c745b038020000 488d55b0 488bc8 ff15???????? 85c0 7440 }
            // n = 6, score = 100
            //   c745b038020000       | mov                 dword ptr [esp + 0x38], 0
            //   488d55b0             | inc                 ecx
            //   488bc8               | mov                 ecx, 1
            //   ff15????????         |
            //   85c0                 | dec                 eax
            //   7440                 | mov                 ebx, ecx

        $sequence_2 = { 4839b938010000 7516 488d05f3370100 4a8b04e8 42387c3039 }
            // n = 5, score = 100
            //   4839b938010000       | dec                 eax
            //   7516                 | mov                 edi, dword ptr [esp + 0x70]
            //   488d05f3370100       | dec                 eax
            //   4a8b04e8             | lea                 ecx, [edi + 0x28]
            //   42387c3039           | jmp                 0x95f

        $sequence_3 = { 0f1f00 8d4601 25ff000080 7d09 ffc8 0d00ffffff }
            // n = 6, score = 100
            //   0f1f00               | mov                 dword ptr [ebp + 0x27], 0x6567656c
            //   8d4601               | movdqu              xmmword ptr [ebp + 0x17], xmm0
            //   25ff000080           | mov                 word ptr [ebp + 0x2b], 0x73
            //   7d09                 | dec                 eax
            //   ffc8                 | lea                 edx, [ebp + 0x2f]
            //   0d00ffffff           | dec                 eax

        $sequence_4 = { 4c8d0d349b0000 f20f5cca f2410f590cc1 660f28d1 660f28c1 4c8d0dfb8a0000 }
            // n = 6, score = 100
            //   4c8d0d349b0000       | inc                 ecx
            //   f20f5cca             | mov                 edi, dword ptr [ecx]
            //   f2410f590cc1         | inc                 ecx
            //   660f28d1             | cmp                 dword ptr [eax + 0x20], edi
            //   660f28c1             | jbe                 0x4d3
            //   4c8d0dfb8a0000       | dec                 esp

        $sequence_5 = { 488b18 483bd8 0f84f7010000 448b4320 488d15e4fb0100 }
            // n = 5, score = 100
            //   488b18               | mov                 ecx, dword ptr [esp + 0x40]
            //   483bd8               | inc                 ecx
            //   0f84f7010000         | lea                 edx, [esp + 1]
            //   448b4320             | dec                 eax
            //   488d15e4fb0100       | mov                 ecx, dword ptr [esp + 0x50]

        $sequence_6 = { 48894310 33c9 e8???????? 48894318 c6432000 b910000000 e8???????? }
            // n = 7, score = 100
            //   48894310             | dec                 eax
            //   33c9                 | mov                 edi, dword ptr [ecx + 8]
            //   e8????????           |
            //   48894318             | dec                 eax
            //   c6432000             | mov                 ebx, edi
            //   b910000000           | cmp                 byte ptr [edi + 0x19], 0
            //   e8????????           |

        $sequence_7 = { 4983c302 6685db 0f856cffffff 4c89642428 }
            // n = 4, score = 100
            //   4983c302             | add                 esp, 0x78
            //   6685db               | inc                 ecx
            //   0f856cffffff         | pop                 esp
            //   4c89642428           | dec                 eax

        $sequence_8 = { 5b c3 4883ec38 488d05f5960000 41b91b000000 4889442420 e8???????? }
            // n = 7, score = 100
            //   5b                   | mov                 edx, esi
            //   c3                   | dec                 eax
            //   4883ec38             | mov                 ecx, edi
            //   488d05f5960000       | test                eax, eax
            //   41b91b000000         | jne                 0x720
            //   4889442420           | dec                 eax
            //   e8????????           |

        $sequence_9 = { 4489a500020000 488d442460 488985f8010000 ba01000000 488d4c2460 }
            // n = 5, score = 100
            //   4489a500020000       | mov                 ebx, dword ptr [ebp - 0x80]
            //   488d442460           | cmp                 word ptr [esi], 0
            //   488985f8010000       | jne                 0x24e
            //   ba01000000           | dec                 eax
            //   488d4c2460           | mov                 ebx, dword ptr [ebp - 0x78]

    condition:
        // 7 of the 10 sequences must be present; the filesize bound (< 380 KiB)
        // limits the rule to small files/dumps.
        // NOTE(review): `filesize` is only meaningful when scanning files; when
        // scanning process memory it is undefined in YARA and this condition
        // will not be satisfied — confirm against the YARA version in use and
        // consider dropping the bound for memory scans.
        7 of them and filesize < 389120
}