Actor(s): APT37
There is no description at this point.
rule win_poohmilk_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.poohmilk." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8d85ecfdffff 50 ffd7 8d8dc8fbffff 51 8d95ecfdffff } // n = 6, score = 200 // 8d85ecfdffff | lea eax, [ebp - 0x214] // 50 | push eax // ffd7 | call edi // 8d8dc8fbffff | lea ecx, [ebp - 0x438] // 51 | push ecx // 8d95ecfdffff | lea edx, [ebp - 0x214] $sequence_1 = { 8b5738 8b4230 6a00 51 56 50 } // n = 6, score = 200 // 8b5738 | mov edx, dword ptr [edi + 0x38] // 8b4230 | mov eax, dword ptr [edx + 0x30] // 6a00 | push 0 // 51 | push ecx // 56 | push esi // 50 | push eax $sequence_2 = { ff15???????? 85c0 0f84b9000000 8b542410 8d442414 50 } // n = 6, score = 200 // ff15???????? | // 85c0 | test eax, eax // 0f84b9000000 | je 0xbf // 8b542410 | mov edx, dword ptr [esp + 0x10] // 8d442414 | lea eax, [esp + 0x14] // 50 | push eax $sequence_3 = { 0f838d000000 0fbe8818344100 3bf1 7346 8b9564ffffff } // n = 5, score = 200 // 0f838d000000 | jae 0x93 // 0fbe8818344100 | movsx ecx, byte ptr [eax + 0x413418] // 3bf1 | cmp esi, ecx // 7346 | jae 0x48 // 8b9564ffffff | mov edx, dword ptr [ebp - 0x9c] $sequence_4 = { e8???????? 8be5 5d c3 8bbd98fbffff 8d8decfdffff } // n = 6, score = 200 // e8???????? | // 8be5 | mov esp, ebp // 5d | pop ebp // c3 | ret // 8bbd98fbffff | mov edi, dword ptr [ebp - 0x468] // 8d8decfdffff | lea ecx, [ebp - 0x214] $sequence_5 = { 6880000000 6a03 6a00 6a07 6800000080 56 ff15???????? } // n = 7, score = 200 // 6880000000 | push 0x80 // 6a03 | push 3 // 6a00 | push 0 // 6a07 | push 7 // 6800000080 | push 0x80000000 // 56 | push esi // ff15???????? | $sequence_6 = { bb90010000 f7fb 85d2 740d 8bc6 c1e002 8bb0b0724100 } // n = 7, score = 200 // bb90010000 | mov ebx, 0x190 // f7fb | idiv ebx // 85d2 | test edx, edx // 740d | je 0xf // 8bc6 | mov eax, esi // c1e002 | shl eax, 2 // 8bb0b0724100 | mov esi, dword ptr [eax + 0x4172b0] $sequence_7 = { 3304bdb8314100 c1e904 8bf8 83e70f } // n = 4, score = 200 // 3304bdb8314100 | xor eax, dword ptr [edi*4 + 0x4131b8] // c1e904 | shr ecx, 4 // 8bf8 | mov edi, eax // 83e70f | and edi, 0xf $sequence_8 = { 0fb63e 0fb6c0 eb12 8b45e0 8a80fc7b4100 08443b1d } // n = 6, score = 200 // 0fb63e | movzx edi, byte ptr [esi] // 0fb6c0 | movzx eax, al // eb12 | jmp 0x14 // 8b45e0 | mov eax, dword ptr [ebp - 0x20] // 8a80fc7b4100 | mov al, byte ptr [eax + 0x417bfc] // 08443b1d | or byte ptr [ebx + edi + 0x1d], al $sequence_9 = { 3bcf 0f85f9000000 03de 11bd68d2ffff 29b594d2ffff 8b8594d2ffff } // n = 6, score = 200 // 3bcf | cmp ecx, edi // 0f85f9000000 | jne 0xff // 03de | add ebx, esi // 11bd68d2ffff | adc dword ptr [ebp - 0x2d98], edi // 29b594d2ffff | sub dword ptr [ebp - 0x2d6c], esi // 8b8594d2ffff | mov eax, dword ptr [ebp - 0x2d6c] condition: 7 of them and filesize < 245760 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY