According to X-Force, this is a loader module written in .NET languages and compiled ahead-of-time (AOT) rather than JIT-compiled at runtime.
rule win_quirkyloader_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.quirkyloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quirkyloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is seven x86-64 instruction encodings lifted from the
        // sample (n = 7). `e8 ????????` / `e9 ????????` wildcard the rel32
        // displacement of call/jmp, so a match does not depend on where the
        // target sits in the image. The per-opcode annotations are a 64-bit
        // decode of the bytes shown: REX prefixes (41/44/45/48/49/4c) are part
        // of the instruction and must not be read as 32-bit inc/dec opcodes.
        // Branch annotations give the relative displacement, not an address.

        $sequence_0 = { c783a000000002000000 b801000000 eb1d c783a000000003000000 eb05 83fe05 7422 }
            // n = 7, score = 100
            // c783a000000002000000 | mov dword ptr [rbx + 0xa0], 2
            // b801000000           | mov eax, 1
            // eb1d                 | jmp short +0x1d
            // c783a000000003000000 | mov dword ptr [rbx + 0xa0], 3
            // eb05                 | jmp short +0x5
            // 83fe05               | cmp esi, 5
            // 7422                 | je short +0x22

        $sequence_1 = { e8???????? 488bd8 488bcb e8???????? 488d0dbd6e0400 488379f800 751a }
            // n = 7, score = 100
            // e8????????           | call rel32 (target wildcarded)
            // 488bd8               | mov rbx, rax
            // 488bcb               | mov rcx, rbx
            // e8????????           | call rel32 (target wildcarded)
            // 488d0dbd6e0400       | lea rcx, [rip + 0x46ebd]
            // 488379f800           | cmp qword ptr [rcx - 8], 0
            // 751a                 | jne short +0x1a

        $sequence_2 = { f0440fb102 448b45ec 4533d2 413bc0 410f94c2 448955f0 7411 }
            // n = 7, score = 100
            // f0440fb102           | lock cmpxchg dword ptr [rdx], r8d
            // 448b45ec             | mov r8d, dword ptr [rbp - 0x14]
            // 4533d2               | xor r10d, r10d
            // 413bc0               | cmp eax, r8d
            // 410f94c2             | sete r10b
            // 448955f0             | mov dword ptr [rbp - 0x10], r10d
            // 7411                 | je short +0x11

        $sequence_3 = { eb82 488b4590 034580 0f28b424d0000000 0f28bc24c0000000 4881c4e8000000 5b }
            // n = 7, score = 100
            // eb82                 | jmp short -0x7e
            // 488b4590             | mov rax, qword ptr [rbp - 0x70]
            // 034580               | add eax, dword ptr [rbp - 0x80]
            // 0f28b424d0000000     | movaps xmm6, xmmword ptr [rsp + 0xd0]
            // 0f28bc24c0000000     | movaps xmm7, xmmword ptr [rsp + 0xc0]
            // 4881c4e8000000       | add rsp, 0xe8
            // 5b                   | pop rbx

        $sequence_4 = { e9???????? 483bda 776a 448b13 458d8a207f7fff 41f7c1f0c0c000 0f8463feffff }
            // n = 7, score = 100
            // e9????????           | jmp rel32 (target wildcarded)
            // 483bda               | cmp rbx, rdx
            // 776a                 | ja short +0x6a
            // 448b13               | mov r10d, dword ptr [rbx]
            // 458d8a207f7fff       | lea r9d, [r10 - 0x8080e0]
            // 41f7c1f0c0c000       | test r9d, 0xc0c0f0
            // 0f8463feffff         | je near -0x19d

        $sequence_5 = { f7da ffca f00fb111 3b44242c 75e0 83faff 751f }
            // n = 7, score = 100
            // f7da                 | neg edx
            // ffca                 | dec edx
            // f00fb111             | lock cmpxchg dword ptr [rcx], edx
            // 3b44242c             | cmp eax, dword ptr [rsp + 0x2c]
            // 75e0                 | jne short -0x20
            // 83faff               | cmp edx, -1
            // 751f                 | jne short +0x1f

        $sequence_6 = { e8???????? 4c8bf0 488b5308 498bce e8???????? 488d4b10 498bd6 }
            // n = 7, score = 100
            // e8????????           | call rel32 (target wildcarded)
            // 4c8bf0               | mov r14, rax
            // 488b5308             | mov rdx, qword ptr [rbx + 8]
            // 498bce               | mov rcx, r14
            // e8????????           | call rel32 (target wildcarded)
            // 488d4b10             | lea rcx, [rbx + 0x10]
            // 498bd6               | mov rdx, r14

        $sequence_7 = { e8???????? 488bc8 3909 e8???????? b8e7b5ec1f ebab 4881c4c8000000 }
            // n = 7, score = 100
            // e8????????           | call rel32 (target wildcarded)
            // 488bc8               | mov rcx, rax
            // 3909                 | cmp dword ptr [rcx], ecx
            // e8????????           | call rel32 (target wildcarded)
            // b8e7b5ec1f           | mov eax, 0x1fecb5e7
            // ebab                 | jmp short -0x55
            // 4881c4c8000000       | add rsp, 0xc8

        $sequence_8 = { eb0d 4c8b442430 498bc9 e8???????? 48897c2420 4c8bcf 4489742428 }
            // n = 7, score = 100
            // eb0d                 | jmp short +0xd
            // 4c8b442430           | mov r8, qword ptr [rsp + 0x30]
            // 498bc9               | mov rcx, r9
            // e8????????           | call rel32 (target wildcarded)
            // 48897c2420           | mov qword ptr [rsp + 0x20], rdi
            // 4c8bcf               | mov r9, rdi
            // 4489742428           | mov dword ptr [rsp + 0x28], r14d

        $sequence_9 = { e8???????? 33c9 8b5008 85d2 7e49 90 448bc1 }
            // n = 7, score = 100
            // e8????????           | call rel32 (target wildcarded)
            // 33c9                 | xor ecx, ecx
            // 8b5008               | mov edx, dword ptr [rax + 8]
            // 85d2                 | test edx, edx
            // 7e49                 | jle short +0x49
            // 90                   | nop
            // 448bc1               | mov r8d, ecx

    condition:
        // At least 7 of the 10 sequences must be present. The size cap of
        // 4722688 bytes (about 4.5 MiB) deliberately excludes larger or padded
        // files, so a sample inflated past that limit will not match even if
        // every sequence is present. No PE-header check is applied, which is
        // consistent with the disclaimer: the sequences were taken from memory
        // dumps and unpacked files, and the rule is meant to fire on those too.
        7 of them and filesize < 4722688
}