There is no description at this point.
// Auto-generated code-sequence rule for win.redcurl (YARA-Signator output).
//
// Reviewer notes for deployment:
//   * The patterns were selected from disassembly of memory dumps and unpacked
//     files (see the generator disclaimer below), so coverage is expected on
//     unpacked / in-memory code; a packed on-disk sample may not trigger.
//   * `n` in each comment is the instruction count of the sequence; `score` is
//     the generator-assigned weight and is not used by the condition.
//   * The condition requires 7 of the 21 sequences AND filesize < 487424
//     (476 KiB). Anything at or above that size -- e.g. a full process dump --
//     is excluded regardless of how many sequences match; relax the bound if
//     that is not the intended scan target.
rule win_redcurl_auto
{
    meta:
        author                = "Felix Bilstein - yara-signator at cocacoding dot com"
        date                  = "2026-05-04"
        version               = "1"
        description           = "Detects win.redcurl."
        info                  = "autogenerated rule brought to you by yara-signator"
        tool                  = "yara-signator v0.6.0"
        signator_config       = "callsandjumps;datarefs;binvalue"
        malpedia_reference    = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redcurl"
        malpedia_rule_date    = "20260422"
        malpedia_hash         = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version      = "20260504"
        malpedia_license      = "CC BY-SA 4.0"
        malpedia_sharing      = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // n = 7, score = 400
        //   ff15????????    call dword ptr [imm32]  (target wildcarded)
        //   8bd0            mov edx, eax
        //   c7461000000000  mov dword ptr [esi + 0x10], 0
        //   8bca            mov ecx, edx
        //   c746140f000000  mov dword ptr [esi + 0x14], 0xf
        //   c60600          mov byte ptr [esi], 0
        //   8d7901          lea edi, [ecx + 1]
        $sequence_0 = { ff 15 ?? ?? ?? ?? 8b d0 c7 46 10 00 00 00 00 8b ca c7 46 14 0f 00 00 00 c6 06 00 8d 79 01 }

        // n = 4, score = 400
        //   2bc6  sub eax, esi
        //   48    dec eax
        //   50    push eax
        //   56    push esi
        $sequence_1 = { 2b c6 48 50 56 }

        // n = 4, score = 400
        //   f7f9    idiv ecx
        //   80c261  add dl, 0x61
        //   88143e  mov byte ptr [esi + edi], dl
        //   47      inc edi
        $sequence_2 = { f7 f9 80 c2 61 88 14 3e 47 }

        // n = 7, score = 300
        //   6a00          push 0
        //   6a00          push 0
        //   6aff          push -1
        //   8bf8          mov edi, eax
        //   6a00          push 0
        //   57            push edi
        //   ff15????????  call dword ptr [imm32]  (target wildcarded)
        $sequence_3 = { 6a 00 6a 00 6a ff 8b f8 6a 00 57 ff 15 ?? ?? ?? ?? }

        // n = 4, score = 300
        //   c745f001000000  mov dword ptr [ebp - 0x10], 1
        //   e8????????      call rel32  (target wildcarded)
        //   c745e800000000  mov dword ptr [ebp - 0x18], 0
        //   c745ec0f000000  mov dword ptr [ebp - 0x14], 0xf
        $sequence_4 = { c7 45 f0 01 00 00 00 e8 ?? ?? ?? ?? c7 45 e8 00 00 00 00 c7 45 ec 0f 00 00 00 }

        // n = 4, score = 300
        //   c645d800  mov byte ptr [ebp - 0x28], 0
        //   8d5001    lea edx, [eax + 1]
        //   8b4610    mov eax, dword ptr [esi + 0x10]
        //   3bc2      cmp eax, edx
        $sequence_5 = { c6 45 d8 00 8d 50 01 8b 46 10 3b c2 }

        // n = 7, score = 300
        //   8b4610  mov eax, dword ptr [esi + 0x10]
        //   3bc2    cmp eax, edx
        //   726f    jb 0x71
        //   2bc2    sub eax, edx
        //   83c9ff  or ecx, 0xffffffff
        //   83f8ff  cmp eax, -1
        //   0f42c8  cmovb ecx, eax
        $sequence_6 = { 8b 46 10 3b c2 72 6f 2b c2 83 c9 ff 83 f8 ff 0f 42 c8 }

        // n = 7, score = 300
        //   e8????????  call rel32  (target wildcarded)
        //   8d45d8      lea eax, [ebp - 0x28]
        //   8bce        mov ecx, esi
        //   50          push eax
        //   e8????????  call rel32  (target wildcarded)
        //   8b55ec      mov edx, dword ptr [ebp - 0x14]
        //   83fa10      cmp edx, 0x10
        $sequence_7 = { e8 ?? ?? ?? ?? 8d 45 d8 8b ce 50 e8 ?? ?? ?? ?? 8b 55 ec 83 fa 10 }

        // n = 6, score = 300
        //   0f57c0          xorps xmm0, xmm0
        //   c745e800000000  mov dword ptr [ebp - 0x18], 0
        //   68????????      push imm32  (wildcarded)
        //   ba????????      mov edx, imm32  (wildcarded)
        //   660fd645e0      movq qword ptr [ebp - 0x20], xmm0
        //   e8????????      call rel32  (target wildcarded)
        $sequence_8 = { 0f 57 c0 c7 45 e8 00 00 00 00 68 ?? ?? ?? ?? ba ?? ?? ?? ?? 66 0f d6 45 e0 e8 ?? ?? ?? ?? }

        // n = 6, score = 300
        //   837d1c10  cmp dword ptr [ebp + 0x1c], 0x10
        //   8d4d08    lea ecx, [ebp + 8]
        //   6a00      push 0
        //   0f434d08  cmovae ecx, dword ptr [ebp + 8]
        //   8bf0      mov esi, eax
        //   6a00      push 0
        $sequence_9 = { 83 7d 1c 10 8d 4d 08 6a 00 0f 43 4d 08 8b f0 6a 00 }

        // n = 7, score = 300
        //   750f          jne 0x11
        //   d93c24        fnstcw word ptr [esp]
        //   668b0424      mov ax, word ptr [esp]
        //   6683e07f      and ax, 0x7f
        //   6683f87f      cmp ax, 0x7f
        //   8d642408      lea esp, [esp + 8]
        //   0f85e90b0000  jne 0xbef
        $sequence_10 = { 75 0f d9 3c 24 66 8b 04 24 66 83 e0 7f 66 83 f8 7f 8d 64 24 08 0f 85 e9 0b 00 00 }

        // n = 6, score = 300
        //   c20000      ret 0
        //   55          push ebp
        //   8bec        mov ebp, esp
        //   83ec0c      sub esp, 0xc
        //   8d4df4      lea ecx, [ebp - 0xc]
        //   e8????????  call rel32  (target wildcarded)
        $sequence_11 = { c2 00 00 55 8b ec 83 ec 0c 8d 4d f4 e8 ?? ?? ?? ?? }

        // n = 5, score = 300
        //   6a00          push 0
        //   50            push eax
        //   53            push ebx
        //   ff15????????  call dword ptr [imm32]  (target wildcarded)
        //   6a00          push 0
        $sequence_12 = { 6a 00 50 53 ff 15 ?? ?? ?? ?? 6a 00 }

        // n = 4, score = 200
        //   83c10f        add ecx, 0xf
        //   83e1f0        and ecx, 0xfffffff0
        //   85d2          test edx, edx
        //   0f8546ffffff  jne 0xffffff4c
        $sequence_13 = { 83 c1 0f 83 e1 f0 85 d2 0f 85 46 ff ff ff }

        // n = 4, score = 200
        //   3c30          cmp al, 0x30
        //   0f84b6100000  je 0x10bc
        //   3c31          cmp al, 0x31
        //   0f85aed3ffff  jne 0xffffd3b4
        $sequence_14 = { 3c 30 0f 84 b6 10 00 00 3c 31 0f 85 ae d3 ff ff }

        // n = 6, score = 200
        //   e8????????    call rel32  (target wildcarded)
        //   8b8520fdffff  mov eax, dword ptr [ebp - 0x2e0]
        //   8d9d28fdffff  lea ebx, [ebp - 0x2d8]
        //   39d8          cmp eax, ebx
        //   7408          je 0xa
        //   890424        mov dword ptr [esp], eax
        $sequence_15 = { e8 ?? ?? ?? ?? 8b 85 20 fd ff ff 8d 9d 28 fd ff ff 39 d8 74 08 89 04 24 }

        // n = 6, score = 200
        //   85f6          test esi, esi
        //   741a          je 0x1c
        //   0fb613        movzx edx, byte ptr [ebx]
        //   8810          mov byte ptr [eax], dl
        //   f7c602000000  test esi, 2
        //   740d          je 0xf
        $sequence_16 = { 85 f6 74 1a 0f b6 13 88 10 f7 c6 02 00 00 00 74 0d }

        // n = 5, score = 200
        //   e8????????    call rel32  (target wildcarded)
        //   89c7          mov edi, eax
        //   8945d0        mov dword ptr [ebp - 0x30], eax
        //   83f80f        cmp eax, 0xf
        //   0f8755060000  ja 0x65b
        $sequence_17 = { e8 ?? ?? ?? ?? 89 c7 89 45 d0 83 f8 0f 0f 87 55 06 00 00 }

        // n = 6, score = 200
        //   01d8          add eax, ebx
        //   7408          je 0xa
        //   85f6          test esi, esi
        //   0f8471170000  je 0x1777
        //   899d7cfdffff  mov dword ptr [ebp - 0x284], ebx
        //   83fb0f        cmp ebx, 0xf
        $sequence_18 = { 01 d8 74 08 85 f6 0f 84 71 17 00 00 89 9d 7c fd ff ff 83 fb 0f }

        // n = 4, score = 200
        //   89c6    mov esi, eax
        //   8b03    mov eax, dword ptr [ebx]
        //   8d7e0c  lea edi, [esi + 0xc]
        //   85c0    test eax, eax
        $sequence_19 = { 89 c6 8b 03 8d 7e 0c 85 c0 }

        // n = 4, score = 200
        //   8985e8fdffff  mov dword ptr [ebp - 0x218], eax
        //   8d8568feffff  lea eax, [ebp - 0x198]
        //   83ec08        sub esp, 8
        //   898560feffff  mov dword ptr [ebp - 0x1a0], eax
        $sequence_20 = { 89 85 e8 fd ff ff 8d 85 68 fe ff ff 83 ec 08 89 85 60 fe ff ff }

    condition:
        // 7 of the 21 code sequences, restricted to inputs under 476 KiB.
        7 of ($sequence_*) and filesize < 487424
}