Created from the codebase of Gozi/ISFB.
// YARA-Signator rule for the win.rm3 family (provenance in the malpedia_* meta
// fields). Every $sequence_N string is a run of raw x86 opcode bytes; "????????"
// wildcards four bytes, which in these sequences is the rel32/absolute operand of
// call (e8), jmp (e9/eb), push imm32 (68) and mov-from-absolute (a1/8b0d/8b15/ff15)
// instructions -- presumably what the "callsandjumps;datarefs" part of
// signator_config refers to, so the pattern tolerates relocation differences.
rule win_rm3_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.rm3."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rm3"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    // NOTE(review): the "n = N, score = S" lines are generator output. n is the
    // number of opcodes in the sequence (countable above it); score is the
    // generator's ranking and its scale is not documented on this page -- the
    // lower-scored (100) sequences presumably occur in fewer of the available
    // samples, consistent with the single-sample caveat in the disclaimer, so a
    // hit that relies mostly on them deserves lower confidence. The per-opcode
    // disassembly comments do NOT decode the byte on the same line (e.g. 23d0 is
    // `and edx, eax`, not `lea`, and 8b460c is `mov eax, dword ptr [esi + 0xc]`,
    // not `jmp`); they look shifted relative to neighbouring code and should be
    // read as loose context only -- the hex bytes are the matched pattern.
    // Sequences 16-23 begin with 48/4c/49 bytes, which are x64 REX prefixes, yet
    // their comments render them as 32-bit `dec eax`/`dec esp`; those samples
    // appear to be 64-bit builds that were disassembled in 32-bit mode.
    strings:
        $sequence_0 = { 23d0 8b460c 03c2 394508 }
            // n = 4, score = 2300
            // 23d0 | lea ecx, [eax + 0xf]
            // 8b460c | jmp 0xffffff8e
            // 03c2 | mov ebx, eax
            // 394508 | dec eax
        $sequence_1 = { 8b4138 8b5608 8d5410ff 48 f7d0 23d0 }
            // n = 6, score = 2300
            // 8b4138 | mov eax, dword ptr [ebp + 8]
            // 8b5608 | cmp eax, dword ptr [esi + 0xc]
            // 8d5410ff | jb 0x4c
            // 48 | jne 7
            // f7d0 | cmp dword ptr [ebp - 4], eax
            // 23d0 | jne 0xffffffa1
        $sequence_2 = { 8d5418ff eb0a 8b4138 8b5608 }
            // n = 4, score = 2300
            // 8d5418ff | mov eax, dword ptr [ebp + 8]
            // eb0a | cmp eax, dword ptr [esi + 0xc]
            // 8b4138 | jb 0x4f
            // 8b5608 | mov edi, dword ptr [ecx + 0x38]
        $sequence_3 = { 8b00 51 03c2 50 e8???????? 83c40c }
            // n = 6, score = 2300
            // 8b00 | dec eax
            // 51 | cmp eax, ebx
            // 03c2 | dec eax
            // 50 | mov edi, eax
            // e8???????? |
            // 83c40c | je 0x1b
        $sequence_4 = { 03c8 0fb74106 8365f800 53 }
            // n = 4, score = 2300
            // 03c8 | pop edi
            // 0fb74106 | pop esi
            // 8365f800 | push esi
            // 53 | push edi
        $sequence_5 = { 23fa 3bf8 7609 8b413c }
            // n = 4, score = 2300
            // 23fa | test edi, edi
            // 3bf8 | je 0x19
            // 7609 | dec esp
            // 8b413c | mov eax, edi
        $sequence_6 = { 8d740818 8b4508 3b460c 7247 }
            // n = 4, score = 2300
            // 8d740818 | dec eax
            // 8b4508 | mov dword ptr [edx + 0x170], ebp
            // 3b460c | xor ebx, ebx
            // 7247 | dec eax
        $sequence_7 = { 7505 3945fc 759f 5f 5e }
            // n = 5, score = 2300
            // 7505 | mov dword ptr [edx + 0x168], eax
            // 3945fc | dec eax
            // 759f | mov ecx, eax
            // 5f | jmp 0x12
            // 5e | xor edx, edx
        $sequence_8 = { 8db5f0feffff 8bce 8d041b 51 8945f8 e8???????? 57 }
            // n = 7, score = 1800
            // 8db5f0feffff | lea eax, [eax + edi - 1]
            // 8bce | dec edi
            // 8d041b | jbe 0xb
            // 51 | mov eax, dword ptr [ecx + 0x3c]
            // 8945f8 | lea edx, [eax + ebx - 1]
            // e8???????? |
            // 57 | jmp 0x13
        $sequence_9 = { 41 ff4508 ff4d0c 885405fc 40 83f803 7ce4 }
            // n = 7, score = 1800
            // 41 | mov edx, dword ptr [ecx + 0x3c]
            // ff4508 | mov ebx, dword ptr [esi + 0x10]
            // ff4d0c | jb 0x49
            // 885405fc | mov edi, dword ptr [ecx + 0x38]
            // 40 | mov eax, dword ptr [esi + 8]
            // 83f803 | mov edx, dword ptr [ecx + 0x3c]
            // 7ce4 | mov ebx, dword ptr [esi + 0x10]
        $sequence_10 = { 83c704 83c604 837dfc00 75de 8d85f0feffff 50 }
            // n = 6, score = 1800
            // 83c704 | lea esi, [eax + ecx + 0x18]
            // 83c604 | mov eax, dword ptr [ebp + 8]
            // 837dfc00 | mov edx, dword ptr [ecx + 0x3c]
            // 75de | mov ebx, dword ptr [esi + 0x10]
            // 8d85f0feffff | lea eax, [eax + edi - 1]
            // 50 | dec edi
        $sequence_11 = { 50 8db4b558feffff 894510 56 8bc3 }
            // n = 5, score = 1800
            // 50 | add esi, 4
            // 8db4b558feffff | cmp dword ptr [ebp - 4], 0
            // 894510 | jne 0xffffffe4
            // 56 | lea eax, [ebp - 0x110]
            // 8bc3 | push eax
        $sequence_12 = { 56 ff7510 8d8df4feffff 51 }
            // n = 4, score = 1800
            // 56 | lea esi, [ebp - 0x110]
            // ff7510 | mov ecx, esi
            // 8d8df4feffff | lea eax, [ebx + ebx]
            // 51 | push ecx
        $sequence_13 = { 57 8bc3 8d8d58feffff e8???????? }
            // n = 4, score = 1800
            // 57 | push ebx
            // 8bc3 | push esi
            // 8d8d58feffff | push edi
            // e8???????? |
        $sequence_14 = { 8bcb 8d9568ffffff 8bc6 e8???????? ebd2 }
            // n = 5, score = 1800
            // 8bcb | not edi
            // 8d9568ffffff | jb 0x49
            // 8bc6 | mov edi, dword ptr [ecx + 0x38]
            // e8???????? |
            // ebd2 | mov eax, dword ptr [esi + 8]
        $sequence_15 = { 50 e8???????? ff7518 8d85f0feffff ff750c 8d8d6cfeffff }
            // n = 6, score = 1800
            // 50 | dec dword ptr [ebp + 0xc]
            // e8???????? |
            // ff7518 | mov byte ptr [ebp + eax - 4], dl
            // 8d85f0feffff | inc eax
            // ff750c | cmp eax, 3
            // 8d8d6cfeffff | jl 0xfffffff1
        $sequence_16 = { e8???????? 483bc3 488bf8 7416 }
            // n = 4, score = 300
            // e8???????? |
            // 483bc3 | je 0x78
            // 488bf8 | dec esp
            // 7416 | lea ebp, [esi + 0x78]
        $sequence_17 = { eb8c ff15???????? 8bd8 4885ff 7412 488b0d???????? 4c8bc7 }
            // n = 7, score = 300
            // eb8c | and dword ptr [esp + 0x28], 0
            // ff15???????? |
            // 8bd8 | dec esp
            // 4885ff | add dword ptr [esp + 0x50], ebx
            // 7412 | inc esp
            // 488b0d???????? |
            // 4c8bc7 | mov esp, eax
        $sequence_18 = { 8803 4883c601 4883c301 4883ef01 75a0 }
            // n = 5, score = 300
            // 8803 | add eax, 1
            // 4883c601 | dec eax
            // 4883c301 | add ecx, 4
            // 4883ef01 | mov byte ptr [ebx], al
            // 75a0 | dec eax
        $sequence_19 = { 754f 8d5001 8d480f e8???????? }
            // n = 4, score = 300
            // 754f | mov ebx, eax
            // 8d5001 | dec esp
            // 8d480f | mov ebx, dword ptr [ebx]
            // e8???????? |
        $sequence_20 = { 448be0 7476 4c8d6e78 498bcd e8???????? 488b4c2460 488b6e20 }
            // n = 7, score = 300
            // 448be0 | xor edx, edx
            // 7476 | dec eax
            // 4c8d6e78 | mov edi, ecx
            // 498bcd | dec eax
            // e8???????? |
            // 488b4c2460 | lea ecx, [esp + 0x50]
            // 488b6e20 | dec ecx
        $sequence_21 = { 83e802 85c0 7e20 488d4c243c 8b01 4183c001 4883c104 }
            // n = 7, score = 300
            // 83e802 | sub eax, 2
            // 85c0 | test eax, eax
            // 7e20 | jle 0x22
            // 488d4c243c | dec eax
            // 8b01 | lea ecx, [esp + 0x3c]
            // 4183c001 | mov eax, dword ptr [ecx]
            // 4883c104 | inc ecx
        $sequence_22 = { 488bf9 488d4c2450 498bd8 ff15???????? 4c8b1b 8364242800 4c015c2450 }
            // n = 7, score = 300
            // 488bf9 | sub edi, 1
            // 488d4c2450 | jne 0xffffffaa
            // 498bd8 | not eax
            // ff15???????? |
            // 4c8b1b | xor dword ptr [edi + 0xc], eax
            // 8364242800 | dec esp
            // 4c015c2450 | mov eax, ebx
        $sequence_23 = { e8???????? f7d0 31470c 488b0d???????? 4c8bc3 33d2 ff15???????? }
            // n = 7, score = 300
            // e8???????? |
            // f7d0 | add esi, 1
            // 31470c | dec eax
            // 488b0d???????? |
            // 4c8bc3 | add ebx, 1
            // 33d2 | dec eax
            // ff15???????? |
        $sequence_24 = { 01ce 83f900 0f44f2 8b0e 83f900 }
            // n = 5, score = 100
            // 01ce | not eax
            // 83f900 | and edx, eax
            // 0f44f2 | mov eax, dword ptr [esi + 0xc]
            // 8b0e | add eax, edx
            // 83f900 | cmp dword ptr [ebp + 8], eax
        $sequence_25 = { 894dec 8955e8 8975e4 8945e0 0f84f2000000 8b45f0 }
            // n = 6, score = 100
            // 894dec | mov eax, dword ptr [esi + 8]
            // 8955e8 | mov edx, dword ptr [ecx + 0x3c]
            // 8975e4 | mov ebx, dword ptr [esi + 0x10]
            // 8945e0 | lea eax, [eax + edi - 1]
            // 0f84f2000000 | dec edi
            // 8b45f0 | not edi
        $sequence_26 = { 56 8985d0fbffff 8995ccfbffff 898dc8fbffff ffd7 83f800 }
            // n = 6, score = 100
            // 56 | add esi, 0x28
            // 8985d0fbffff | push edi
            // 8995ccfbffff | lea esi, [eax + ecx + 0x18]
            // 898dc8fbffff | mov eax, dword ptr [ebp + 8]
            // ffd7 | cmp eax, dword ptr [esi + 0xc]
            // 83f800 | jb 0x53
        $sequence_27 = { a1???????? 8b8de0fbffff 51 ffd0 8b0d???????? 8b95e4fbffff }
            // n = 6, score = 100
            // a1???????? |
            // 8b8de0fbffff | lea edx, [ebp - 0x294]
            // 51 | mov dword ptr [esp], edx
            // ffd0 | mov dword ptr [esp + 4], 0xd
            // 8b0d???????? |
            // 8b95e4fbffff | mov dword ptr [esp + 8], 1
        $sequence_28 = { 89c7 01f7 83c6c0 81fec00f0000 8945f4 894df0 }
            // n = 6, score = 100
            // 89c7 | mov ebx, dword ptr [esi + 0x10]
            // 01f7 | lea eax, [eax + edi - 1]
            // 83c6c0 | dec edi
            // 81fec00f0000 | add esi, ecx
            // 8945f4 | cmp ecx, 0
            // 894df0 | cmove esi, edx
        $sequence_29 = { 8b8d60ffffff 83c101 8b954cffffff 83c228 8b75ac }
            // n = 5, score = 100
            // 8b8d60ffffff | mov edx, dword ptr [ecx + 0x3c]
            // 83c101 | mov ebx, dword ptr [esi + 0x10]
            // 8b954cffffff | lea eax, [eax + edi - 1]
            // 83c228 | dec edi
            // 8b75ac | mov edx, dword ptr [ecx + 0x3c]
        $sequence_30 = { 89b504ffffff e8???????? 8b854cffffff 890424 }
            // n = 4, score = 100
            // 89b504ffffff | mov ecx, dword ptr [esi]
            // e8???????? |
            // 8b854cffffff | cmp ecx, 0
            // 890424 | cmp dl, 0
        $sequence_31 = { c7424418180000 c7424800a00100 8b7de4 c787cc00000000000000 c787c800000000000000 }
            // n = 5, score = 100
            // c7424418180000 | add esi, 0x28
            // c7424800a00100 | dec dword ptr [ebp - 4]
            // 8b7de4 | test eax, eax
            // c787cc00000000000000 | jne 0x12
            // c787c800000000000000 | mov ecx, 1
        $sequence_32 = { e8???????? 8d0db2318702 890424 894c2404 }
            // n = 4, score = 100
            // e8???????? |
            // 8d0db2318702 | mov edx, dword ptr [esi + 8]
            // 890424 | mov ecx, dword ptr [eax + 0x3c]
            // 894c2404 | add ecx, eax
        $sequence_33 = { 89442404 e8???????? 83c408 c785ecfbffff00000000 8d8decfbffff 8b15???????? }
            // n = 6, score = 100
            // 89442404 | movzx eax, word ptr [ecx + 6]
            // e8???????? |
            // 83c408 | and dword ptr [ebp - 8], 0
            // c785ecfbffff00000000 | mov dword ptr [ebp - 8], esi
            // 8d8decfbffff | mov eax, dword ptr [ebp - 8]
            // 8b15???????? |
        $sequence_34 = { 891c24 89442404 c744240800000000 8954240c 8b4590 894d80 }
            // n = 6, score = 100
            // 891c24 | mov ecx, dword ptr [ebp - 0x10]
            // 89442404 | mov dword ptr [ebp - 0x14], eax
            // c744240800000000 | mov dword ptr [ebp - 0x14], ecx
            // 8954240c | mov dword ptr [ebp - 0x18], edx
            // 8b4590 | mov dword ptr [ebp - 0x1c], esi
            // 894d80 | mov dword ptr [ebp - 0x20], eax
        $sequence_35 = { 80fa00 8945f4 894df0 742f 8b45f4 8b4df0 8945ec }
            // n = 7, score = 100
            // 80fa00 | mov edx, dword ptr [esi + 8]
            // 8945f4 | lea edx, [eax + edx - 1]
            // 894df0 | dec eax
            // 742f | not eax
            // 8b45f4 | and edx, eax
            // 8b4df0 | mov eax, dword ptr [esi + 0xc]
            // 8945ec | add eax, edx
        $sequence_36 = { 894da4 8945a0 0f855affffff b801000000 8b4db0 8b11 }
            // n = 6, score = 100
            // 894da4 | je 0xfe
            // 8945a0 | mov eax, dword ptr [ebp - 0x10]
            // 0f855affffff | mov ecx, dword ptr [ebp - 0xa0]
            // b801000000 | add ecx, 1
            // 8b4db0 | mov edx, dword ptr [ebp - 0xb4]
            // 8b11 | add edx, 0x28
        $sequence_37 = { 6a50 68???????? 50 8985e8fbffff ffd1 8b0d???????? }
            // n = 6, score = 100
            // 6a50 | mov edi, dword ptr [ecx + 0x38]
            // 68???????? |
            // 50 | lea edx, [eax + ebx - 1]
            // 8985e8fbffff | jmp 0xc
            // ffd1 | mov eax, dword ptr [ecx + 0x38]
            // 8b0d???????? |
        $sequence_38 = { 8b8d6cffffff 894c2404 898558ffffff e8???????? 83c408 b901000000 }
            // n = 6, score = 100
            // 8b8d6cffffff | cmp eax, 0
            // 894c2404 | push 0x50
            // 898558ffffff | push eax
            // e8???????? |
            // 83c408 | mov dword ptr [ebp - 0x418], eax
            // b901000000 | call ecx
        $sequence_39 = { b901000000 8d956cfdffff 891424 c74424040d000000 c744240801000000 }
            // n = 5, score = 100
            // b901000000 | add eax, edx
            // 8d956cfdffff | cmp dword ptr [ebp + 8], eax
            // 891424 | jae 0xa
            // c74424040d000000 | mov dword ptr [ebp - 8], esi
            // c744240801000000 | mov eax, dword ptr [ebp - 8]
    // Any 7 of the 40 sequences must be present, and the scanned object must be
    // smaller than 221184 bytes (216 KiB). NOTE(review): YARA documents `filesize`
    // as the size of the file being scanned and not meaningful for a running
    // process, so this rule is intended for on-disk samples and dumped memory
    // images rather than live process scans -- confirm against the scanner in
    // use. Per the disclaimer, the byte patterns were taken from unpacked code,
    // so a packed sample on disk will generally not match until it is unpacked.
    condition:
        7 of them and filesize < 221184
}