win.rorschach

Rorschach Ransomware

aka: BabLock

There is no description at this point.

References
2026-02-05 · Bleeping Computer · Bill Toulas
Italian university La Sapienza goes offline after cyberattack
Rorschach Ransomware Femwar02
2023-04-19 · Medium (@simone.kraus) · Simone Kraus
Rorschach Ransomware Analysis with Attack Flow
Rorschach Ransomware
2023-04-18 · Trend Micro · Don Ovid Ladores
An Analysis of the BabLock (aka Rorschach) Ransomware (IoCs)
Rorschach Ransomware
2023-04-18 · Trend Micro · Don Ovid Ladores
An Analysis of the BabLock (aka Rorschach) Ransomware
Rorschach Ransomware
2023-04-04 · Check Point Research · Jiří Vinopal
Rorschach – A New Sophisticated and Fast Ransomware
Rorschach Ransomware
2023-04-04 · Group-IB · Andrey Zhdanov, Vladislav Azersky
The old way: BabLock, new ransomware quietly cruising around Europe, Middle East, and Asia
Rorschach Ransomware
Yara Rules
[TLP:WHITE] win_rorschach_auto (20260504 | Detects win.rorschach.)
/*
 * Auto-generated Malpedia detection rule for the Rorschach (aka BabLock)
 * ransomware family (win.rorschach).
 *
 * How it matches: ten opcode-byte sequences ($sequence_0 .. $sequence_9) were
 * selected from a sample's disassembly by yara-signator. A file matches when
 * at least 7 of the 10 sequences are present AND the file is smaller than
 * 3921930 bytes (see `condition:` at the bottom).
 *
 * Reviewer notes:
 *  - `??` inside a hex string is a YARA single-byte wildcard. Here it masks the
 *    rel32 operand of `e8` (call) / `e9` (jmp) instructions, whose value
 *    depends on where the code is laid out in a particular build, so the
 *    opcode is kept and the displacement is ignored.
 *  - The mnemonic annotations next to each byte string do not appear to line up
 *    with the bytes they annotate (e.g. `488d8424b8000000` starts with a
 *    REX.W-prefixed `8d` = lea, but is labelled `mov edx, eax`). Treat the hex
 *    bytes as authoritative and the annotations as informational only; they
 *    look like 32-bit decodes of 64-bit code — TODO confirm against the
 *    generator's output before relying on them.
 *  - The byte sequences and the size cap are derived from the documented
 *    sample(s) only (see DISCLAIMER below); expect limited generalization to
 *    other builds and test against your own corpus before assigning a
 *    confidence level.
 */
rule win_rorschach_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.rorschach."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rorschach"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a run of 7 consecutive instructions (n = 7) taken
    // from the sample; "score = 100" is the generator's ranking of the
    // sequence, not a match weight used by the condition.
    strings:
        $sequence_0 = { 488d8424b8000000 482bc3 4c89b42428010000 4889442430 4c8db4249c000000 4c89bc2420010000 488d8424bc000000 }
            // n = 7, score = 100
            //   488d8424b8000000     | mov                 edx, eax
            //   482bc3               | dec                 eax
            //   4c89b42428010000     | lea                 ecx, [ebp + 0x8f8]
            //   4889442430           | nop                 
            //   4c8db4249c000000     | dec                 ebp
            //   4c89bc2420010000     | mov                 eax, esp
            //   488d8424bc000000     | dec                 eax

        $sequence_1 = { 888571010000 33d2 488d8d60010000 e8???????? 888572010000 b272 488d8d60010000 }
            // n = 7, score = 100
            //   888571010000         | dec                 eax
            //   33d2                 | lea                 ecx, [ebp - 0x10]
            //   488d8d60010000       | nop                 
            //   e8????????           |                     
            //   888572010000         | mov                 byte ptr [esp + 0x30], 0x50
            //   b272                 | mov                 byte ptr [esp + 0x40], bl
            //   488d8d60010000       | inc                 sp

        $sequence_2 = { 488d8d70050000 e8???????? 888501060000 33d2 488d8d70050000 e8???????? 888502060000 }
            // n = 7, score = 100
            //   488d8d70050000       | lea                 ecx, [ebp + 0x230]
            //   e8????????           |                     
            //   888501060000         | mov                 byte ptr [ebp + 0x255], al
            //   33d2                 | dec                 eax
            //   488d8d70050000       | lea                 ecx, [ebp + 0x230]
            //   e8????????           |                     
            //   888502060000         | mov                 byte ptr [ebp + 0x255], al

        $sequence_3 = { 33d2 488d8d300b0000 e8???????? 8885580d0000 b23c 488d8d300b0000 e8???????? }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   488d8d300b0000       | dec                 eax
            //   e8????????           |                     
            //   8885580d0000         | lea                 ecx, [ebp + 0x570]
            //   b23c                 | mov                 byte ptr [ebp + 0x6b4], al
            //   488d8d300b0000       | mov                 byte ptr [ebp + 0x7b3], al
            //   e8????????           |                     

        $sequence_4 = { 90 4d8bc4 488bd0 498bcf e8???????? 488d85d8080000 488985b80c0000 }
            // n = 7, score = 100
            //   90                   | xor                 edx, edx
            //   4d8bc4               | dec                 eax
            //   488bd0               | lea                 ecx, [ebp + 0x8e0]
            //   498bcf               | mov                 byte ptr [ebp + 0x9ae], al
            //   e8????????           |                     
            //   488d85d8080000       | mov                 dl, 0x53
            //   488985b80c0000       | dec                 eax

        $sequence_5 = { 488d8da8010000 e8???????? 8885ab010000 33d2 488d8da8010000 e8???????? 8885ac010000 }
            // n = 7, score = 100
            //   488d8da8010000       | xor                 edx, edx
            //   e8????????           |                     
            //   8885ab010000         | dec                 eax
            //   33d2                 | lea                 ecx, [ebp + 0xb30]
            //   488d8da8010000       | mov                 byte ptr [ebp + 0xbce], al
            //   e8????????           |                     
            //   8885ac010000         | dec                 eax

        $sequence_6 = { f781c8100000e0ffffff 762c 660f1f840000000000 428b0482 42898481a4100000 41ffc0 8b81c8100000 }
            // n = 7, score = 100
            //   f781c8100000e0ffffff     | xor    eax, eax
            //   762c                 | mov                 byte ptr [ebp + 0x26], al
            //   660f1f840000000000     | xor    eax, eax
            //   428b0482             | mov                 word ptr [ebp + 0x27], ax
            //   42898481a4100000     | dec                 esp
            //   41ffc0               | mov                 edi, ebx
            //   8b81c8100000         | dec                 ecx

        $sequence_7 = { 488d8d300b0000 e8???????? 8885950c0000 33d2 488d8d300b0000 e8???????? 8885960c0000 }
            // n = 7, score = 100
            //   488d8d300b0000       | dec                 eax
            //   e8????????           |                     
            //   8885950c0000         | lea                 eax, [ebp + 0x300]
            //   33d2                 | dec                 eax
            //   488d8d300b0000       | cmp                 dword ptr [ebp + 0x318], 8
            //   e8????????           |                     
            //   8885960c0000         | dec                 eax

        $sequence_8 = { e9???????? 488d8a58040000 e9???????? 488d8af8030000 e9???????? 488d8a38050000 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d8a58040000       | dec                 eax
            //   e9????????           |                     
            //   488d8af8030000       | lea                 ecx, [esp + 0x78]
            //   e9????????           |                     
            //   488d8a38050000       | dec                 eax
            //   e9????????           |                     

        $sequence_9 = { 90 498d542420 4903d7 488d8dc0000000 e8???????? 90 4c8d85e0000000 }
            // n = 7, score = 100
            //   90                   | lea                 ecx, [ebp + 0x8e0]
            //   498d542420           | mov                 byte ptr [ebp + 0x9ab], al
            //   4903d7               | xor                 edx, edx
            //   488d8dc0000000       | dec                 eax
            //   e8????????           |                     
            //   90                   | lea                 ecx, [ebp + 0x8e0]
            //   4c8d85e0000000       | mov                 byte ptr [ebp + 0xaaa], al

    // At least 7 of the 10 $sequence_* strings must be present, and the file
    // must be under 3921930 bytes. The size cap is sample-derived: a larger
    // (e.g. padded or repacked) build will not match even if all sequences
    // are present.
    condition:
        7 of them and filesize < 3921930
}