Based on the leaked Conti source code.
// Autogenerated code-sequence rule for win.scarecrow (YARA-Signator).
// Ten byte-exact opcode sequences; a file matches when at least seven of them
// are present and the file is under 490 KiB. Because the sequences are
// byte-for-byte fragments of one disassembled sample (see DISCLAIMER), any
// change in stack layout, register allocation or compiler can break a match —
// treat a hit as a strong indicator, a miss as no information.
rule win_scarecrow_auto
{
    meta:
        author              = "Felix Bilstein - yara-signator at cocacoding dot com"
        date                = "2026-05-04"
        version             = "1"
        description         = "Detects win.scarecrow."
        info                = "autogenerated rule brought to you by yara-signator"
        tool                = "yara-signator v0.6.0"
        signator_config     = "callsandjumps;datarefs;binvalue"
        malpedia_reference  = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarecrow"
        malpedia_rule_date  = "20260422"
        malpedia_hash       = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version    = "20260504"
        malpedia_license    = "CC BY-SA 4.0"
        malpedia_sharing    = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Division by a constant modulus, result tested for zero. (n = 7, score = 100)
        //   f7fe        idiv esi
        //   85d2        test edx, edx
        //   7521        jne  0x23
        //   b905000000  mov  ecx, 5
        //   8b45f4      mov  eax, dword ptr [ebp - 0xc]
        //   99          cdq
        //   f7f9        idiv ecx
        $sequence_0 = { f7 fe 85 d2 75 21 b9 05 00 00 00 8b 45 f4 99 f7 f9 }

        // 12-byte fill loop into a stack buffer, then its address is stored. (n = 7, score = 100)
        //   889435d5f9ffff  mov  byte ptr [ebp + esi - 0x62b], dl
        //   46              inc  esi
        //   83fe0c          cmp  esi, 0xc
        //   72d3            jb   0xffffffd5
        //   8d85d5f9ffff    lea  eax, [ebp - 0x62b]
        //   8985e0f6ffff    mov  dword ptr [ebp - 0x920], eax
        //   c685f8faffff00  mov  byte ptr [ebp - 0x508], 0
        $sequence_1 = { 88 94 35 d5 f9 ff ff 46 83 fe 0c 72 d3 8d 85 d5 f9 ff ff 89 85 e0 f6 ff ff c6 85 f8 fa ff ff 00 }

        // Byte-wise stack writes followed by a call; the rel32 target is wildcarded. (n = 7, score = 100)
        //   c6458a37      mov  byte ptr [ebp - 0x76], 0x37
        //   c6458b0e      mov  byte ptr [ebp - 0x75], 0xe
        //   c6458c69      mov  byte ptr [ebp - 0x74], 0x69
        //   c6458d01      mov  byte ptr [ebp - 0x73], 1
        //   c6458e28      mov  byte ptr [ebp - 0x72], 0x28
        //   8a854dffffff  mov  al, byte ptr [ebp - 0xb3]
        //   e8????????    call rel32 (displacement masked)
        $sequence_2 = { c6 45 8a 37 c6 45 8b 0e c6 45 8c 69 c6 45 8d 01 c6 45 8e 28 8a 85 4d ff ff ff e8 ?? ?? ?? ?? }

        // Remainder test after idiv, with a scaled index kept in a local. (n = 6, score = 100)
        //   f7fb    idiv ebx
        //   8b45f0  mov  eax, dword ptr [ebp - 0x10]
        //   c1e602  shl  esi, 2
        //   8975ec  mov  dword ptr [ebp - 0x14], esi
        //   85d2    test edx, edx
        //   743f    je   0x41
        $sequence_3 = { f7 fb 8b 45 f0 c1 e6 02 89 75 ec 85 d2 74 3f }

        // Loop epilogue storing into a table; the moffs32 address is wildcarded. (n = 7, score = 100)
        //   40          inc  eax
        //   74dd        je   0xffffffdf
        //   a1????????  mov  eax, dword ptr [moffs32] (address masked)
        //   8b4df8      mov  ecx, dword ptr [ebp - 8]
        //   5f          pop  edi
        //   893401      mov  dword ptr [ecx + eax], esi
        //   8bc6        mov  eax, esi
        $sequence_4 = { 40 74 dd a1 ?? ?? ?? ?? 8b 4d f8 5f 89 34 01 8b c6 }

        // More byte-wise stack writes around a call; rel32 target wildcarded. (n = 7, score = 100)
        //   c6458f0d      mov  byte ptr [ebp - 0x71], 0xd
        //   89852cffffff  mov  dword ptr [ebp - 0xd4], eax
        //   c6459044      mov  byte ptr [ebp - 0x70], 0x44
        //   8a4585        mov  al, byte ptr [ebp - 0x7b]
        //   e8????????    call rel32 (displacement masked)
        //   c645e800      mov  byte ptr [ebp - 0x18], 0
        //   c645e900      mov  byte ptr [ebp - 0x17], 0
        $sequence_5 = { c6 45 8f 0d 89 85 2c ff ff ff c6 45 90 44 8a 45 85 e8 ?? ?? ?? ?? c6 45 e8 00 c6 45 e9 00 }

        // Two divisions feeding a byte store into a stack buffer. (n = 6, score = 100)
        //   f7fb            idiv ebx
        //   8d427f          lea  eax, [edx + 0x7f]
        //   99              cdq
        //   f7fb            idiv ebx
        //   889435a5faffff  mov  byte ptr [ebp + esi - 0x55b], dl
        //   46              inc  esi
        $sequence_6 = { f7 fb 8d 42 7f 99 f7 fb 88 94 35 a5 fa ff ff 46 }

        // Consecutive immediate byte stores; the immediates are the ASCII bytes "%|%6%%". (n = 6, score = 100)
        //   c685c0fdffff25  mov  byte ptr [ebp - 0x240], 0x25
        //   c685c1fdffff7c  mov  byte ptr [ebp - 0x23f], 0x7c
        //   c685c2fdffff25  mov  byte ptr [ebp - 0x23e], 0x25
        //   c685c3fdffff36  mov  byte ptr [ebp - 0x23d], 0x36
        //   c685c4fdffff25  mov  byte ptr [ebp - 0x23c], 0x25
        //   c685c5fdffff25  mov  byte ptr [ebp - 0x23b], 0x25
        $sequence_7 = { c6 85 c0 fd ff ff 25 c6 85 c1 fd ff ff 7c c6 85 c2 fd ff ff 25 c6 85 c3 fd ff ff 36 c6 85 c4 fd ff ff 25 c6 85 c5 fd ff ff 25 }

        // Same modulus-5 setup as $sequence_0, with an aligning multi-byte nop. (n = 7, score = 100)
        //   83c8fe      or   eax, 0xfffffffe
        //   40          inc  eax
        //   7579        jne  0x7b
        //   b905000000  mov  ecx, 5
        //   0f1f440000  nop  dword ptr [eax + eax]
        //   8b45f4      mov  eax, dword ptr [ebp - 0xc]
        //   99          cdq
        $sequence_8 = { 83 c8 fe 40 75 79 b9 05 00 00 00 0f 1f 44 00 00 8b 45 f4 99 }

        // Word-granular scan loop ending in a length computation (halved byte delta). (n = 7, score = 100)
        //   6685c0  test ax, ax
        //   75f5    jne  0xfffffff7
        //   2bce    sub  ecx, esi
        //   d1f9    sar  ecx, 1
        //   51      push ecx
        //   8d45c9  lea  eax, [ebp - 0x37]
        //   8bca    mov  ecx, edx
        $sequence_9 = { 66 85 c0 75 f5 2b ce d1 f9 51 8d 45 c9 8b ca }

    condition:
        // 490KB == 501760 bytes; the size cap keeps the rule off large files.
        7 of ($sequence_*) and filesize < 490KB
}