Ransomware.
// Autogenerated YARA rule (yara-signator) for the win.sepsys family.
// Detection logic: ten 7-opcode byte sequences pulled from disassembly; the
// rule fires when at least 7 of them are present in a file smaller than the
// filesize bound in the condition. The `??` wildcards after each `e8` (x86
// call rel32) mask the 4-byte relative displacement, so the sequence still
// matches when the call target differs.
//
// NOTE(review): the mnemonic annotations to the right of each byte group do
// not line up with the bytes they sit beside (e.g. `eb43`, a short jmp, is
// annotated `dec eax`; the `dec eax` lines look like 32-bit decoding of the
// 0x48 REX.W prefix). Treat the hex bytes as authoritative and the
// annotations as informational only.
//
// NOTE(review): per the disclaimer below, the sequences were selected from
// memory dumps and unpacked files, so packed on-disk samples may not match;
// scan unpacked images or process memory where possible.
rule win_sepsys_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.sepsys."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepsys"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is one run of 7 consecutive opcodes (n = 7); the
        // score is yara-signator's ranking of the sequence, not a YARA weight.
        $sequence_0 = { eb43 488b442430 488b4c2470 488908 488b442430 8b4c2478 894808 }
            // n = 7, score = 400
            //   eb43                 | dec eax
            //   488b442430           | sub esp, 0x118
            //   488b4c2470           | dec eax
            //   488908               | mov dword ptr [esp + 0x40], edx
            //   488b442430           | inc esp
            //   8b4c2478             | movzx esp, word ptr [ecx]
            //   894808               | inc esp

        $sequence_1 = { c744244000000800 eb23 837c244001 7d0a c744244000400000 eb12 817c244000040000 }
            // n = 7, score = 400
            //   c744244000000800     | mov byte ptr [ebp + 0x4e7], 0
            //   eb23                 | dec eax
            //   837c244001           | mov eax, dword ptr [ebp + 0x3d0]
            //   7d0a                 | dec eax
            //   c744244000400000     | mov dword ptr [ebp + 0x450], eax
            //   eb12                 | movups xmm0, xmmword ptr [ebp + 0x3c0]
            //   817c244000040000     | dec eax

        $sequence_2 = { c645f701 488b4110 488945e0 0f1001 0f2945d0 488b4dc8 e8???????? }
            // n = 7, score = 400
            //   c645f701             | lea ecx, [ebp + 0x938]
            //   488b4110             | dec eax
            //   488945e0             | lea ecx, [ebp + 0xde8]
            //   0f1001               | dec eax
            //   0f2945d0             | lea ecx, [ebp + 0xe00]
            //   488b4dc8             | jmp 0xb22
            //   e8????????           |

        $sequence_3 = { e8???????? 89442420 837c242000 7406 8b442420 eb0c eb08 }
            // n = 7, score = 400
            //   e8????????           |
            //   89442420             | dec eax
            //   837c242000           | mov eax, dword ptr [esp + 0x60]
            //   7406                 | dec eax
            //   8b442420             | add eax, 0x15f0
            //   eb0c                 | dec eax
            //   eb08                 | mov dword ptr [esp + 0x38], eax

        $sequence_4 = { eb00 e8???????? 8845e0 eb00 488b45f8 8a4def 8808 }
            // n = 7, score = 400
            //   eb00                 | mov ecx, edx
            //   e8????????           |
            //   8845e0               | dec esp
            //   eb00                 | mov edx, eax
            //   488b45f8             | dec eax
            //   8a4def               | mov dword ptr [ebp + 0x3e8], eax
            //   8808                 | dec eax

        $sequence_5 = { e8???????? 4889942418010000 4889842410010000 488b842410010000 4885c0 0f95c1 0fb6d1 }
            // n = 7, score = 400
            //   e8????????           |
            //   4889942418010000     | dec eax
            //   4889842410010000     | mov dword ptr [esp + 0xb0], 0
            //   488b842410010000     | mov dword ptr [esp + 0x90], 0
            //   4885c0               | inc ecx
            //   0f95c1               | mov eax, 2
            //   0fb6d1               | xor edx, edx

        $sequence_6 = { e8???????? eb54 48837c246000 7421 488b442460 488b8c2488000000 48894828 }
            // n = 7, score = 400
            //   e8????????           |
            //   eb54                 | mov ecx, esi
            //   48837c246000         | inc ebp
            //   7421                 | xor ebx, ebx
            //   488b442460           | dec ebp
            //   488b8c2488000000     | test ecx, ecx
            //   48894828             | inc ecx

        $sequence_7 = { e8???????? 488945b8 eb00 488b4db8 e8???????? 488945b0 eb00 }
            // n = 7, score = 400
            //   e8????????           |
            //   488945b8             | dec eax
            //   eb00                 | mov dword ptr [eax + 0xf30], 0
            //   488b4db8             | xor eax, eax
            //   e8????????           |
            //   488945b0             | test eax, eax
            //   eb00                 | jne 0xf84

        $sequence_8 = { 8b442420 25ff000000 8bc8 e8???????? b901000000 486bc902 488b542460 }
            // n = 7, score = 400
            //   8b442420             | jne 0x1512
            //   25ff000000           | mov eax, 8
            //   8bc8                 | dec eax
            //   e8????????           |
            //   b901000000           | imul eax, eax, 0
            //   486bc902             | dec eax
            //   488b542460           | lea ecx, [0x80a12]

        $sequence_9 = { eb08 c744246401000000 0fb6442464 88442420 0fb6442420 85c0 7415 }
            // n = 7, score = 400
            //   eb08                 | dec esp
            //   c744246401000000     | lea eax, [0xa8f0]
            //   0fb6442464           | dec esp
            //   88442420             | add eax, edx
            //   0fb6442420           | dec ecx
            //   85c0                 | mov edx, eax
            //   7415                 | inc esp

    condition:
        // 7 of the 10 sequences must match; `them` covers every $sequence_N
        // above. The filesize bound (4538368 bytes, roughly 4.3 MiB) keeps the
        // rule from running against large files, which also means an
        // oversized or padded sample will not be flagged by this rule.
        7 of them and filesize < 4538368
}