There is no description at this point.
rule win_shady_hammock_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.shady_hammock."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shady_hammock"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (not part of the signature)
     * - Every sequence below carries a REX prefix (0x40-0x4f) or addresses r8-r15,
     *   so this rule can only match a 64-bit build of the family; a 32-bit build
     *   of the same code would not fire any of these strings.
     * - The per-byte annotations shipped with the generated rule did not match the
     *   hex bytes they sat next to. The annotations here were re-derived by decoding
     *   each byte string as x86-64. The bytes are authoritative; the comments are
     *   documentation only and do not affect matching.
     * - `??` wildcards cover rel32 call targets and RIP-relative displacements,
     *   which move between builds; everything else is matched literally, so a
     *   recompile with different register allocation will break individual strings.
     * - The rule is meant for unpacked files and memory dumps, hence no MZ/PE header
     *   check in the condition. Do not add one without re-testing against dumps.
     */

    strings:
        // Store two fields into an object at rdi, test a dword at +0xd0, branch.
        $sequence_0 = { 48895f30 8b87d0000000 85c0 740c 488d0c03 488bd3 }
            // n = 6, score = 200
            // 48895f30             | mov qword ptr [rdi + 0x30], rbx
            // 8b87d0000000         | mov eax, dword ptr [rdi + 0xd0]
            // 85c0                 | test eax, eax
            // 740c                 | je +0xc
            // 488d0c03             | lea rcx, [rbx + rax]
            // 488bd3               | mov rdx, rbx

        // Call with rcx/rdi = rax, then reload a global and zero r9 (likely a
        // NULL 4th argument under the Win64 calling convention -- confirm in sample).
        $sequence_1 = { 488bc8 488bf8 e8???????? 488b0d???????? 4533c9 }
            // n = 5, score = 200
            // 488bc8               | mov rcx, rax
            // 488bf8               | mov rdi, rax
            // e8????????           | call <rel32>
            // 488b0d????????       | mov rcx, qword ptr [rip + <disp32>]
            // 4533c9               | xor r9d, r9d

        // rax = rbx - (r15 >> 1)
        $sequence_2 = { eb2c 498bcf 488bc3 48d1e9 482bc1 }
            // n = 5, score = 200
            // eb2c                 | jmp +0x2c
            // 498bcf               | mov rcx, r15
            // 488bc3               | mov rax, rbx
            // 48d1e9               | shr rcx, 1
            // 482bc1               | sub rax, rcx

        // Loop tail: load a pointer-sized slot at [rbx + r13], loop while non-NULL,
        // then advance ebp and compute rcx = rbp*4 + rbp = rbp*5.
        $sequence_3 = { 4a8b0c2b 4885c9 75cc ffc5 488d0cad00000000 4803cd }
            // n = 6, score = 200
            // 4a8b0c2b             | mov rcx, qword ptr [rbx + r13]
            // 4885c9               | test rcx, rcx
            // 75cc                 | jne -0x34
            // ffc5                 | inc ebp
            // 488d0cad00000000     | lea rcx, [rbp*4 + 0]
            // 4803cd               | add rcx, rbp

        // rbx = min(rdx, rcx + r15); then compare rbx+1 against 0x1000 (4096).
        $sequence_4 = { 4a8d0439 488bda 483bd0 480f42d8 488d4b01 4881f900100000 720a }
            // n = 7, score = 200
            // 4a8d0439             | lea rax, [rcx + r15]
            // 488bda               | mov rbx, rdx
            // 483bd0               | cmp rdx, rax
            // 480f42d8             | cmovb rbx, rax
            // 488d4b01             | lea rcx, [rbx + 1]
            // 4881f900100000       | cmp rcx, 0x1000
            // 720a                 | jb +0xa

        // Store rbp/rbx into an object at rdi, set up r8/rcx for a call, and
        // branch on r15 < 16.
        $sequence_5 = { 48896f10 498d2c36 48895f18 4d8bc6 488bce 4983ff10 724d }
            // n = 7, score = 200
            // 48896f10             | mov qword ptr [rdi + 0x10], rbp
            // 498d2c36             | lea rbp, [r14 + rsi]
            // 48895f18             | mov qword ptr [rdi + 0x18], rbx
            // 4d8bc6               | mov r8, r14
            // 488bce               | mov rcx, rsi
            // 4983ff10             | cmp r15, 0x10
            // 724d                 | jb +0x4d

        // PE header walk: [rcx+0x3c] is IMAGE_DOS_HEADER.e_lfanew, and 0x88 is the
        // offset of DataDirectory[EXPORT].VirtualAddress inside IMAGE_NT_HEADERS64.
        // This is the shape of a manual export-table walk (hash-based API resolution);
        // fairly generic across loaders/shellcode, so it is one of the least
        // family-specific strings here. Confirm the use in the sample.
        $sequence_6 = { 4863413c 33db 4c8bea 488bf1 8bbc0888000000 }
            // n = 5, score = 200
            // 4863413c             | movsxd rax, dword ptr [rcx + 0x3c]
            // 33db                 | xor ebx, ebx
            // 4c8bea               | mov r13, rdx
            // 488bf1               | mov rsi, rcx
            // 8bbc0888000000       | mov edi, dword ptr [rax + rcx + 0x88]

        // With r8 pointing at IMAGE_NT_HEADERS64, 0xb0/0xb4 are
        // DataDirectory[BASERELOC].VirtualAddress/.Size -- consistent with a loader
        // applying relocations to a manually mapped image. Also fairly generic;
        // confirm in the sample.
        $sequence_7 = { 418b88b4000000 4803d0 418b80b0000000 4903c1 }
            // n = 4, score = 200
            // 418b88b4000000       | mov ecx, dword ptr [r8 + 0xb4]
            // 4803d0               | add rdx, rax
            // 418b80b0000000       | mov eax, dword ptr [r8 + 0xb0]
            // 4903c1               | add rax, r9

        // Walk an 8-byte-stride table until rdx == 15, checking a global byte flag.
        $sequence_8 = { eb09 488bcb 4883fa0f 743b 803d????????00 7432 4883c208 }
            // n = 7, score = 200
            // eb09                 | jmp +0x9
            // 488bcb               | mov rcx, rbx
            // 4883fa0f             | cmp rdx, 0xf
            // 743b                 | je +0x3b
            // 803d????????00       | cmp byte ptr [rip + <disp32>], 0
            // 7432                 | je +0x32
            // 4883c208             | add rdx, 8

        // 16-bit element copy loop from a stack buffer ([rsp+0x20]) into [r14],
        // 29 (0x1d) elements -- looks like a stack-built wide string being copied
        // out; confirm against the sample.
        $sequence_9 = { 0fb74c4420 6643890c46 49ffc0 4983f81d }
            // n = 4, score = 200
            // 0fb74c4420           | movzx ecx, word ptr [rsp + rax*2 + 0x20]
            // 6643890c46           | mov word ptr [r14 + r8*2], cx
            // 49ffc0               | inc r8
            // 4983f81d             | cmp r8, 0x1d

    condition:
        // 7 of the 10 sequences must be present. The filesize cap comes from the
        // generator (presumably derived from the documented sample); it will
        // exclude larger memory dumps, so relax it if scanning full process images.
        7 of them and filesize < 635904
}