Actor(s): Hellsing
There is no description at this point.
// Autogenerated Malpedia rule for win.sisfader: thirty short x86 opcode
// sequences ($sequence_0 .. $sequence_29) extracted from disassembly.
// Bytes shown as "??" are masked call/jump targets and data references
// (see signator_config "callsandjumps;datarefs"), so relocation and
// link-time layout do not break the match.
rule win_sisfader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.sisfader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Each sequence is a run of n consecutive instructions; "score" is the
    // value assigned by yara-signator (its exact meaning is defined by the
    // tool, not by this rule). Several sequences (e.g. $sequence_1,
    // $sequence_14, $sequence_19, $sequence_24) are ordinary compiler output
    // (test/je, nop padding, register moves) and carry little weight on
    // their own; the ones embedding immediate constants ($sequence_12,
    // $sequence_17, $sequence_26) are the more distinctive anchors.
    strings:
        $sequence_0 = { e8???????? 85c0 b91d000000 0f44d9 }
            // n = 4, score = 300
            //   e8????????           |
            //   85c0                 | test                eax, eax
            //   b91d000000           | mov                 ecx, 0x1d
            //   0f44d9               | cmove               ebx, ecx

        $sequence_1 = { 85c9 741f 33c0 85c9 }
            // n = 4, score = 300
            //   85c9                 | test                ecx, ecx
            //   741f                 | je                  0x21
            //   33c0                 | xor                 eax, eax
            //   85c9                 | test                ecx, ecx

        $sequence_2 = { 8955f0 8b45f8 8b4838 894dcc }
            // n = 4, score = 200
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4838               | mov                 ecx, dword ptr [eax + 0x38]
            //   894dcc               | mov                 dword ptr [ebp - 0x34], ecx

        $sequence_3 = { 33c9 e8???????? 85c0 7502 eb7c }
            // n = 5, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |
            //   85c0                 | test                eax, eax
            //   7502                 | jne                 4
            //   eb7c                 | jmp                 0x7e

        $sequence_4 = { ff15???????? a3???????? 833d????????00 7510 6a00 }
            // n = 5, score = 200
            //   ff15????????         |
            //   a3????????           |
            //   833d????????00       |
            //   7510                 | jne                 0x12
            //   6a00                 | push                0

        $sequence_5 = { 85c0 754b 8b4f04 83c124 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   754b                 | jne                 0x4d
            //   8b4f04               | mov                 ecx, dword ptr [edi + 4]
            //   83c124               | add                 ecx, 0x24

        $sequence_6 = { c705????????07000000 8b442438 8905???????? c705????????00000000 }
            // n = 4, score = 200
            //   c705????????07000000     |
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   8905????????         |
            //   c705????????00000000     |

        $sequence_7 = { 8b442440 89442420 837c242001 7425 }
            // n = 4, score = 200
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   837c242001           | cmp                 dword ptr [esp + 0x20], 1
            //   7425                 | je                  0x27

        $sequence_8 = { ff15???????? 89442450 837c245000 7402 }
            // n = 4, score = 200
            //   ff15????????         |
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   837c245000           | cmp                 dword ptr [esp + 0x50], 0
            //   7402                 | je                  4

        $sequence_9 = { 7568 8d43dc 8906 83f824 }
            // n = 4, score = 200
            //   7568                 | jne                 0x6a
            //   8d43dc               | lea                 eax, [ebx - 0x24]
            //   8906                 | mov                 dword ptr [esi], eax
            //   83f824               | cmp                 eax, 0x24

        $sequence_10 = { 6bc800 8b550c 8b040a 50 ff15???????? }
            // n = 5, score = 200
            //   6bc800               | imul                ecx, eax, 0
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b040a               | mov                 eax, dword ptr [edx + ecx]
            //   50                   | push                eax
            //   ff15????????         |

        $sequence_11 = { 33c0 e9???????? e9???????? ff15???????? }
            // n = 4, score = 200
            //   33c0                 | xor                 eax, eax
            //   e9????????           |
            //   e9????????           |
            //   ff15????????         |

        // Embeds the immediate 0x85296365 written to memory; a fixed
        // constant like this is a stronger anchor than the generic
        // compare/branch sequences.
        $sequence_12 = { 75f5 c70665632985 663939 8b3d???????? 7407 }
            // n = 5, score = 200
            //   75f5                 | jne                 0xfffffff7
            //   c70665632985         | mov                 dword ptr [esi], 0x85296365
            //   663939               | cmp                 word ptr [ecx], di
            //   8b3d????????         |
            //   7407                 | je                  9

        // 16-bit compare against 0x2e (ASCII '.'); presumably a wide-char
        // path or extension check — inferred from the operand only.
        $sequence_13 = { 0f84cd010000 6683f92e 750f 6683bc248000000000 0f84b8010000 ffc5 }
            // n = 6, score = 200
            //   0f84cd010000         | je                  0x1d3
            //   6683f92e             | cmp                 cx, 0x2e
            //   750f                 | jne                 0x11
            //   6683bc248000000000     | cmp                 word ptr [esp + 0x80], 0
            //   0f84b8010000         | je                  0x1be
            //   ffc5                 | inc                 ebp

        $sequence_14 = { 7424 85c9 7420 8bc3 660f1f440000 8bc8 }
            // n = 6, score = 200
            //   7424                 | je                  0x26
            //   85c9                 | test                ecx, ecx
            //   7420                 | je                  0x22
            //   8bc3                 | mov                 eax, ebx
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   8bc8                 | mov                 ecx, eax

        $sequence_15 = { 8bda 8bf9 ff15???????? 85c0 0f8584000000 6a06 6a01 }
            // n = 7, score = 200
            //   8bda                 | mov                 ebx, edx
            //   8bf9                 | mov                 edi, ecx
            //   ff15????????         |
            //   85c0                 | test                eax, eax
            //   0f8584000000         | jne                 0x8a
            //   6a06                 | push                6
            //   6a01                 | push                1

        $sequence_16 = { eb2e 8b4dfc c7411001000000 eb11 8b55fc 8b02 8b4df4 }
            // n = 7, score = 200
            //   eb2e                 | jmp                 0x30
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c7411001000000       | mov                 dword ptr [ecx + 0x10], 1
            //   eb11                 | jmp                 0x13
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        // Stores the immediates 0xffddeeaa and 0xf0e1 on the stack; the
        // same 0xffddeeaa value is written in $sequence_26.
        $sequence_17 = { 8b3d???????? 81c600010000 c745dcaaeeddff c745e4e1f00000 }
            // n = 4, score = 200
            //   8b3d????????         |
            //   81c600010000         | add                 esi, 0x100
            //   c745dcaaeeddff       | mov                 dword ptr [ebp - 0x24], 0xffddeeaa
            //   c745e4e1f00000       | mov                 dword ptr [ebp - 0x1c], 0xf0e1

        $sequence_18 = { 83c418 85c0 7502 eb67 8b4dfc }
            // n = 5, score = 200
            //   83c418               | add                 esp, 0x18
            //   85c0                 | test                eax, eax
            //   7502                 | jne                 4
            //   eb67                 | jmp                 0x69
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_19 = { 85c0 741d 8bd3 0f1f440000 8bc2 ffc2 }
            // n = 6, score = 200
            //   85c0                 | test                eax, eax
            //   741d                 | je                  0x1f
            //   8bd3                 | mov                 edx, ebx
            //   0f1f440000           | nop                 dword ptr [eax + eax]
            //   8bc2                 | mov                 eax, edx
            //   ffc2                 | inc                 edx

        // Same 0x2e ('.') word compare as in $sequence_13, on ax.
        $sequence_20 = { 6685c0 0f8496010000 6683f82e 750b }
            // n = 4, score = 200
            //   6685c0               | test                ax, ax
            //   0f8496010000         | je                  0x19c
            //   6683f82e             | cmp                 ax, 0x2e
            //   750b                 | jne                 0xd

        $sequence_21 = { 83ec60 c745fc00000000 c745e000000000 6a40 8b450c }
            // n = 5, score = 200
            //   83ec60               | sub                 esp, 0x60
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   6a40                 | push                0x40
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        // Chain of equality tests on the same stack slot (values 2..5);
        // looks like a switch/dispatch on a small integer — inferred.
        $sequence_22 = { 837c242002 7441 837c242003 745d 837c242004 7479 837c242005 }
            // n = 7, score = 200
            //   837c242002           | cmp                 dword ptr [esp + 0x20], 2
            //   7441                 | je                  0x43
            //   837c242003           | cmp                 dword ptr [esp + 0x20], 3
            //   745d                 | je                  0x5f
            //   837c242004           | cmp                 dword ptr [esp + 0x20], 4
            //   7479                 | je                  0x7b
            //   837c242005           | cmp                 dword ptr [esp + 0x20], 5

        $sequence_23 = { 7405 e9???????? 83bc248000000000 7539 }
            // n = 4, score = 200
            //   7405                 | je                  7
            //   e9????????           |
            //   83bc248000000000     | cmp                 dword ptr [esp + 0x80], 0
            //   7539                 | jne                 0x3b

        $sequence_24 = { 33c9 85c0 7415 0f1f00 8bc1 }
            // n = 5, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   85c0                 | test                eax, eax
            //   7415                 | je                  0x17
            //   0f1f00               | nop                 dword ptr [eax]
            //   8bc1                 | mov                 eax, ecx

        $sequence_25 = { 6a00 6a00 6a01 e8???????? 83c40c eb38 6a00 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   e8????????           |
            //   83c40c               | add                 esp, 0xc
            //   eb38                 | jmp                 0x3a
            //   6a00                 | push                0

        // Writes the immediate 0xffddeeaa (also seen in $sequence_17)
        // into a structure field.
        $sequence_26 = { 56 57 8b7d10 8b7720 c706aaeeddff 8b420c 89460c }
            // n = 7, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   8b7720               | mov                 esi, dword ptr [edi + 0x20]
            //   c706aaeeddff         | mov                 dword ptr [esi], 0xffddeeaa
            //   8b420c               | mov                 eax, dword ptr [edx + 0xc]
            //   89460c               | mov                 dword ptr [esi + 0xc], eax

        $sequence_27 = { 8b4204 8bcf 83c024 50 e8???????? }
            // n = 5, score = 200
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   8bcf                 | mov                 ecx, edi
            //   83c024               | add                 eax, 0x24
            //   50                   | push                eax
            //   e8????????           |

        $sequence_28 = { 6bc800 8b5510 0fb7440a40 85c0 }
            // n = 4, score = 200
            //   6bc800               | imul                ecx, eax, 0
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   0fb7440a40           | movzx               eax, word ptr [edx + ecx + 0x40]
            //   85c0                 | test                eax, eax

        $sequence_29 = { e8???????? 33c0 83f801 7425 baffffffff }
            // n = 5, score = 200
            //   e8????????           |
            //   33c0                 | xor                 eax, eax
            //   83f801               | cmp                 eax, 1
            //   7425                 | je                  0x27
            //   baffffffff           | mov                 edx, 0xffffffff

    // Fires when any 7 of the 30 sequences are present and the scanned
    // object is smaller than 417792 bytes (0x66000). The size bound keeps
    // the generic sequences from matching large benign binaries; note that
    // "filesize" refers to the scanned file's size — when scanning process
    // memory or dumps rather than files, confirm how your YARA build
    // evaluates it before relying on the bound. Raising the "7 of them"
    // threshold trades recall for precision; the constant-bearing
    // sequences noted above are the ones worth requiring if you tune it.
    condition:
        7 of them and filesize < 417792
}