Actor(s): APT41
A Microsoft SQL Server backdoor
rule win_skip20_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.skip20."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reviewer notes on reading this rule:
    //  - The hex byte sequences are the matching content. The "| mnemonic"
    //    annotations next to them are tool output and visibly do not decode
    //    the bytes on the same line (e.g. 56 is a push, not "dec eax";
    //    b808000000 is "mov eax, 8"); they look shifted relative to the hex.
    //    Treat the bytes as authoritative and do not triage from the mnemonics.
    //  - "????????" wildcards the 4-byte displacement/target of the rel32
    //    call/jmp and RIP-relative operands so the sequences survive relocation.
    //  - "n" is the number of opcodes in the sequence; "score" is the tool's
    //    selection score for that sequence, not a per-match weight.
    strings:
        $sequence_0 = { b808000000 668944bb24 66834b1820 ff4d18 0f8854fcffff 488b4510 480fbe08 }
            // n = 7, score = 200
            //   b808000000   | mov eax, ebp
            //   668944bb24   | dec eax
            //   66834b1820   | mov edx, ebx
            //   ff4d18       | dec ecx
            //   0f8854fcffff | mov ecx, esp
            //   488b4510     | mov dword ptr [esp + 0x28], 3
            //   480fbe08     | mov dword ptr [esp + 0x20], eax

        $sequence_1 = { 488bdf 4c8bef 49c1fd05 4c8d350cff0400 }
            // n = 4, score = 200
            //   488bdf         | je 0x9c6
            //   4c8bef         | inc ebp
            //   49c1fd05       | test ecx, ecx
            //   4c8d350cff0400 | jne 0x9cf

        $sequence_2 = { 807a2201 7406 807a2601 7520 440fb74220 4181f86c030000 7f40 }
            // n = 7, score = 200
            //   807a2201       | jg 0x1d69
            //   7406           | inc ecx
            //   807a2601       | cmp ecx, 2
            //   7520           | inc ecx
            //   440fb74220     | or byte ptr [ecx + 0x33], 0x44
            //   4181f86c030000 | jmp 0x1d46
            //   7f40           | cmp eax, 0x800

        $sequence_3 = { 488b4110 480fbf08 48894e08 4883471002 e9???????? 4c8d05f1a2ffff 83fa04 }
            // n = 7, score = 200
            //   488b4110       | mov edx, dword ptr [ebp - 0x39]
            //   480fbf08       | dec esp
            //   48894e08       | mov dword ptr [ebx + 0x10], esp
            //   4883471002     | inc ecx
            //   e9????????     |
            //   4c8d05f1a2ffff | cmp ebx, 3
            //   83fa04         | jne 0x12f0

        $sequence_4 = { 4183f902 7505 4183483804 f6c104 7405 4183483810 4983c202 }
            // n = 7, score = 200
            //   4183f902   | mov eax, edx
            //   7505       | jae 0x1df5
            //   4183483804 | test dword ptr [edi], 0x2000
            //   f6c104     | je 0x1df5
            //   7405       | or dword ptr [edi + 4], 0x2000
            //   4183483810 | mov ecx, esi
            //   4983c202   | and ecx, 0x20000000

        $sequence_5 = { 0f8440010000 b900010000 e9???????? 8b842498000000 4585e4 754a 83f805 }
            // n = 7, score = 200
            //   0f8440010000   | mov dword ptr [esp + 0x28], ecx
            //   b900010000     | dec esp
            //   e9????????     |
            //   8b842498000000 | mov dword ptr [esp + 0x30], esi
            //   4585e4         | cmp esi, 0xf
            //   754a           | je 0xe2d
            //   83f805         | dec esp

        $sequence_6 = { 418bb482a08a0100 eb07 4c8d15b4b2ffff 8bd6 81e200004000 747e 41ff4c2418 }
            // n = 7, score = 200
            //   418bb482a08a0100 | movzx eax, byte ptr [esp + eax + 0x4784]
            //   eb07             | inc ecx
            //   4c8d15b4b2ffff   | mov ecx, dword ptr [esp + eax*4 + 0x4774]
            //   8bd6             | dec ecx
            //   81e200004000     | add ecx, esp
            //   747e             | jmp ecx
            //   41ff4c2418       | ja 0x95

        $sequence_7 = { 56 57 4154 4155 4156 4883ec38 418bf1 }
            // n = 7, score = 200
            //   56       | dec eax
            //   57       | mov dword ptr [esp + 0x50], ebx
            //   4154     | dec eax
            //   4155     | test ebx, ebx
            //   4156     | je 0x2f6
            //   4883ec38 | dec eax
            //   418bf1   | lea edx, [0xffffe37a]

        $sequence_8 = { 0f8492000000 4889442450 488d153ef0ffff 488bc8 e8???????? }
            // n = 5, score = 200
            //   0f8492000000   | dec eax
            //   4889442450     | lea edi, [0x15998]
            //   488d153ef0ffff | jne 0x1b0c
            //   488bc8         | xor edx, edx
            //   e8????????     |

        $sequence_9 = { 488bcb e8???????? 4885c0 0f847affffff 8b15???????? 488d0c52 }
            // n = 6, score = 200
            //   488bcb       | test eax, eax
            //   e8????????   |
            //   4885c0       | mov dword ptr [ebx + edi*4 + 0x22], 0x83101
            //   0f847affffff | dec eax
            //   8b15???????? |
            //   488d0c52     | mov eax, dword ptr [ebp + 0x10]

    condition:
        // Seven of the ten sequences must be present, which keeps a single
        // coincidental sequence hit from firing the rule. The filesize bound is
        // a file-scan constraint; NOTE(review): YARA documents filesize as
        // meaningful only for file scans, so confirm its effect before reusing
        // this rule against process memory.
        7 of them and filesize < 794624
}