Actor(s): Turla
There is no description at this point.
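rule win_skipper_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.skipper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reader notes (added on review, the strings and condition below are
     * unchanged from the generated rule):
     *
     * - Each $sequence_N is a run of x86 opcode bytes; "n" in its trailing
     *   comment is the number of opcode tokens in the braces, and "score" is
     *   the generator's ranking of the sequence (higher ranked first; exact
     *   semantics are defined by yara-signator, see the link above).
     * - The "??" wildcards mask operand bytes that the generator treats as
     *   build-specific (per signator_config: call/jump targets and data
     *   references), so only the opcode skeleton is matched there.
     * - The per-opcode disassembly annotations after "|" are emitted by the
     *   generator and, in many sequences, do NOT describe the bytes on their
     *   own line: e.g. $sequence_1 labels 6a00 as "inc esp" while $sequence_0
     *   and $sequence_8 label the same bytes "push 0" (which is the correct
     *   decoding of 6a 00). Treat them as indicative at best; disassemble the
     *   raw bytes yourself before using a sequence for triage or reporting.
     * - Sequences beginning with REX prefixes (bytes 0x40-0x4f, e.g.
     *   $sequence_9, $sequence_12, $sequence_25) appear to come from a 64-bit
     *   build, the others from a 32-bit build; the "7 of them" threshold can
     *   be met by either set on its own.
     * - The strings were extracted from memory dumps and unpacked files, and
     *   the condition caps filesize at 262144 bytes (256 KiB). Expect misses
     *   on packed on-disk samples and on dumps larger than that cap; lift the
     *   cap or pair the rule with unpacked-memory scanning if that matters
     *   in your deployment.
     */

    strings:
        $sequence_0 = { 6a00 6a00 6a03 68???????? 68???????? 6a50 }
            // n = 6, score = 600
            //   6a00                 | push 0
            //   6a00                 | push 0
            //   6a03                 | push 3
            //   68????????           |
            //   68????????           |
            //   6a50                 | push 0x50

        $sequence_1 = { ff15???????? 6a00 6a00 6a00 6a00 68???????? 68???????? }
            // n = 7, score = 500
            //   ff15????????         |
            //   6a00                 | inc esp
            //   6a00                 | mov eax, ecx
            //   6a00                 | inc esp
            //   6a00                 | mov ecx, ecx
            //   68????????           |
            //   68????????           |

        $sequence_2 = { 6804010000 e8???????? 6804010000 8bf8 6a00 }
            // n = 5, score = 500
            //   6804010000           | dec eax
            //   e8????????           |
            //   6804010000           | lea ebx, [esp]
            //   8bf8                 | dec esp
            //   6a00                 | lea eax, [esp]

        $sequence_3 = { 6800803801 6a00 ff37 e8???????? }
            // n = 4, score = 400
            //   6800803801           | push 0
            //   6a00                 | push edi
            //   ff37                 | push 0x104
            //   e8????????           |

        $sequence_4 = { b9???????? e8???????? 83c428 53 }
            // n = 4, score = 400
            //   b9????????           |
            //   e8????????           |
            //   83c428               | dec eax
            //   53                   | xor eax, esp

        $sequence_5 = { e8???????? 6804010000 6a00 50 89442430 e8???????? 6804010000 }
            // n = 7, score = 400
            //   e8????????           |
            //   6804010000           | inc eax
            //   6a00                 | dec eax
            //   50                   | lea edx, [edx + 1]
            //   89442430             | cmp eax, 0x100
            //   e8????????           |
            //   6804010000           | jl 8

        $sequence_6 = { b9???????? e8???????? 57 53 56 }
            // n = 5, score = 400
            //   b9????????           |
            //   e8????????           |
            //   57                   | mov byte ptr [ebx - 1], dl
            //   53                   | dec eax
            //   56                   | dec ebx

        $sequence_7 = { e8???????? 53 6a11 68???????? b9???????? e8???????? 6a04 }
            // n = 7, score = 400
            //   e8????????           |
            //   53                   | inc edx
            //   6a11                 | xor dl, byte ptr [edi + ebx - 1]
            //   68????????           |
            //   b9????????           |
            //   e8????????           |
            //   6a04                 | inc ecx

        $sequence_8 = { 83c404 6a00 6a64 52 50 }
            // n = 5, score = 300
            //   83c404               | add esp, 4
            //   6a00                 | push 0
            //   6a64                 | push 0x64
            //   52                   | push edx
            //   50                   | push eax

        $sequence_9 = { ffc0 488d5201 3d00010000 7cf1 448bc1 448bc9 488d1c24 }
            // n = 7, score = 200
            //   ffc0                 | sub esp, 0x28
            //   488d5201             | dec eax
            //   3d00010000           | mov ecx, dword ptr [edx + 8]
            //   7cf1                 | test eax, eax
            //   448bc1               | je 0xf
            //   448bc9               | inc eax
            //   488d1c24             | mov byte ptr [edx], dh

        $sequence_10 = { 408832 4181f900010000 7c9a 488bdd 85ed }
            // n = 5, score = 200
            //   408832               | dec eax
            //   4181f900010000       | lea edx, [0xda9e]
            //   7c9a                 | inc esp
            //   488bdd               | lea eax, [eax + 0x15]
            //   85ed                 | dec eax

        $sequence_11 = { 8a95e4feffff 88940df0feffff ebd0 c785e8feffff00000000 }
            // n = 4, score = 200
            //   8a95e4feffff         | mov dl, byte ptr [ebp - 0x11c]
            //   88940df0feffff       | mov byte ptr [ebp + ecx - 0x110], dl
            //   ebd0                 | jmp 0xffffffd2
            //   c785e8feffff00000000 | mov dword ptr [ebp - 0x118], 0

        $sequence_12 = { 48897c2420 4156 4881ec10010000 488b05???????? 4833c4 }
            // n = 5, score = 200
            //   48897c2420           | movzx eax, byte ptr [edx]
            //   4156                 | dec eax
            //   4881ec10010000       | xor eax, esp
            //   488b05????????       |
            //   4833c4               | dec eax

        $sequence_13 = { 888c05f0feffff 0fb695e8feffff 8a85effeffff 888415f0feffff }
            // n = 4, score = 200
            //   888c05f0feffff       | mov byte ptr [ebp + eax - 0x110], cl
            //   0fb695e8feffff       | movzx edx, byte ptr [ebp - 0x118]
            //   8a85effeffff         | mov al, byte ptr [ebp - 0x111]
            //   888415f0feffff       | mov byte ptr [ebp + edx - 0x110], al

        $sequence_14 = { eb0f 8b85e0feffff 83c001 8985e0feffff 81bde0feffff00010000 0f8d84000000 8b8de0feffff }
            // n = 7, score = 200
            //   eb0f                 | push 0
            //   8b85e0feffff         | push eax
            //   83c001               | mov dword ptr [ebp - 0x20], eax
            //   8985e0feffff         | push 4
            //   81bde0feffff00010000 | mov edi, eax
            //   0f8d84000000         | push edi
            //   8b8de0feffff         | mov edi, eax

        $sequence_15 = { 488d1424 448bd1 8bc1 0f1f840000000000 8802 ffc0 488d5201 }
            // n = 7, score = 200
            //   488d1424             | add eax, eax
            //   448bd1               | inc ecx
            //   8bc1                 | movzx eax, dl
            //   0f1f840000000000     | inc ebp
            //   8802                 | movzx ecx, byte ptr [eax]
            //   ffc0                 | dec eax
            //   488d5201             | add edx, eax

        $sequence_16 = { 55 8bec 81ec24010000 a1???????? 33c5 8945f4 }
            // n = 6, score = 200
            //   55                   | push 0
            //   8bec                 | push edi
            //   81ec24010000         | push edi
            //   a1????????           |
            //   33c5                 | push 8
            //   8945f4               | xor eax, eax

        $sequence_17 = { 4c03c0 410fb6c2 450fb608 4803d0 0fb602 }
            // n = 5, score = 200
            //   4c03c0               | mov ecx, ebx
            //   410fb6c2             | inc ecx
            //   450fb608             | mov ecx, 0x3000
            //   4803d0               | inc ecx
            //   0fb602               | mov eax, 0x104

        $sequence_18 = { 8a85effeffff 888415f0feffff e9???????? c785dcfeffff00000000 }
            // n = 4, score = 200
            //   8a85effeffff         | mov al, byte ptr [ebp - 0x111]
            //   888415f0feffff       | mov byte ptr [ebp + edx - 0x110], al
            //   e9????????           |
            //   c785dcfeffff00000000 | mov dword ptr [ebp - 0x124], 0

        $sequence_19 = { 0fb6940df0feffff 0fb645fc 0fb68c05f0feffff 03d1 }
            // n = 4, score = 200
            //   0fb6940df0feffff     | movzx edx, byte ptr [ebp + ecx - 0x110]
            //   0fb645fc             | movzx eax, byte ptr [ebp - 4]
            //   0fb68c05f0feffff     | movzx ecx, byte ptr [ebp + eax - 0x110]
            //   03d1                 | add edx, ecx

        $sequence_20 = { 410fb6c0 488d1424 41ffc1 4803d0 }
            // n = 4, score = 200
            //   410fb6c0             | mov edi, eax
            //   488d1424             | dec esp
            //   41ffc1               | lea eax, [esp + 0xf0]
            //   4803d0               | dec eax

        $sequence_21 = { 81bde0feffff00010000 0f8d84000000 8b8de0feffff 0fb68c0df0feffff 038de8feffff 8b85e0feffff }
            // n = 6, score = 200
            //   81bde0feffff00010000 | cmp dword ptr [ebp - 0x120], 0x100
            //   0f8d84000000         | jge 0x8a
            //   8b8de0feffff         | mov ecx, dword ptr [ebp - 0x120]
            //   0fb68c0df0feffff     | movzx ecx, byte ptr [ebp + ecx - 0x110]
            //   038de8feffff         | add ecx, dword ptr [ebp - 0x118]
            //   8b85e0feffff         | mov eax, dword ptr [ebp - 0x120]

        $sequence_22 = { 41ffc1 4803d0 48ffc3 0fb602 }
            // n = 4, score = 200
            //   41ffc1               | lea edx, [0x58c9]
            //   4803d0               | dec eax
            //   48ffc3               | mov ecx, ebx
            //   0fb602               | dec eax

        $sequence_23 = { 4833c4 4889842400010000 4c8b9c2440010000 33c9 }
            // n = 4, score = 200
            //   4833c4               | dec eax
            //   4889842400010000     | mov ecx, eax
            //   4c8b9c2440010000     | mov dword ptr [esp + 0x20], 4
            //   33c9                 | dec eax

        $sequence_24 = { 8b4df8 0fb6940df0feffff 0355fc 81e2ff000080 }
            // n = 4, score = 200
            //   8b4df8               | mov ecx, dword ptr [ebp - 8]
            //   0fb6940df0feffff     | movzx edx, byte ptr [ebp + ecx - 0x110]
            //   0355fc               | add edx, dword ptr [ebp - 4]
            //   81e2ff000080         | and edx, 0x800000ff

        $sequence_25 = { 41b900300000 41b804010000 488bc8 c744242004000000 488bf8 ff15???????? 4c8d8424f0000000 }
            // n = 7, score = 100
            //   41b900300000         | lea ecx, [0x9aa3]
            //   41b804010000         | dec eax
            //   488bc8               | mov dword ptr [ebx + eax], ecx
            //   c744242004000000     | dec eax
            //   488bf8               | lea eax, [0x9f7d]
            //   ff15????????         |
            //   4c8d8424f0000000     | je 0x11

        $sequence_26 = { 6a0d 58 5d c3 8b04cdaca72300 5d c3 }
            // n = 7, score = 100
            //   6a0d                 | push 0x104
            //   58                   | mov edi, eax
            //   5d                   | push 0
            //   c3                   | push edi
            //   8b04cdaca72300       | push 0
            //   5d                   | push 0
            //   c3                   | push 0

        $sequence_27 = { ff15???????? 488d15c9580000 488bcb 488905???????? ff15???????? }
            // n = 5, score = 100
            //   ff15????????         |
            //   488d15c9580000       | cmp dword ptr [eax], ecx
            //   488bcb               | je 0x14
            //   488905????????       |
            //   ff15????????         |

        $sequence_28 = { 68???????? ff15???????? 8b3d???????? 85c0 0f84e4000000 6a39 }
            // n = 6, score = 100
            //   68????????           |
            //   ff15????????         |
            //   8b3d????????         |
            //   85c0                 | push 0x50
            //   0f84e4000000         | push 3
            //   6a39                 | push 0x50

        $sequence_29 = { 8b8dd4feffff 51 ff15???????? 8985e4feffff 6a04 6800300000 6804010000 }
            // n = 7, score = 100
            //   8b8dd4feffff         | push 0
            //   51                   | push eax
            //   ff15????????         |
            //   8985e4feffff         | push 0x104
            //   6a04                 | push 0x104
            //   6800300000           | mov edi, eax
            //   6804010000           | push 0

        $sequence_30 = { 8b45e0 8b0485606d4100 f644180401 7428 57 e8???????? }
            // n = 6, score = 100
            //   8b45e0               | push ebp
            //   8b0485606d4100       | mov ebp, esp
            //   f644180401           | push 0
            //   7428                 | push 0
            //   57                   | push 3
            //   e8????????           |

        $sequence_31 = { 8d95e0feffff 52 6a00 8b85d8feffff 50 }
            // n = 5, score = 100
            //   8d95e0feffff         | push ebx
            //   52                   | push 0x104
            //   6a00                 | push 0
            //   8b85d8feffff         | push eax
            //   50                   | mov dword ptr [esp + 0x30], eax

        $sequence_32 = { bf???????? 833cf574a0230001 751e 8d04f570a02300 8938 }
            // n = 5, score = 100
            //   bf????????           |
            //   833cf574a0230001     | push 0x104
            //   751e                 | push ebx
            //   8d04f570a02300       | push 0x11
            //   8938                 | push 4

        $sequence_33 = { 4885c0 7507 b81a000000 eb23 488d0da39a0000 48890c03 }
            // n = 6, score = 100
            //   4885c0               | test eax, eax
            //   7507                 | inc esp
            //   b81a000000           | mov esi, eax
            //   eb23                 | jne 0xf9
            //   488d0da39a0000       | dec eax
            //   48890c03             | lea ecx, [0x5920]

        $sequence_34 = { 72ed 48833d????????00 741f 488d0d4a140100 e8???????? 85c0 }
            // n = 6, score = 100
            //   72ed                 | lea eax, [ecx + 0x28]
            //   48833d????????00     |
            //   741f                 | inc ecx
            //   488d0d4a140100       | mov eax, 6
            //   e8????????           |
            //   85c0                 | dec eax

        $sequence_35 = { 488d057d9f0000 740f 3908 740e 4883c010 4883780800 }
            // n = 6, score = 100
            //   488d057d9f0000       | xor edx, edx
            //   740f                 | inc ecx
            //   3908                 | mov eax, 0x800
            //   740e                 | dec eax
            //   4883c010             | test eax, eax
            //   4883780800           | jne 9

        $sequence_36 = { 488d159eda0000 448d4015 488bcb e8???????? }
            // n = 4, score = 100
            //   488d159eda0000       | mov eax, 0x1a
            //   448d4015             | jmp 0x25
            //   488bcb               | dec eax
            //   e8????????           |

        $sequence_37 = { e8???????? 48393d???????? 448bf0 0f85f3000000 488d0d20590000 33d2 41b800080000 }
            // n = 7, score = 100
            //   e8????????           |
            //   48393d????????       |
            //   448bf0               | lea edx, [0xae8c]
            //   0f85f3000000         | jb 0xffffffef
            //   488d0d20590000       | je 0x21
            //   33d2                 | dec eax
            //   41b800080000         | lea ecx, [0x1144a]

        $sequence_38 = { 8d8ddcfeffff 8d5101 8a01 41 }
            // n = 4, score = 100
            //   8d8ddcfeffff         | push 0
            //   8d5101               | push edi
            //   8a01                 | push 0x104
            //   41                   | mov byte ptr [esp + 0x13], 0

        $sequence_39 = { c745e4a06c4100 a1???????? 33db 43 895de0 }
            // n = 5, score = 100
            //   c745e4a06c4100       | push 0x104
            //   a1????????           |
            //   33db                 | push 0
            //   43                   | push eax
            //   895de0               | ret

        $sequence_40 = { 8bbdccfeffff 8b0d???????? 890f 8b15???????? 895704 66a1???????? }
            // n = 6, score = 100
            //   8bbdccfeffff         | push edi
            //   8b0d????????         |
            //   890f                 | push 0x104
            //   8b15????????         |
            //   895704               | push 0x104
            //   66a1????????         |

        $sequence_41 = { 8b7508 c7465cd8812300 33ff 47 897e14 85c0 7424 }
            // n = 7, score = 100
            //   8b7508               | push 0
            //   c7465cd8812300       | push 0
            //   33ff                 | push 0x104
            //   47                   | push 0x104
            //   897e14               | mov edi, eax
            //   85c0                 | push 0
            //   7424                 | push 0x104

        $sequence_42 = { 8810 33ff 8d5001 8b048d606d4100 47 4e 807d1300 }
            // n = 7, score = 100
            //   8810                 | push 0x104
            //   33ff                 | push 0x104
            //   8d5001               | mov edi, eax
            //   8b048d606d4100       | push 0
            //   47                   | push 0
            //   4e                   | push 0
            //   807d1300             | push 0

        $sequence_43 = { 6804010000 8b85d8feffff 50 8b8de4feffff 51 ff15???????? 5f }
            // n = 7, score = 100
            //   6804010000           | push 3
            //   8b85d8feffff         | push 0x50
            //   50                   | push 3
            //   8b8de4feffff         | push 0x50
            //   51                   | push 0
            //   ff15????????         |
            //   5f                   | push 0

        $sequence_44 = { 488b81f8000000 4885c0 7403 f0ff00 488d4128 41b806000000 488d158cae0000 }
            // n = 7, score = 100
            //   488b81f8000000       | dec eax
            //   4885c0               | mov eax, dword ptr [ecx + 0xf8]
            //   7403                 | dec eax
            //   f0ff00               | test eax, eax
            //   488d4128             | je 5
            //   41b806000000         | lock inc dword ptr [eax]
            //   488d158cae0000       | dec eax

        $sequence_45 = { 33c0 39b8b8a62300 0f8491000000 ff45e4 83c030 }
            // n = 5, score = 100
            //   33c0                 | push 0
            //   39b8b8a62300         | push 0
            //   0f8491000000         | push 3
            //   ff45e4               | push 0x50
            //   83c030               | push 0

    condition:
        // Any 7 of the 46 sequences suffice; the size cap is on the scanned
        // object (file or memory region), so large dumps fall outside it.
        7 of them and filesize < 262144
}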