win.snowflake_stealer

SnowFlake Stealer


Information stealer, written in Rust.

References
2022-02-14 — Github (Finch4) — Finch
SnowFlake Stealer
SnowFlake Stealer
Yara Rules
[TLP:WHITE] win_snowflake_stealer_auto (20260504 | Detects win.snowflake_stealer.)
rule win_snowflake_stealer_auto {
    // Autogenerated code-fragment signature for win.snowflake_stealer.
    // Each $sequence_N below is a run of 7 consecutive x86 instructions
    // (32-bit register names in the disassembly) taken from unpacked /
    // memory-dumped samples; the rule fires when 7 of the 10 fragments
    // are present in a file under the size cap in the condition.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.snowflake_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snowflake_stealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Reading the per-sequence annotations: "n" is the instruction count,
    // "score" the generator's confidence. Bytes written as "??" are wildcards
    // that mask operands which change between builds or load addresses
    // (the e8/e9 call/jmp displacements, the ff15 indirect-call address and
    // the 68 push immediate); those lines have no disassembly shown.
    strings:
        $sequence_0 = { e8???????? 83c40c eb14 f30f7e00 f20f104808 f20f114c1008 660fd60410 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb14                 | jmp                 0x16
            //   f30f7e00             | movq                xmm0, qword ptr [eax]
            //   f20f104808           | movsd               xmm1, qword ptr [eax + 8]
            //   f20f114c1008         | movsd               qword ptr [eax + edx + 8], xmm1
            //   660fd60410           | movq                qword ptr [eax + edx], xmm0

        $sequence_1 = { f3a5 66899880000000 66899082000000 8d8c24b0000000 832000 e8???????? e9???????? }
            // n = 7, score = 100
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   66899880000000       | mov                 word ptr [eax + 0x80], bx
            //   66899082000000       | mov                 word ptr [eax + 0x82], dx
            //   8d8c24b0000000       | lea                 ecx, [esp + 0xb0]
            //   832000               | and                 dword ptr [eax], 0
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_2 = { f7472400100000 740c ff36 e8???????? 59 85c0 7504 }
            // n = 7, score = 100
            //   f7472400100000       | test                dword ptr [edi + 0x24], 0x1000
            //   740c                 | je                  0xe
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7504                 | jne                 6

        $sequence_3 = { f644242407 5f 5e 5d 5b 740a ff74241c }
            // n = 7, score = 100
            //   f644242407           | test                byte ptr [esp + 0x24], 7
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   740a                 | je                  0xc
            //   ff74241c             | push                dword ptr [esp + 0x1c]

        $sequence_4 = { f20f108424c0000000 f20f108c24c8000000 8d8c2490000000 8d7c2418 896f08 f20f114908 f20f1101 }
            // n = 7, score = 100
            //   f20f108424c0000000     | movsd    xmm0, qword ptr [esp + 0xc0]
            //   f20f108c24c8000000     | movsd    xmm1, qword ptr [esp + 0xc8]
            //   8d8c2490000000       | lea                 ecx, [esp + 0x90]
            //   8d7c2418             | lea                 edi, [esp + 0x18]
            //   896f08               | mov                 dword ptr [edi + 8], ebp
            //   f20f114908           | movsd               qword ptr [ecx + 8], xmm1
            //   f20f1101             | movsd               qword ptr [ecx], xmm0

        $sequence_5 = { e9???????? 89f9 8d9424a4000000 e8???????? 807c243809 0f844ffdffff 8dbc2400010000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   89f9                 | mov                 ecx, edi
            //   8d9424a4000000       | lea                 edx, [esp + 0xa4]
            //   e8????????           |                     
            //   807c243809           | cmp                 byte ptr [esp + 0x38], 9
            //   0f844ffdffff         | je                  0xfffffd55
            //   8dbc2400010000       | lea                 edi, [esp + 0x100]

        $sequence_6 = { ff74241c e8???????? e9???????? f6450408 8b4d1c 745c 8b9c24b4000000 }
            // n = 7, score = 100
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   e8????????           |                     
            //   e9????????           |                     
            //   f6450408             | test                byte ptr [ebp + 4], 8
            //   8b4d1c               | mov                 ecx, dword ptr [ebp + 0x1c]
            //   745c                 | je                  0x5e
            //   8b9c24b4000000       | mov                 ebx, dword ptr [esp + 0xb4]

        $sequence_7 = { ff700c 57 e8???????? 83c40c 8b442450 8b4c2434 49 }
            // n = 7, score = 100
            //   ff700c               | push                dword ptr [eax + 0xc]
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b442450             | mov                 eax, dword ptr [esp + 0x50]
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   49                   | dec                 ecx

        $sequence_8 = { f6c301 750f c6463800 eb09 f6c301 0f84903c0000 b101 }
            // n = 7, score = 100
            //   f6c301               | test                bl, 1
            //   750f                 | jne                 0x11
            //   c6463800             | mov                 byte ptr [esi + 0x38], 0
            //   eb09                 | jmp                 0xb
            //   f6c301               | test                bl, 1
            //   0f84903c0000         | je                  0x3c96
            //   b101                 | mov                 cl, 1

        $sequence_9 = { ff15???????? 688cb50000 ff761c 68???????? 50 680a180000 894614 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   688cb50000           | push                0xb58c
            //   ff761c               | push                dword ptr [esi + 0x1c]
            //   68????????           |                     
            //   50                   | push                eax
            //   680a180000           | push                0x180a
            //   894614               | mov                 dword ptr [esi + 0x14], eax

    // 7 of the 10 fragments must match; the filesize bound (6196224 bytes,
    // roughly 5.9 MiB) keeps the rule from being evaluated against large
    // files. NOTE(review): YARA leaves filesize undefined when scanning a
    // running process, which makes this condition evaluate to false there —
    // a memory scanner wanting these strings needs a variant without the
    // filesize clause; confirm against the YARA version in use.
    condition:
        7 of them and filesize < 6196224
}