According to Cisco Talos, this is a customized shellcode loader that has been observed staging Mimikatz and Cobalt Strike.
/*
 * win_soundbill_auto -- autogenerated YARA-Signator rule for win.soundbill.
 *
 * How to read this rule:
 *   - Every $sequence_N is an opcode byte pattern taken from the disassembly
 *     of memory dumps / unpacked samples (not packed on-disk files), so it is
 *     best applied to unpacked binaries and memory scans.
 *   - "??" bytes mask the relative displacement after e8 (call rel32) and,
 *     presumably, RIP-relative data references, so the pattern survives
 *     relocation and rebuilds of the same code.
 *   - The rule fires when any 7 of the 10 sequences match in a file smaller
 *     than 973824 bytes; the "n" annotation is the instruction count of the
 *     sequence and "score" is the generator's confidence.
 *   - Malpedia often documents a single sample per family, so generalisation
 *     across variants is not guaranteed; assign confidence accordingly.
 *   - NOTE(review): the per-opcode disassembly annotations emitted by the
 *     generator in the source listing did not line up with the hex bytes they
 *     were attached to (e.g. "cmp eax, -1" listed next to 4c8d0dffb30100,
 *     whose encoding is actually 83f8ff in $sequence_2) and are omitted here;
 *     treat each sequence as an opaque byte pattern.
 *   Generator: https://github.com/fxb-cocacoding/yara-signator
 */
rule win_soundbill_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.soundbill."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbill"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // n = 7, score = 100
        $sequence_0 = { 4c8d0dffb30100 b904000000 4c8d05ebb30100 488d15ecb30100 e8???????? 4c8d0df8b30100 b907000000 }

        // n = 6, score = 100
        $sequence_1 = { 4983ff10 490f43c6 3a1438 753a 4885ff 7510 }

        // n = 7, score = 100
        $sequence_2 = { 83f8ff 7453 c6430800 33ff 4c8b742430 85f6 0f85f4000000 }

        // n = 7, score = 100
        $sequence_3 = { 4c8d05c6440400 4c8905???????? 4c8bd1 4d85c9 7413 498b01 48635004 }

        // n = 7, score = 100
        $sequence_4 = { 488d55c0 488d4c2470 e8???????? 90 660f6f05???????? f30f7f442460 c644245000 }

        // n = 6, score = 100
        $sequence_5 = { 8bcf e8???????? 488bd7 4c8d0557a30200 83e23f 488bcf }

        // n = 4, score = 100
        $sequence_6 = { 0f87a3030000 e8???????? 0f10442428 0f11442450 }

        // n = 6, score = 100
        $sequence_7 = { 660f73d908 66480f7ec8 4883f810 480f43ca e8???????? 4885c0 }

        // n = 7, score = 100
        $sequence_8 = { 488d1d64fe0300 488d0575fe0300 480f44d8 ba01000000 488d4c2428 e8???????? 4c8bc0 }

        // n = 7, score = 100
        $sequence_9 = { ba01000000 488d4daf e8???????? 90 33ff 498bd7 488bcb }

    condition:
        // 7 of 10 sequences must be present; the size cap limits scan cost and
        // false positives on large files.
        7 of them and filesize < 973824
}