Actor(s): Thrip
There is no description at this point.
rule win_spedear_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.spedear." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 99 83e207 03c2 c1f803 83c40c } // n = 5, score = 600 // 99 | cdq // 83e207 | and edx, 7 // 03c2 | add eax, edx // c1f803 | sar eax, 3 // 83c40c | add esp, 0xc $sequence_1 = { 8b4718 8a5f06 50 894608 } // n = 4, score = 500 // 8b4718 | mov eax, dword ptr [edi + 0x18] // 8a5f06 | mov bl, byte ptr [edi + 6] // 50 | push eax // 894608 | mov dword ptr [esi + 8], eax $sequence_2 = { 53 50 e8???????? 8b7e0c 895e10 } // n = 5, score = 500 // 53 | push ebx // 50 | push eax // e8???????? | // 8b7e0c | mov edi, dword ptr [esi + 0xc] // 895e10 | mov dword ptr [esi + 0x10], ebx $sequence_3 = { 83c408 c20800 51 53 } // n = 4, score = 400 // 83c408 | add esp, 8 // c20800 | ret 8 // 51 | push ecx // 53 | push ebx $sequence_4 = { 83fe12 7cd7 8d754c bb04000000 bf80000000 } // n = 5, score = 400 // 83fe12 | and edx, 7 // 7cd7 | add eax, edx // 8d754c | sar eax, 3 // bb04000000 | add esp, 0xc // bf80000000 | cdq $sequence_5 = { 5f 8b4c2428 33cc e8???????? 83c42c c20800 56 } // n = 7, score = 400 // 5f | pop edi // 8b4c2428 | mov ecx, dword ptr [esp + 0x28] // 33cc | xor ecx, esp // e8???????? | // 83c42c | add esp, 0x2c // c20800 | ret 8 // 56 | push esi $sequence_6 = { 6a00 68???????? e8???????? 83c40c 68d0070000 } // n = 5, score = 400 // 6a00 | push 0 // 68???????? | // e8???????? | // 83c40c | add esp, 0xc // 68d0070000 | push 0x7d0 $sequence_7 = { 0fb6d9 894c2414 0fb6e8 c1e808 8bc8 } // n = 5, score = 400 // 0fb6d9 | and edx, 7 // 894c2414 | add eax, edx // 0fb6e8 | sar eax, 3 // c1e808 | add esp, 0xc // 8bc8 | add eax, edx $sequence_8 = { 894618 ffd7 89461c 5f } // n = 4, score = 400 // 894618 | mov dword ptr [esi + 0x18], eax // ffd7 | call edi // 89461c | mov dword ptr [esi + 0x1c], eax // 5f | pop edi $sequence_9 = { 8b4718 894608 8b4f1c 51 e8???????? 894604 } // n = 6, score = 400 // 8b4718 | mov eax, dword ptr [edi + 0x18] // 894608 | mov dword ptr [esi + 8], eax // 8b4f1c | mov ecx, dword ptr [edi + 0x1c] // 51 | push ecx // e8???????? | // 894604 | mov dword ptr [esi + 4], eax $sequence_10 = { ff7608 ff5604 6800800000 6a00 } // n = 4, score = 300 // ff7608 | push dword ptr [esi + 8] // ff5604 | call dword ptr [esi + 4] // 6800800000 | push 0x8000 // 6a00 | push 0 $sequence_11 = { 8bc7 5e 5f 5b 5d c3 6a08 } // n = 7, score = 300 // 8bc7 | mov eax, edi // 5e | pop esi // 5f | pop edi // 5b | pop ebx // 5d | pop ebp // c3 | ret // 6a08 | push 8 $sequence_12 = { 833e00 741a 6a00 6a00 ff7608 } // n = 5, score = 300 // 833e00 | cmp dword ptr [esi], 0 // 741a | je 0x1c // 6a00 | push 0 // 6a00 | push 0 // ff7608 | push dword ptr [esi + 8] $sequence_13 = { 394878 7456 39487c 7451 } // n = 4, score = 300 // 394878 | cmp dword ptr [eax + 0x78], ecx // 7456 | je 0x58 // 39487c | cmp dword ptr [eax + 0x7c], ecx // 7451 | je 0x53 $sequence_14 = { 53 50 89b5d8fbffff e8???????? 8b3d???????? } // n = 5, score = 200 // 53 | push ebx // 50 | push eax // 89b5d8fbffff | mov dword ptr [ebp - 0x428], esi // e8???????? | // 8b3d???????? | $sequence_15 = { 6a00 50 8906 e8???????? 83c410 c3 } // n = 6, score = 100 // 6a00 | call dword ptr [esi + 4] // 50 | push 0x8000 // 8906 | push 0 // e8???????? | // 83c410 | push 0 // c3 | push dword ptr [esi + 8] $sequence_16 = { 83c8ff e9???????? 4c8bfb 4c8bf3 488d0540d30000 } // n = 5, score = 100 // 83c8ff | sar esp, 5 // e9???????? | // 4c8bfb | dec esp // 4c8bf3 | lea ebp, [0xab56] // 488d0540d30000 | and ebx, 0x1f $sequence_17 = { 4863d9 4c8be3 49c1fc05 4c8d2d56ab0000 83e31f } // n = 5, score = 100 // 4863d9 | dec eax // 4c8be3 | arpl cx, bx // 49c1fc05 | dec esp // 4c8d2d56ab0000 | mov esp, ebx // 83e31f | dec ecx $sequence_18 = { 7cc1 034004 8b4804 8b10 03d1 } // n = 5, score = 100 // 7cc1 | push 0 // 034004 | push dword ptr [esi + 8] // 8b4804 | call dword ptr [esi + 4] // 8b10 | push 0x8000 // 03d1 | push dword ptr [esi + 8] $sequence_19 = { 4889842480040000 488bd9 33ff 488d8c2471030000 } // n = 4, score = 100 // 4889842480040000 | inc edx // 488bd9 | movsx ecx, byte ptr [eax + ecx + 0xb370] // 33ff | and ecx, 0xf // 488d8c2471030000 | jmp 0x11 $sequence_20 = { 4c8d4c2440 488d542448 41b820000000 488bcf 48c744242000000000 ff15???????? } // n = 6, score = 100 // 4c8d4c2440 | mov esi, ebx // 488d542448 | dec eax // 41b820000000 | lea eax, [0xd340] // 488bcf | dec eax // 48c744242000000000 | movsx eax, ch // ff15???????? | $sequence_21 = { 448ba088000000 488b4110 4c896c2410 4c89742408 468b74201c 468b6c2024 428b6c2020 } // n = 7, score = 100 // 448ba088000000 | mov ecx, edi // 488b4110 | dec eax // 4c896c2410 | mov dword ptr [esp + 0x20], 0 // 4c89742408 | dec eax // 468b74201c | mov dword ptr [esp + 0x480], eax // 468b6c2024 | dec eax // 428b6c2020 | mov ebx, ecx $sequence_22 = { 8b4d08 8945f0 8b450c 8945f4 8b4514 40 c745ec2dba2300 } // n = 7, score = 100 // 8b4d08 | call dword ptr [esi + 4] // 8945f0 | push 0x8000 // 8b450c | push 0 // 8945f4 | push dword ptr [esi + 8] // 8b4514 | push 0 // 40 | push 0 // c745ec2dba2300 | push dword ptr [esi + 8] $sequence_23 = { 89430c 8d4310 8d89bc182400 5a 668b31 668930 83c102 } // n = 7, score = 100 // 89430c | call dword ptr [esi + 4] // 8d4310 | je 0x1c // 8d89bc182400 | push 0 // 5a | push 0 // 668b31 | push dword ptr [esi + 8] // 668930 | call dword ptr [esi + 4] // 83c102 | push 0x8000 $sequence_24 = { 0fb7444b10 6641898448b81c0100 ffc2 89542420 ebe2 8bd7 89542420 } // n = 7, score = 100 // 0fb7444b10 | dec esp // 6641898448b81c0100 | lea ecx, [esp + 0x40] // ffc2 | dec eax // 89542420 | lea edx, [esp + 0x48] // ebe2 | inc ecx // 8bd7 | mov eax, 0x20 // 89542420 | dec eax $sequence_25 = { 480fbec5 420fbe8c0870b30000 83e10f eb03 } // n = 4, score = 100 // 480fbec5 | or eax, 0xffffffff // 420fbe8c0870b30000 | dec esp // 83e10f | mov edi, ebx // eb03 | dec esp $sequence_26 = { b964000000 ff15???????? 48ffc3 4883ef01 75db } // n = 5, score = 100 // b964000000 | xor edi, edi // ff15???????? | // 48ffc3 | dec eax // 4883ef01 | lea ecx, [esp + 0x371] // 75db | movzx eax, word ptr [ebx + ecx*2 + 0x10] condition: 7 of them and filesize < 188416 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY