There is no description at this point.
rule win_splitloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.splitloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.splitloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): each $sequence_N is a run of consecutive x86-64 instruction
    // encodings ("n" = instruction count) taken from the disassembly of an
    // unpacked sample (per the disclaimer above, likely a single one). The "??"
    // wildcards below cover the 4-byte RIP-relative displacement of a
    // `mov rax, [rip+disp32]` and two `call [rip+disp32]` encodings, which is
    // what changes between builds when the surrounding code does not.
    // The per-instruction comments decode the hex bytes as 64-bit x86; the
    // annotations emitted by the generator were out of step with the bytes
    // (e.g. 03c6 is "add eax, esi", 90 is "nop"), so they have been replaced.
    // Branch targets are written as signed displacements from the end of the
    // branch instruction, not as absolute addresses.
    strings:
        $sequence_0 = { 418b8424f82a0000 4129b424fc2a0000 297518 01751c 418b8c24fc2a0000 03c6 }
            // n = 6, score = 100
            //   418b8424f82a0000     | mov eax, dword ptr [r12 + 0x2af8]
            //   4129b424fc2a0000     | sub dword ptr [r12 + 0x2afc], esi
            //   297518               | sub dword ptr [rbp + 0x18], esi
            //   01751c               | add dword ptr [rbp + 0x1c], esi
            //   418b8c24fc2a0000     | mov ecx, dword ptr [r12 + 0x2afc]
            //   03c6                 | add eax, esi
        $sequence_1 = { ffc2 4183f802 7514 81fa04010000 730c 4885c9 }
            // n = 6, score = 100
            //   ffc2                 | inc edx
            //   4183f802             | cmp r8d, 2
            //   7514                 | jne +0x14
            //   81fa04010000         | cmp edx, 0x104
            //   730c                 | jae +0x0c
            //   4885c9               | test rcx, rcx
        $sequence_2 = { 4883c108 48ffcb 7409 488b05???????? ebe6 4533c0 488d1593970000 }
            // n = 7, score = 100
            //   4883c108             | add rcx, 8
            //   48ffcb               | dec rbx
            //   7409                 | je +0x09
            //   488b05????????       | mov rax, qword ptr [rip + disp32]   (disp32 wildcarded)
            //   ebe6                 | jmp -0x1a
            //   4533c0               | xor r8d, r8d
            //   488d1593970000       | lea rdx, [rip + 0x9793]
        $sequence_3 = { ff15???????? 85c0 7445 4863ef 488d0dfcb20000 }
            // n = 5, score = 100
            //   ff15????????         | call qword ptr [rip + disp32]       (disp32 wildcarded)
            //   85c0                 | test eax, eax
            //   7445                 | je +0x45
            //   4863ef               | movsxd rbp, edi
            //   488d0dfcb20000       | lea rcx, [rip + 0xb2fc]
        $sequence_4 = { 4883c002 66443918 74f6 0fb708 85c9 7467 }
            // n = 6, score = 100
            //   4883c002             | add rax, 2
            //   66443918             | cmp word ptr [rax], r11w
            //   74f6                 | je -0x0a
            //   0fb708               | movzx ecx, word ptr [rax]
            //   85c9                 | test ecx, ecx
            //   7467                 | je +0x67
        $sequence_5 = { 7436 90 66413bc1 742f }
            // n = 4, score = 100
            //   7436                 | je +0x36
            //   90                   | nop
            //   66413bc1             | cmp ax, r9w
            //   742f                 | je +0x2f
        $sequence_6 = { 488b442470 4c2bdb 4c8918 41f6c209 0f8432010000 4585e4 0f8829010000 }
            // n = 7, score = 100
            //   488b442470           | mov rax, qword ptr [rsp + 0x70]
            //   4c2bdb               | sub r11, rbx
            //   4c8918               | mov qword ptr [rax], r11
            //   41f6c209             | test r10b, 9
            //   0f8432010000         | je +0x132
            //   4585e4               | test r12d, r12d
            //   0f8829010000         | js +0x129
        $sequence_7 = { ff15???????? 448b5c2440 41bc08000000 8bd6 458bd4 448bce }
            // n = 6, score = 100
            //   ff15????????         | call qword ptr [rip + disp32]       (disp32 wildcarded)
            //   448b5c2440           | mov r11d, dword ptr [rsp + 0x40]
            //   41bc08000000         | mov r12d, 8
            //   8bd6                 | mov edx, esi
            //   458bd4               | mov r10d, r12d
            //   448bce               | mov r9d, esi
        $sequence_8 = { eb0a 4883c002 41ba22000000 0fb708 6683f922 7438 90 }
            // n = 7, score = 100
            //   eb0a                 | jmp +0x0a
            //   4883c002             | add rax, 2
            //   41ba22000000         | mov r10d, 0x22
            //   0fb708               | movzx ecx, word ptr [rax]
            //   6683f922             | cmp cx, 0x22
            //   7438                 | je +0x38
            //   90                   | nop
        $sequence_9 = { 6644391f 750e 0f1f4000 4883c702 }
            // n = 4, score = 100
            //   6644391f             | cmp word ptr [rdi], r11w
            //   750e                 | jne +0x0e
            //   0f1f4000             | nop dword ptr [rax]
            //   4883c702             | add rdi, 2

    condition:
        // Any 7 of the 10 sequences must be present. The file-size cap
        // (174080 bytes = 170 KiB) is presumably sized from the reference
        // sample(s) -- confirm before relying on it: a rebuilt, repacked or
        // appended-to binary that grows past it will not match, and the rule
        // will not fire on a loaded process image where `filesize` is
        // not meaningful in the same way.
        7 of them and filesize < 174080
}