SquidLoader (Malware Family)

SquidLoader

VTCollection
There is no description at this point.
References

2025-07-15 ⋅ Trellix ⋅ Charles Crofford
Threat Analysis: SquidLoader - Still Swimming Under the Radar
SquidLoader
2024-06-19 ⋅ AT&T ⋅ Fernando Dominguez
LevelBlue Labs Discovers Highly Evasive, New Loader Targeting Chinese Organizations
SquidLoader
2024-04-12 ⋅ Github (kevoreilly) ⋅ Kevin O’Reilly
DoomedLoader YARA rule
SquidLoader
Yara Rules

[TLP:WHITE] win_squidloader_auto (20260504 | Detects win.squidloader.)
rule win_squidloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.squidloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.squidloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f114c2440 0f114c2450 0f114c2460 0f114c2470 }
            // n = 4, score = 200
            //   0f114c2440           | movups              xmmword ptr [esp + 0x40], xmm1
            //   0f114c2450           | movups              xmmword ptr [esp + 0x50], xmm1
            //   0f114c2460           | movups              xmmword ptr [esp + 0x60], xmm1
            //   0f114c2470           | movups              xmmword ptr [esp + 0x70], xmm1

        $sequence_1 = { 498bd7 488d4d9f e8???????? 90 }
            // n = 4, score = 100
            //   498bd7               | mov                 dword ptr [esp + 0x78], edi
            //   488d4d9f             | dec                 esp
            //   e8????????           |                     
            //   90                   | cmovae              eax, dword ptr [ebp - 0x78]

        $sequence_2 = { 0f104f10 0f114a10 0f1102 488b4718 48894228 48894220 }
            // n = 6, score = 100
            //   0f104f10             | inc                 ebp
            //   0f114a10             | xor                 ebx, ebx
            //   0f1102               | mov                 eax, dword ptr [edx + ecx]
            //   488b4718             | jle                 0x3d
            //   48894228             | dec                 eax
            //   48894220             | lea                 ecx, [0x31422]

        $sequence_3 = { 0fb60a 83e10f 4a0fbe8431c0690200 428a8c31d0690200 }
            // n = 4, score = 100
            //   0fb60a               | lea                 ecx, [0x2939a]
            //   83e10f               | call                eax
            //   4a0fbe8431c0690200     | inc    eax
            //   428a8c31d0690200     | mov                 dh, 1

        $sequence_4 = { 0f104f10 0f114e34 0f114624 488b4c2468 }
            // n = 4, score = 100
            //   0f104f10             | movss               xmm2, dword ptr [ebx + 0x14]
            //   0f114e34             | movups              xmm1, xmmword ptr [edi + 0x10]
            //   0f114624             | movups              xmmword ptr [esi + 0x10], xmm1
            //   488b4c2468           | movups              xmmword ptr [esi], xmm0

        $sequence_5 = { 0f104f10 0f114e50 0f114640 896e68 }
            // n = 4, score = 100
            //   0f104f10             | movups              xmmword ptr [esi + 0x10], xmm1
            //   0f114e50             | movups              xmmword ptr [esi], xmm0
            //   0f114640             | inc                 ebx
            //   896e68               | dec                 eax

        $sequence_6 = { 8b040a 3905???????? 7e38 488d0d22140300 }
            // n = 4, score = 100
            //   8b040a               | dec                 eax
            //   3905????????         |                     
            //   7e38                 | lea                 edx, [0x27611]
            //   488d0d22140300       | dec                 eax

        $sequence_7 = { 0f104f10 0f114e10 0f1106 0f104728 }
            // n = 4, score = 100
            //   0f104f10             | cmp                 byte ptr [esi + 0x18], 0
            //   0f114e10             | je                  0x70
            //   0f1106               | dec                 eax
            //   0f104728             | mov                 eax, dword ptr [esi]

        $sequence_8 = { 488bcf 41b80a000000 e8???????? 8bc3 }
            // n = 4, score = 100
            //   488bcf               | dec                 eax
            //   41b80a000000         | mov                 ecx, edi
            //   e8????????           |                     
            //   8bc3                 | inc                 ecx

        $sequence_9 = { 4889442430 488bb424a0000000 4c8d15d35e0100 4533db }
            // n = 4, score = 100
            //   4889442430           | inc                 edx
            //   488bb424a0000000     | mov                 cl, byte ptr [ecx + esi + 0x269d0]
            //   4c8d15d35e0100       | dec                 eax
            //   4533db               | cmp                 dword ptr [ebp - 0x60], 8

        $sequence_10 = { 0f104f10 0f114e28 0f114618 488b0b }
            // n = 4, score = 100
            //   0f104f10             | movups              xmm1, xmmword ptr [edi + 0x10]
            //   0f114e28             | movups              xmmword ptr [esi + 0x10], xmm1
            //   0f114618             | movups              xmmword ptr [esi], xmm0
            //   488b0b               | dec                 eax

        $sequence_11 = { 48837da008 488d1511760200 48897c2478 4c0f434588 }
            // n = 4, score = 100
            //   48837da008           | movzx               ecx, byte ptr [edx]
            //   488d1511760200       | and                 ecx, 0xf
            //   48897c2478           | dec                 edx
            //   4c0f434588           | movsx               eax, byte ptr [ecx + esi + 0x269c0]

        $sequence_12 = { 488d0d9a930200 ffd0 40b601 e8???????? }
            // n = 4, score = 100
            //   488d0d9a930200       | mov                 eax, 0xa
            //   ffd0                 | mov                 eax, ebx
            //   40b601               | dec                 eax
            //   e8????????           |                     

        $sequence_13 = { 0f104f10 0f114e14 0f114604 0f10442428 }
            // n = 4, score = 100
            //   0f104f10             | mov                 byte ptr [edi], 0
            //   0f114e14             | dec                 eax
            //   0f114604             | mov                 eax, dword ptr [esp + 0xe8]
            //   0f10442428           | movups              xmm1, xmmword ptr [edi + 0x10]

        $sequence_14 = { 0f104f10 0f114c0810 0f110408 807e1800 }
            // n = 4, score = 100
            //   0f104f10             | dec                 eax
            //   0f114c0810           | mov                 dword ptr [esp + 0x20], edi
            //   0f110408             | movups              xmmword ptr [esp + 0x40], xmm1
            //   807e1800             | movups              xmmword ptr [esp + 0x50], xmm1

    condition:
        7 of them and filesize < 18701312
}
Download all Yara Rules
SquidLoader Propose Change

References

Yara Rules

SquidLoader
