Actor(s): APT32
There is no description at this point.
rule win_strikesuit_gift_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.strikesuit_gift." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strikesuit_gift" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 06 2000100000 1f40 2801000006 } // n = 4, score = 100 // 06 | add byte ptr [eax], al // 2000100000 | // 1f40 | push es // 2801000006 | and byte ptr [eax], al $sequence_1 = { 7245000070 7e1b00000a 6f2500000a 1305 1105 7249000070 } // n = 6, score = 100 // 7245000070 | das // 7e1b00000a | outsd dx, dword ptr [esi] // 6f2500000a | xor dword ptr [eax], eax // 1305 | add byte ptr [edx], cl // 1105 | outsd dx, dword ptr [esi] // 7249000070 | xor dword ptr [eax], eax $sequence_2 = { 2d3f 08 8e 69 05 59 } // n = 6, score = 100 // 2d3f | or byte ptr [ebx], al // 08 | or byte ptr [ecx + 0x1709112b], dl // 8e | pop eax // 69 | or eax, 0x2192b09 // 05 | pop es // 59 | xchg eax, ecx $sequence_3 = { 2801000006 0b 16 0c 2b0e 07 08 } // n = 7, score = 100 // 2801000006 | pop eax // 0b | fiadd word ptr es:[eax] // 16 | push es // 0c | sub al, 7 // 2b0e | add al, byte ptr [esi] // 07 | sub byte ptr [edi], al // 08 | add byte ptr [eax], al $sequence_4 = { 7503000002 0d 09 7e1e00000a 6f0c000006 } // n = 5, score = 100 // 7503000002 | add byte ptr [edx], cl // 0d | adc dword ptr [edi + ebp*2], eax // 09 | sub dword ptr [eax], eax // 7e1e00000a | add byte ptr [edx], cl // 6f0c000006 | adc dword ptr [eax + ebp], eax $sequence_5 = { a2 1105 17 58 1305 1105 08 } // n = 7, score = 100 // a2 | sub byte ptr [eax], bh // 1105 | add byte ptr [eax], al // 17 | or dl, byte ptr [ebx] // 58 | pop es // 1305 | mov gs, word ptr [ecx + 0x32] // 1105 | mov al, 0x7e // 08 | add dword ptr [eax], eax $sequence_6 = { 07 d003000002 282000000a 282100000a } // n = 4, score = 100 // 07 | jle 5 // d003000002 | add byte ptr [eax], al // 282000000a | add al, 0x8e // 282100000a | imul eax, dword ptr [edi], 0x7070691 $sequence_7 = { 1107 7e01000004 1b 6f1800000a } // n = 4, score = 100 // 1107 | mov gs, word ptr [ecx + 0x28] // 7e01000004 | xor al, 0 // 1b | add byte ptr [edx], cl // 6f1800000a | adc dword ptr [edi], eax $sequence_8 = { 731500000a 0b 16 0c } // n = 4, score = 100 // 731500000a | add byte ptr [edx], cl // 0b | outsd dx, dword ptr [esi] // 16 | sub dword ptr [eax], eax // 0c | add byte ptr [edx], cl $sequence_9 = { 03 282c00000a 0a 16 0b 2b19 02 } // n = 7, score = 100 // 03 | pop es // 282c00000a | pop ss // 0a | pop eax // 16 | or ebx, ebp // 0b | push ecx // 2b19 | add dword ptr [eax], eax // 02 | add byte ptr [esp + ecx], dl condition: 7 of them and filesize < 50176 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY