win.synccrypt

SyncCrypt


There is no description at this point.

References
2017-08-16 — Bleeping Computer — Lawrence Abrams
SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension
SyncCrypt
Yara Rules
[TLP:WHITE] win_synccrypt_auto (20260504 | Detects win.synccrypt.)
rule win_synccrypt_auto {
    // Purpose: detect the win.synccrypt family by matching short x86 code
    // sequences (32-bit register names appear in the listings below) that
    // were auto-selected from the disassembly of unpacked / in-memory samples.
    // Because the byte patterns come from unpacked code, the rule is meant
    // for memory dumps and unpacked files; packed on-disk samples may not hit
    // (see the DISCLAIMER below).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.synccrypt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of 7 instructions (n = 7) taken verbatim
        // from one sample. Bytes written as ?? are wildcards: the listings
        // below show them on e8 (call) and b8 (mov eax, imm32) instructions,
        // so presumably the address/immediate operand is masked to keep the
        // pattern stable across builds — confirm against yara-signator docs.
        $sequence_0 = { f644241840 0f857b010000 89da b830000000 e8???????? 8b4304 89da }
            // n = 7, score = 100
            //   f644241840           | test                byte ptr [esp + 0x18], 0x40
            //   0f857b010000         | jne                 0x181
            //   89da                 | mov                 edx, ebx
            //   b830000000           | mov                 eax, 0x30
            //   e8????????           |                     
            //   8b4304               | mov                 eax, dword ptr [ebx + 4]
            //   89da                 | mov                 edx, ebx

        $sequence_1 = { c744240808000000 893424 85c0 b8???????? 0f45442464 89442404 89442464 }
            // n = 7, score = 100
            //   c744240808000000     | mov                 dword ptr [esp + 8], 8
            //   893424               | mov                 dword ptr [esp], esi
            //   85c0                 | test                eax, eax
            //   b8????????           |                     
            //   0f45442464           | cmovne              eax, dword ptr [esp + 0x64]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   89442464             | mov                 dword ptr [esp + 0x64], eax

        $sequence_2 = { c7450000000000 85db 7406 c70300000000 8b2f 85ed 7523 }
            // n = 7, score = 100
            //   c7450000000000       | mov                 dword ptr [ebp], 0
            //   85db                 | test                ebx, ebx
            //   7406                 | je                  8
            //   c70300000000         | mov                 dword ptr [ebx], 0
            //   8b2f                 | mov                 ebp, dword ptr [edi]
            //   85ed                 | test                ebp, ebp
            //   7523                 | jne                 0x25

        $sequence_3 = { c785a02bfcff00000000 89856c2bfcff 8d858c2bfcff c685a42bfcff00 89b5d42afcff 8985842bfcff 8d85a42bfcff }
            // n = 7, score = 100
            //   c785a02bfcff00000000 | mov                 dword ptr [ebp - 0x3d460], 0
            //   89856c2bfcff         | mov                 dword ptr [ebp - 0x3d494], eax
            //   8d858c2bfcff         | lea                 eax, [ebp - 0x3d474]
            //   c685a42bfcff00       | mov                 byte ptr [ebp - 0x3d45c], 0
            //   89b5d42afcff         | mov                 dword ptr [ebp - 0x3d52c], esi
            //   8985842bfcff         | mov                 dword ptr [ebp - 0x3d47c], eax
            //   8d85a42bfcff         | lea                 eax, [ebp - 0x3d45c]

        $sequence_4 = { c744240c07100000 c744240800040000 c744240498030000 891c24 e8???????? 85c0 0f8e74fdffff }
            // n = 7, score = 100
            //   c744240c07100000     | mov                 dword ptr [esp + 0xc], 0x1007
            //   c744240800040000     | mov                 dword ptr [esp + 8], 0x400
            //   c744240498030000     | mov                 dword ptr [esp + 4], 0x398
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f8e74fdffff         | jle                 0xfffffd7a

        $sequence_5 = { 8d7473d0 89742434 0f8ed1000000 0fb6580c 8d73d0 885c2438 89f3 }
            // n = 7, score = 100
            //   8d7473d0             | lea                 esi, [ebx + esi*2 - 0x30]
            //   89742434             | mov                 dword ptr [esp + 0x34], esi
            //   0f8ed1000000         | jle                 0xd7
            //   0fb6580c             | movzx               ebx, byte ptr [eax + 0xc]
            //   8d73d0               | lea                 esi, [ebx - 0x30]
            //   885c2438             | mov                 byte ptr [esp + 0x38], bl
            //   89f3                 | mov                 ebx, esi

        $sequence_6 = { f7ea 89d8 c1fa05 29ca 01d5 bac5b3a291 f7ea }
            // n = 7, score = 100
            //   f7ea                 | imul                edx
            //   89d8                 | mov                 eax, ebx
            //   c1fa05               | sar                 edx, 5
            //   29ca                 | sub                 edx, ecx
            //   01d5                 | add                 ebp, edx
            //   bac5b3a291           | mov                 edx, 0x91a2b3c5
            //   f7ea                 | imul                edx

        $sequence_7 = { c744241057000000 c744240c20195900 c744240841000000 c744240470000000 c7042422000000 e8???????? ebc9 }
            // n = 7, score = 100
            //   c744241057000000     | mov                 dword ptr [esp + 0x10], 0x57
            //   c744240c20195900     | mov                 dword ptr [esp + 0xc], 0x591920
            //   c744240841000000     | mov                 dword ptr [esp + 8], 0x41
            //   c744240470000000     | mov                 dword ptr [esp + 4], 0x70
            //   c7042422000000       | mov                 dword ptr [esp], 0x22
            //   e8????????           |                     
            //   ebc9                 | jmp                 0xffffffcb

        $sequence_8 = { c74424100f020000 c744240c20e95800 c744240864000000 c744240464000000 c7042424000000 89442420 e8???????? }
            // n = 7, score = 100
            //   c74424100f020000     | mov                 dword ptr [esp + 0x10], 0x20f
            //   c744240c20e95800     | mov                 dword ptr [esp + 0xc], 0x58e920
            //   c744240864000000     | mov                 dword ptr [esp + 8], 0x64
            //   c744240464000000     | mov                 dword ptr [esp + 4], 0x64
            //   c7042424000000       | mov                 dword ptr [esp], 0x24
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   e8????????           |                     

        $sequence_9 = { c744240ca0505900 c744240865000000 c74424046a000000 c7042410000000 e8???????? 31c0 83c42c }
            // n = 7, score = 100
            //   c744240ca0505900     | mov                 dword ptr [esp + 0xc], 0x5950a0
            //   c744240865000000     | mov                 dword ptr [esp + 8], 0x65
            //   c74424046a000000     | mov                 dword ptr [esp + 4], 0x6a
            //   c7042410000000       | mov                 dword ptr [esp], 0x10
            //   e8????????           |                     
            //   31c0                 | xor                 eax, eax
            //   83c42c               | add                 esp, 0x2c

    condition:
        // Fires when at least 7 of the 10 sequences above are present, i.e.
        // up to 3 may be missing, which tolerates some build variation but
        // also means a hit is not an exact match against a known sample.
        // The filesize bound (4489216 bytes) is a generator-chosen upper
        // limit: larger inputs are skipped regardless of string matches, so
        // scanning whole memory regions or containers may need it relaxed.
        7 of them and filesize < 4489216
}