There is no description at this point.
rule win_t34loader_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.t34loader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.t34loader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each $sequence_N is a run of raw opcode bytes taken from the sample's
        // code. "n" is the number of instructions in the run and "score" the
        // generator's ranking of it. The "??" wildcards mask the 4-byte operands
        // that follow the e8 / ff15 call opcodes, so the patterns stay stable
        // across different call targets and load addresses.
        // NOTE(review): the per-opcode mnemonic annotations carried by the
        // generated rule (e.g. `4883eb01` labelled `je 0x788`) do not appear to
        // correspond to the hex they sit next to, so they are intentionally not
        // reproduced here; re-disassemble the bytes before relying on any mnemonic.
        $sequence_0 = { 4c8bc2 4c3bd2 4d0f46c2 498bcb e8???????? 488b5508 488d145502000000 }             // n = 7, score = 100
        $sequence_1 = { 4c8bc1 488bca e8???????? 498bc8 488bd8 e8???????? 488bc8 }                      // n = 7, score = 100
        $sequence_2 = { 41898a3cf6ffff 4883eb01 75c4 4d8d91500d0000 bb8c010000 458b1a 418bc3 }          // n = 7, score = 100
        $sequence_3 = { 488d05bf280300 488bd9 488901 f6c201 740a ba18000000 e8???????? }                // n = 7, score = 100
        $sequence_4 = { 4889442420 4c8b4d00 e8???????? 488d052faf0100 483be8 0f8c7bffffff 85ff }        // n = 7, score = 100
        $sequence_5 = { 741c 420fb71c36 498bcd ff15???????? 488bc8 8bd3 ff15???????? }                  // n = 7, score = 100
        $sequence_6 = { 4889442420 e8???????? 84c0 0f84ee000000 488d4c2440 e8???????? 4885c0 }          // n = 7, score = 100
        $sequence_7 = { 488d4530 48837d4808 480f434530 663908 7508 8ada eb04 }                          // n = 7, score = 100
        $sequence_8 = { c744242822000000 c744242004000000 f20f11742450 488d0d0e4f0100 4c8b442450 }      // n = 5, score = 100
        $sequence_9 = { 488b4df0 ff15???????? b001 eb02 32c0 488b5c2460 488b742470 }                    // n = 7, score = 100

    condition:
        // The cheap size bound is written first so it is evaluated before the
        // string count; the match threshold (any 7 of the 10 sequences) and the
        // size limit are the ones the generator emitted and are unchanged.
        filesize < 1212416 and 7 of ($sequence_*)
}