There is no description at this point.
rule win_telepowerbot_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.telepowerbot." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.telepowerbot" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c705????????d0924100 c705????????f8954100 c705????????f0944100 e8???????? } // n = 4, score = 200 // c705????????d0924100 | // c705????????f8954100 | // c705????????f0944100 | // e8???????? | $sequence_1 = { 0f8eb1000000 8b45d4 0fb644012e 0fbe8000914100 40 } // n = 5, score = 200 // 0f8eb1000000 | jle 0xb7 // 8b45d4 | mov eax, dword ptr [ebp - 0x2c] // 0fb644012e | movzx eax, byte ptr [ecx + eax + 0x2e] // 0fbe8000914100 | movsx eax, byte ptr [eax + 0x419100] // 40 | inc eax $sequence_2 = { 85c9 0f84b5050000 8b048d5c3d4100 8985a8f8ffff 85c0 } // n = 5, score = 200 // 85c9 | test ecx, ecx // 0f84b5050000 | je 0x5bb // 8b048d5c3d4100 | mov eax, dword ptr [ecx*4 + 0x413d5c] // 8985a8f8ffff | mov dword ptr [ebp - 0x758], eax // 85c0 | test eax, eax $sequence_3 = { 74bc 83f807 77c7 ff24852d374000 8bce e8???????? } // n = 6, score = 200 // 74bc | je 0xffffffbe // 83f807 | cmp eax, 7 // 77c7 | ja 0xffffffc9 // ff24852d374000 | jmp dword ptr [eax*4 + 0x40372d] // 8bce | mov ecx, esi // e8???????? | $sequence_4 = { 0fb63485c73c4100 8bf9 898598f8ffff c1e702 57 } // n = 5, score = 200 // 0fb63485c73c4100 | movzx esi, byte ptr [eax*4 + 0x413cc7] // 8bf9 | mov edi, ecx // 898598f8ffff | mov dword ptr [ebp - 0x768], eax // c1e702 | shl edi, 2 // 57 | push edi $sequence_5 = { 885c012e 8b0495f09d4100 804c012d04 46 } // n = 4, score = 200 // 885c012e | mov byte ptr [ecx + eax + 0x2e], bl // 8b0495f09d4100 | mov eax, dword ptr [edx*4 + 0x419df0] // 804c012d04 | or byte ptr [ecx + eax + 0x2d], 4 // 46 | inc esi $sequence_6 = { ff75f8 ffd6 85c0 7550 ff75fc ffd7 } // n = 6, score = 200 // ff75f8 | push dword ptr [ebp - 8] // ffd6 | call esi // 85c0 | test eax, eax // 7550 | jne 0x52 // ff75fc | push dword ptr [ebp - 4] // ffd7 | call edi $sequence_7 = { 83e03f c1f906 6bc038 03048df09d4100 } // n = 4, score = 200 // 83e03f | and eax, 0x3f // c1f906 | sar ecx, 6 // 6bc038 | imul eax, eax, 0x38 // 03048df09d4100 | add eax, dword ptr [ecx*4 + 0x419df0] $sequence_8 = { eb56 8b0485341b4100 6800080000 6a00 50 8945fc ff15???????? } // n = 7, score = 200 // eb56 | jmp 0x58 // 8b0485341b4100 | mov eax, dword ptr [eax*4 + 0x411b34] // 6800080000 | push 0x800 // 6a00 | push 0 // 50 | push eax // 8945fc | mov dword ptr [ebp - 4], eax // ff15???????? | $sequence_9 = { 897de4 8365fc00 8b049df09d4100 8b4de0 } // n = 4, score = 200 // 897de4 | mov dword ptr [ebp - 0x1c], edi // 8365fc00 | and dword ptr [ebp - 4], 0 // 8b049df09d4100 | mov eax, dword ptr [ebx*4 + 0x419df0] // 8b4de0 | mov ecx, dword ptr [ebp - 0x20] condition: 7 of them and filesize < 237568 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY