According to Cisco Talos, this loader is written in Rust and was observed to stage Cobalt Strike Beacons and VShell.
/*
 * Auto-generated yara-signator rule for win.tetra_loader (Malpedia).
 *
 * Logic: fires when at least 7 of the 10 hex sequences below are present
 * and the scanned object is smaller than 847872 bytes. The disclaimer
 * states the sequences were selected from disassembly of memory dumps and
 * unpacked files, so a packed on-disk sample is not expected to match.
 * The `??` bytes sit in the operand position of call/jmp/rip-relative
 * encodings (e8 / e9 / ff15 / c705), masking displacements that are
 * layout-dependent; presumably this is what signator_config
 * "callsandjumps;datarefs" controls.
 *
 * NOTE(review): the per-opcode mnemonic comments under each $sequence are
 * reproduced verbatim from the generator and do NOT decode the hex beside
 * them (e.g. 57 and 53 are push instructions, not "mov eax, edi" /
 * "inc ecx"; 4883ec48 is sub rsp, 0x48, not a ja). Treat them as generator
 * artifacts and re-disassemble the bytes as x86-64 before reasoning about
 * them.
 */
rule win_tetra_loader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.tetra_loader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tetra_loader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 4c89642458 4931cf 4c897c2460 4c31cd 49c1c120 4931e9 488d7c2430 }
            // n = 7, score = 100
            //   4c89642458           | dec    ecx
            //   4931cf               | xor    edx, ebx
            //   4c897c2460           | dec    esp
            //   4c31cd               | mov    dword ptr [esp + 0x48], edx
            //   49c1c120             | dec    esp
            //   4931e9               | xor    edi, ecx
            //   488d7c2430           | dec    ecx

        $sequence_1 = { eb13 4883cd05 eb0d 4983cb06 eb04 4983cb07 4c89dd }
            // n = 7, score = 100
            //   eb13                 | cmp    edx, 3
            //   4883cd05             | dec    ecx
            //   eb0d                 | add    ecx, eax
            //   4983cb06             | dec    ebp
            //   eb04                 | cmp    esp, ecx
            //   4983cb07             | ja     0xa44
            //   4c89dd               | dec    ebp

        // Wildcards mask the rel32 targets of jmp/call and a rip-relative
        // store (c705 ... 02000000 = mov dword ptr [rip+disp32], 2).
        $sequence_2 = { b8ff000000 e9???????? 488d154b370000 488d0d2c370000 e8???????? c705????????02000000 eb08 }
            // n = 7, score = 100
            //   b8ff000000           | jmp    0xed8
            //   e9????????           |
            //   488d154b370000       | xor    edi, edi
            //   488d0d2c370000       | dec    eax
            //   e8????????           |
            //   c705????????02000000 |
            //   eb08                 | add    ebp, 2

        $sequence_3 = { 4883ec48 488daa80000000 660f7f742430 488b9580000000 4885d2 740f 488b4d78 }
            // n = 7, score = 100
            //   4883ec48             | ja     0xfffff69d
            //   488daa80000000       | shl    edx, 4
            //   660f7f742430         | inc    esp
            //   488b9580000000       | or     edx, edx
            //   4885d2               | inc    ebp
            //   740f                 | lea    edx, [ebx - 0x30]
            //   488b4d78             | inc    ecx

        // Shares its prologue (4883ec48 488daa80000000) with $sequence_3; both
        // may match the same function, which the "7 of them" threshold should
        // be weighed against.
        $sequence_4 = { 57 53 4883ec48 488daa80000000 488b4d68 488b4570 4883780800 }
            // n = 7, score = 100
            //   57                   | mov    eax, edi
            //   53                   | inc    ecx
            //   4883ec48             | call   dword ptr [esp + 0x18]
            //   488daa80000000       | dec    esp
            //   488b4d68             | mov    ebp, dword ptr [eax + 0x30]
            //   488b4570             | dec    esp
            //   4883780800           | lea    edi, [edx + edx]

        // 66 0f 38 de / 66 0f 38 df (with REX 44) are the AESDEC / AESDECLAST
        // encodings, followed by movdqu xmm0, [rax] (f30f6f00): an AES-NI
        // decryption round sequence. Presumably payload decryption; confirm
        // against the sample before labelling it.
        $sequence_5 = { 66440f38dedb 66440f38dede 66440f38deda 66440f38ded9 66440f38dfd8 f30f6f00 }
            // n = 6, score = 100
            //   66440f38dedb         | inc    sp
            //   66440f38dede         | inc    sp
            //   66440f38deda         | inc    sp
            //   66440f38ded9         | inc    sp
            //   66440f38dfd8         | inc    sp
            //   f30f6f00             | inc    sp

        $sequence_6 = { 80f9f0 722d 0fb64e03 4883c604 83e007 c1e012 }
            // n = 6, score = 100
            //   80f9f0               | jg     0xb1
            //   722d                 | jne    0x261
            //   0fb64e03             | dec    ecx
            //   4883c604             | add    esp, ebx
            //   83e007               | dec    eax
            //   c1e012               | mov    ecx, edi

        $sequence_7 = { 0f8524010000 4189f0 4d39c4 0f854dffffff ff15???????? 83f87a 0f8533010000 }
            // n = 7, score = 100
            //   0f8524010000         | je     0x125
            //   4189f0               | dec    eax
            //   4d39c4               | mov    edx, dword ptr [ebp + 8]
            //   0f854dffffff         | dec    eax
            //   ff15????????         |
            //   83f87a               | test   edx, edx
            //   0f8533010000         | je     0x13a

        $sequence_8 = { 0f83b0010000 48ffcb 49ffc6 e9???????? 4531c9 4484cd 0f859a030000 }
            // n = 7, score = 100
            //   0f83b0010000         | movaps xmmword ptr [ebp + 0x10], xmm0
            //   48ffcb               | movaps xmmword ptr [ebp - 0x60], xmm0
            //   49ffc6               | movups xmm0, xmmword ptr [ebx + 0x10]
            //   e9????????           |
            //   4531c9               | movaps xmmword ptr [ebp - 0x50], xmm0
            //   4484cd               | dec    eax
            //   0f859a030000         | lea    ecx, [ebp - 0x20]

        // 49b8 imm64 loads the constant 0x0f0f00000f0f0000 into r8; the
        // and/shift/or/xor that follow look like a bit-manipulation step.
        // Its role is not determinable from the rule alone.
        $sequence_9 = { 49b800000f0f00000f0f 4c21c0 4889c1 48c1e104 4809c1 4c31c9 48898c2490020000 }
            // n = 7, score = 100
            //   49b800000f0f00000f0f | dec    eax
            //   4c21c0               | mov    dword ptr [ebp + 0x4b8], eax
            //   4889c1               | dec    eax
            //   48c1e104             | lea    eax, [ebp + 0x558]
            //   4809c1               | dec    eax
            //   4c31c9               | lea    eax, [ebp + 0x5bd]
            //   48898c2490020000     | dec    eax

    condition:
        // 7 of 10 sequences; the size cap bounds scanning cost and excludes
        // large containers, so apply it to unpacked/dumped objects.
        7 of them and filesize < 847872
}