Actor(s): Kimsuky
There is no description at this point.
// Autogenerated YARA rule for the win.troll_stealer family; provenance and
// licensing are in the `meta` section below. The ten $sequence_* strings are
// raw opcode byte runs that YARA-Signator selected from the disassembly of
// memory dumps and unpacked files (see the DISCLAIMER), so the rule is best
// applied to unpacked samples or process memory; packed on-disk samples are
// likely to be missed.
// NOTE(review): the trailing "// bytes | mnemonic" comments do not appear to
// correspond to the listed opcodes (e.g. 99 is cdq, 53/5b are push/pop ebx,
// f8/f9 are clc/stc); treat the hex bytes as authoritative when triaging hits.
rule win_troll_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.troll_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troll_stealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Each sequence is a contiguous run of n instruction encodings; the
        // generator's per-sequence "score" is carried over unchanged.
        $sequence_0 = { 0fca 4084d7 453ad6 81f22940ac2d f7d2 f8 41f6c0a2 }
            // n = 7, score = 100
            //   0fca                 | mov dword ptr [eax + 8], ebx
            //   4084d7               | pushfd
            //   453ad6               | inc ecx
            //   81f22940ac2d         | pop dword ptr [eax]
            //   f7d2                 | cdq
            //   f8                   | bts dx, si
            //   41f6c0a2             | movsx ebx, cx

        $sequence_1 = { 410fcb 99 410f90c0 48c1c992 41c1c303 66440f4ecc f6d0 }
            // n = 7, score = 100
            //   410fcb               | test dl, bh
            //   99                   | inc ecx
            //   410f90c0             | push eax
            //   48c1c992             | dec esp
            //   41c1c303             | arpl dx, ax
            //   66440f4ecc           | xor dword ptr [esp], esi
            //   f6d0                 | inc eax

        $sequence_2 = { 53 f9 d3c3 d2cf 310c24 66d3c3 5b }
            // n = 7, score = 100
            //   53                   | sub ebp, 4
            //   f9                   | dec ecx
            //   d3c3                 | mov edi, dword ptr [ebx + 8]
            //   d2cf                 | add cl, 0x11
            //   310c24               | inc cl
            //   66d3c3               | inc ecx
            //   5b                   | mov cl, byte ptr [ebx + 0x10]

        $sequence_3 = { fecb 6681ebec79 310c24 66440fbbc3 0fbfdd 5b 4863c9 }
            // n = 7, score = 100
            //   fecb                 | xor edx, ebx
            //   6681ebec79           | cmc
            //   310c24               | inc ecx
            //   66440fbbc3           | add edx, 0x74a66a1c
            //   0fbfdd               | clc
            //   5b                   | inc ecx
            //   4863c9               | not edx

        $sequence_4 = { f8 f5 d1cd 6641f7c77652 664181fef414 f8 4150 }
            // n = 7, score = 100
            //   f8                   | inc ecx
            //   f5                   | push edx
            //   d1cd                 | inc ecx
            //   6641f7c77652         | shl dl, 0x84
            //   664181fef414         | xor dword ptr [esp], esi
            //   f8                   | neg esi
            //   4150                 | add esi, 0x4d71e4c

        $sequence_5 = { 3adf 4184c1 f9 4153 490fbae3a3 4d0f4fdd 310c24 }
            // n = 7, score = 100
            //   3adf                 | stc
            //   4184c1               | neg eax
            //   f9                   | clc
            //   4153                 | stc
            //   490fbae3a3           | ror eax, 1
            //   4d0f4fdd             | xor eax, 0x415330e8
            //   310c24               | not eax

        $sequence_6 = { c0f328 0adc 410fbfdd 80f18c 80e954 48c1dba3 f6d9 }
            // n = 7, score = 100
            //   c0f328               | arpl cx, di
            //   0adc                 | inc esp
            //   410fbfdd             | movsx edi, bx
            //   80f18c               | popfd
            //   80e954               | shl ax, 0x95
            //   48c1dba3             | dec eax
            //   f6d9                 | sal eax, cl

        $sequence_7 = { d1c8 f9 4084e0 4151 490fbaf94d 310424 }
            // n = 6, score = 100
            //   d1c8                 | dec ebp
            //   f9                   | arpl dx, dx
            //   4084e0               | clc
            //   4151                 | rcr cl, 0x1f
            //   490fbaf94d           | inc ecx
            //   310424               | pop ecx

        $sequence_8 = { 40f6c49f 81c11f68a01e f8 f7d1 f8 0fc9 }
            // n = 6, score = 100
            //   40f6c49f             | inc eax
            //   81c11f68a01e         | and dl, bh
            //   f8                   | pop ebx
            //   f7d1                 | inc esp
            //   f8                   | and al, bl
            //   0fc9                 | inc ecx

        $sequence_9 = { 4963fe 311c24 40c0e73d 40d2ef 5f f8 }
            // n = 6, score = 100
            //   4963fe               | sbb ecx, 0x8b481a28
            //   311c24               | insb byte ptr es:[edi], dx
            //   40c0e73d             | and eax, 0x448948f8
            //   40d2ef               | and eax, 0x9db14100
            //   5f                   | dec eax
            //   f8                   | mov esp, dword ptr [ebp - 0x10]

    condition:
        // Fire only when at least 7 of the 10 byte sequences are present; the
        // size cap (45868032 bytes, ~43.7 MiB) presumably bounds scan cost and
        // excludes oversized files from matching.
        7 of them and filesize < 45868032
}