Actor(s): Tonto Team
There is no description at this point.
rule win_typehash_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.typehash."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.typehash"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reading this rule:
    //   - Each $sequence_N is a hex string of consecutive x86 instruction
    //     bytes; "??" is the YARA single-byte wildcard. The generator uses it
    //     for call/jump targets and immediate addresses (the "callsandjumps"
    //     and "datarefs" options in signator_config), so those operands are
    //     not part of the match.
    //   - The indented "//" lines under each string are the generator's
    //     disassembly of the bytes, kept here for analyst readability; an
    //     empty right-hand column means the operand was wildcarded.
    //   - "n" is the number of instructions in the sequence; "score" is the
    //     generator's ranking value. Neither is evaluated by YARA.
    //   - The strings were taken from memory dumps / unpacked code (see the
    //     disclaimer above), so a packed or encrypted sample on disk is not
    //     expected to match until it has been unpacked.

    strings:
        $sequence_0 = { 8841ff eb0a 49 51 e8???????? 83c404 8b8c24c0000000 }
            // n = 7, score = 100
            //   8841ff               | mov                 byte ptr [ecx - 1], al
            //   eb0a                 | jmp                 0xc
            //   49                   | dec                 ecx
            //   51                   | push                ecx
            //   e8????????           |
            //   83c404               | add                 esp, 4
            //   8b8c24c0000000       | mov                 ecx, dword ptr [esp + 0xc0]

        $sequence_1 = { f6c303 7509 8b0c85b02b4100 eb07 8b0c85e42b4100 034d20 837d0801 }
            // n = 7, score = 100
            //   f6c303               | test                bl, 3
            //   7509                 | jne                 0xb
            //   8b0c85b02b4100       | mov                 ecx, dword ptr [eax*4 + 0x412bb0]
            //   eb07                 | jmp                 9
            //   8b0c85e42b4100       | mov                 ecx, dword ptr [eax*4 + 0x412be4]
            //   034d20               | add                 ecx, dword ptr [ebp + 0x20]
            //   837d0801             | cmp                 dword ptr [ebp + 8], 1
            // NOTE(review): the absolute addresses (0x412bb0, 0x412be4) are
            // matched literally, so this sequence is tied to the layout of the
            // sample it was generated from; a rebuilt or relocated binary may
            // not match it.

        $sequence_2 = { 8818 8a9c0a93e54000 88990f354100 40 83f903 }
            // n = 5, score = 100
            //   8818                 | mov                 byte ptr [eax], bl
            //   8a9c0a93e54000       | mov                 bl, byte ptr [edx + ecx + 0x40e593]
            //   88990f354100         | mov                 byte ptr [ecx + 0x41350f], bl
            //   40                   | inc                 eax
            //   83f903               | cmp                 ecx, 3
            // NOTE(review): same caveat as $sequence_1 - literal absolute
            // addresses (0x40e593, 0x41350f) in the pattern.

        $sequence_3 = { 7524 8b5750 6a04 6800300000 52 50 ffd6 }
            // n = 7, score = 100
            //   7524                 | jne                 0x26
            //   8b5750               | mov                 edx, dword ptr [edi + 0x50]
            //   6a04                 | push                4
            //   6800300000           | push                0x3000
            //   52                   | push                edx
            //   50                   | push                eax
            //   ffd6                 | call                esi
            // NOTE(review): the pushed constants 0x3000 and 4 are the values of
            // MEM_COMMIT|MEM_RESERVE and PAGE_READWRITE, so this looks like a
            // VirtualAlloc-style call through esi; the callee is not resolved
            // by the rule, so treat that as an analyst inference, not a fact.

        $sequence_4 = { 8a442403 53 55 56 33ed }
            // n = 5, score = 100
            //   8a442403             | mov                 al, byte ptr [esp + 3]
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   56                   | push                esi
            //   33ed                 | xor                 ebp, ebp

        $sequence_5 = { 7514 c1e902 83e203 83f908 7229 f3a5 ff2495f8334000 }
            // n = 7, score = 100
            //   7514                 | jne                 0x16
            //   c1e902               | shr                 ecx, 2
            //   83e203               | and                 edx, 3
            //   83f908               | cmp                 ecx, 8
            //   7229                 | jb                  0x2b
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff2495f8334000       | jmp                 dword ptr [edx*4 + 0x4033f8]
            // NOTE(review): "rep movsd" followed by a jump table dispatch on the
            // remainder looks like a compiler-runtime memcpy implementation;
            // if so it is generic library code rather than family-specific
            // logic, though the literal table address 0x4033f8 narrows it.

        $sequence_6 = { ff15???????? bf???????? 83c9ff 33c0 68???????? f2ae }
            // n = 6, score = 100
            //   ff15????????         |
            //   bf????????           |
            //   83c9ff               | or                  ecx, 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   68????????           |
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            // NOTE(review): "or ecx, -1; xor eax, eax; repne scasb" is the
            // classic inlined strlen idiom; with three wildcarded operands this
            // sequence is the least specific of the set.

        $sequence_7 = { 66f7460c0c01 7552 833c852835410000 53 57 8d3c8528354100 }
            // n = 6, score = 100
            //   66f7460c0c01         | test                word ptr [esi + 0xc], 0x10c
            //   7552                 | jne                 0x54
            //   833c852835410000     | cmp                 dword ptr [eax*4 + 0x413528], 0
            //   53                   | push                ebx
            //   57                   | push                edi
            //   8d3c8528354100       | lea                 edi, [eax*4 + 0x413528]

        $sequence_8 = { 5f 89b0f83a4100 5e 5b }
            // n = 4, score = 100
            //   5f                   | pop                 edi
            //   89b0f83a4100         | mov                 dword ptr [eax + 0x413af8], esi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_9 = { 8d8424a80a0000 8d8c2404010000 89442474 3bfb }
            // n = 4, score = 100
            //   8d8424a80a0000       | lea                 eax, [esp + 0xaa8]
            //   8d8c2404010000       | lea                 ecx, [esp + 0x104]
            //   89442474             | mov                 dword ptr [esp + 0x74], eax
            //   3bfb                 | cmp                 edi, ebx

    condition:
        // Fires when at least 7 of the 10 sequences are present, which tolerates
        // a few sequences being absent or altered (e.g. the address-bound ones
        // above). The filesize cap is 176 KiB (180224 bytes); when scanning
        // memory or unpacked dumps larger than that, this clause will suppress
        // the match even if the sequences are present.
        7 of them and filesize < 180224
}
rule win_typehash_w0 {
    meta:
        author = "Jeff White (karttoon@gmail.com) @noottrak"
        date = "15APR2020"
        // 64 hex digits, i.e. SHA-256 length; the algorithm is not stated in
        // the meta, so confirm against the source repository before pivoting.
        hash = "d81ba465fe59e7d600f7ab0e8161246a5badd8ae2c3084f76442fb49f6585e95"
        description = "Detects an observed Negastealer campaign payload"
        // Originally published as troj_win_negasteal.yar (see the path in
        // "source"); Malpedia files it under win.typehash.
        source = "https://github.com/karttoon/iocs/blob/899dac6045a73045baa8966a16b7402d625ee26b/Negasteal/troj_win_negasteal.yar"
        malpedia_rule_date = "20200817"
        malpedia_hash = ""
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.typehash"
        malpedia_version = "20201007"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // All strings are plain text literals with no modifiers, so YARA
        // applies its defaults: ASCII encoding only (no "wide"/UTF-16 match),
        // case-sensitive, and not "fullword" (a match inside a longer string
        // counts). $s3 and $s5 contain printf-style "%s" placeholders, so the
        // rule matches the format strings as embedded in the binary, not the
        // URLs or parameters the sample would actually emit on the wire.
        $s1 = "Mozilla/5.0 (Windows NT 5.2) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30"
        $s2 = "news.php"
        $s3 = "http://%s/%s"
        $s4 = "type=0"
        $s5 = "time=%s"
    condition:
        // $s2-$s5 are short, generic HTTP fragments that would be noisy on
        // their own; requiring every string together is what gives this rule
        // its specificity. There is no filesize bound, unlike the
        // autogenerated rule for this family, so consider adding one when
        // scanning large or unbounded data sets.
        all of them
}