There is no description at this point.
rule win_underminer_ek_auto {
    // Auto-generated code-sequence signature for the win.underminer_ek family
    // (see malpedia_reference). Strings are short x86 opcode runs lifted from
    // the disassembly of unpacked / memory-dumped samples, so the rule is meant
    // for unpacked binaries and memory dumps rather than packed on-disk samples.
    // Do not hand-tune individual sequences: the generator's scoring assumes
    // they are used together under the "7 of them" threshold below.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.underminer_ek."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.underminer_ek"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // Bytes after e8/e9/68/8b35 are wildcarded ("????????") because they are
        // call/jump targets and data references that move between builds.
        // "n" is the number of instructions in the sequence, "score" the
        // generator's confidence in it.
        $sequence_0 = { 8a450f 884708 0fb6450b 89470c e9???????? 3cc8 }
            // n = 6, score = 100
            //   8a450f               | mov                 al, byte ptr [ebp + 0xf]
            //   884708               | mov                 byte ptr [edi + 8], al
            //   0fb6450b             | movzx               eax, byte ptr [ebp + 0xb]
            //   89470c               | mov                 dword ptr [edi + 0xc], eax
            //   e9????????           |
            //   3cc8                 | cmp                 al, 0xc8

        $sequence_1 = { 3d40420f00 734f 83ec18 8bcc 68???????? e8???????? 8d4dc8 }
            // n = 7, score = 100
            //   3d40420f00           | cmp                 eax, 0xf4240
            //   734f                 | jae                 0x51
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp
            //   68????????           |
            //   e8????????           |
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]

        // NOTE(review): contains the absolute address 0x432c58 (sample image
        // layout); a rebuilt or differently based variant will most likely not
        // hit this sequence, only the others.
        $sequence_2 = { 8904bd582c4300 85c0 7514 6a0c 5e 8975e4 c745fcfeffffff }
            // n = 7, score = 100
            //   8904bd582c4300       | mov                 dword ptr [edi*4 + 0x432c58], eax
            //   85c0                 | test                eax, eax
            //   7514                 | jne                 0x16
            //   6a0c                 | push                0xc
            //   5e                   | pop                 esi
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   c745fcfeffffff       | mov                 dword ptr [ebp - 4], 0xfffffffe

        // Generic indirect-call thunk (push arg; call [eax]); low specificity
        // on its own, only meaningful in combination with the other sequences.
        $sequence_3 = { c3 ff742408 8b442408 ff10 c3 }
            // n = 5, score = 100
            //   c3                   | ret
            //   ff742408             | push                dword ptr [esp + 8]
            //   8b442408             | mov                 eax, dword ptr [esp + 8]
            //   ff10                 | call                dword ptr [eax]
            //   c3                   | ret

        // Looks like a manual PE header walk: checks for 0x5a4d ("MZ") and reads
        // the dword at offset 0x3c (e_lfanew). This pattern also appears in
        // loaders and shellcode that resolve imports by hand, so it is not
        // family-specific by itself.
        $sequence_4 = { 897df8 6681384d5a 0f85bd000000 8b703c 03f0 }
            // n = 5, score = 100
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   6681384d5a           | cmp                 word ptr [eax], 0x5a4d
            //   0f85bd000000         | jne                 0xc3
            //   8b703c               | mov                 esi, dword ptr [eax + 0x3c]
            //   03f0                 | add                 esi, eax

        $sequence_5 = { 6a00 50 ff5604 8d460c 6a00 50 ff16 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff5604               | call                dword ptr [esi + 4]
            //   8d460c               | lea                 eax, [esi + 0xc]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff16                 | call                dword ptr [esi]

        $sequence_6 = { 0fb6560b c1e008 0bc2 8be8 8d470c 3bc8 7278 }
            // n = 7, score = 100
            //   0fb6560b             | movzx               edx, byte ptr [esi + 0xb]
            //   c1e008               | shl                 eax, 8
            //   0bc2                 | or                  eax, edx
            //   8be8                 | mov                 ebp, eax
            //   8d470c               | lea                 eax, [edi + 0xc]
            //   3bc8                 | cmp                 ecx, eax
            //   7278                 | jb                  0x7a

        $sequence_7 = { 8b75c8 8d4de0 ff75d8 8b55f0 83ff10 0f43c6 }
            // n = 6, score = 100
            //   8b75c8               | mov                 esi, dword ptr [ebp - 0x38]
            //   8d4de0               | lea                 ecx, [ebp - 0x20]
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   83ff10               | cmp                 edi, 0x10
            //   0f43c6               | cmovae              eax, esi

        // NOTE(review): the immediates 0x7efa504a (here) and 0x7efa5314
        // ($sequence_11) are build-specific constants of unknown meaning
        // (key, hash or tag) -- presumably the strongest family-specific
        // anchors in this rule; confirm against the sample before relying on
        // them for attribution.
        $sequence_8 = { 47 884607 897df4 c745f04a50fa7e eb18 3ca0 7214 }
            // n = 7, score = 100
            //   47                   | inc                 edi
            //   884607               | mov                 byte ptr [esi + 7], al
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   c745f04a50fa7e       | mov                 dword ptr [ebp - 0x10], 0x7efa504a
            //   eb18                 | jmp                 0x1a
            //   3ca0                 | cmp                 al, 0xa0
            //   7214                 | jb                  0x16

        $sequence_9 = { 8d45e0 50 8d8d08ffffff e8???????? 8b55f4 83fa10 }
            // n = 6, score = 100
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   8d8d08ffffff         | lea                 ecx, [ebp - 0xf8]
            //   e8????????           |
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   83fa10               | cmp                 edx, 0x10

        // Only 8 bytes long; treat as a weak signal (see "7 of them" below).
        $sequence_10 = { 3bd8 3be2 3bf3 3bf8 }
            // n = 4, score = 100
            //   3bd8                 | cmp                 ebx, eax
            //   3be2                 | cmp                 esp, edx
            //   3bf3                 | cmp                 esi, ebx
            //   3bf8                 | cmp                 edi, eax

        $sequence_11 = { 7473 3bc3 c7450c32000000 7538 8b35???????? bf1453fa7e }
            // n = 6, score = 100
            //   7473                 | je                  0x75
            //   3bc3                 | cmp                 eax, ebx
            //   c7450c32000000       | mov                 dword ptr [ebp + 0xc], 0x32
            //   7538                 | jne                 0x3a
            //   8b35????????         |
            //   bf1453fa7e           | mov                 edi, 0x7efa5314

        $sequence_12 = { c7431000000000 8d5101 c743140f000000 c60300 0f1f8000000000 8a01 }
            // n = 6, score = 100
            //   c7431000000000       | mov                 dword ptr [ebx + 0x10], 0
            //   8d5101               | lea                 edx, [ecx + 1]
            //   c743140f000000       | mov                 dword ptr [ebx + 0x14], 0xf
            //   c60300               | mov                 byte ptr [ebx], 0
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   8a01                 | mov                 al, byte ptr [ecx]

        // NOTE(review): absolute table address 0x429148 -- same caveat as
        // $sequence_2, tied to this sample's image layout.
        $sequence_13 = { 8b450c 0fb684c848914200 c1e804 c9 c20800 8bff }
            // n = 6, score = 100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   0fb684c848914200     | movzx               eax, byte ptr [eax + ecx*8 + 0x429148]
            //   c1e804               | shr                 eax, 4
            //   c9                   | leave
            //   c20800               | ret                 8
            //   8bff                 | mov                 edi, edi

        // Only 6 bytes long and disassembles oddly (segment-prefixed push/pop);
        // likely data or misaligned bytes rather than real code. Weak signal.
        $sequence_14 = { 3836 42 3653 3658 }
            // n = 4, score = 100
            //   3836                 | cmp                 byte ptr [esi], dh
            //   42                   | inc                 edx
            //   3653                 | push                ebx
            //   3658                 | pop                 eax

        $sequence_15 = { 03c8 3b4de8 7751 395de0 7440 83c00d 50 }
            // n = 7, score = 100
            //   03c8                 | add                 ecx, eax
            //   3b4de8               | cmp                 ecx, dword ptr [ebp - 0x18]
            //   7751                 | ja                  0x53
            //   395de0               | cmp                 dword ptr [ebp - 0x20], ebx
            //   7440                 | je                  0x42
            //   83c00d               | add                 eax, 0xd
            //   50                   | push                eax

    condition:
        // Require 7 of the 16 sequences so that the short/generic ones
        // ($sequence_3, _4, _10, _14) cannot trigger the rule alone.
        // 466944 = 0x72000 bounds the size of the unpacked image.
        // Caveat: YARA's `filesize` is undefined when scanning a live process
        // (yara --pid), so this condition will not match there; drop the size
        // clause (or scan a dumped file instead) if process scanning is needed.
        7 of them and filesize < 466944
}