This is possibly related to the MATA framework / Dacls.
/*
 * YARA-Signator rule for win.unidentified_106 (Malpedia).
 *
 * Each $sequence_N holds one run of seven x86-64 instructions lifted from
 * the disassembly of the documented sample. The `??` bytes wildcard the
 * rel32 operand of call (e8) / jmp (e9) so the pattern is not tied to one
 * load address. The `// <hex> | <mnemonic>` notes under each string decode
 * the bytes in 64-bit mode (the 0x4x REX prefixes only make sense there);
 * they replace the upstream auto-generated annotations, which were out of
 * step with the bytes they sat next to (e.g. `33c0` was labelled
 * `test ebx, ebx`). Treat the mnemonics as a reading aid and confirm them
 * with a disassembler before relying on them.
 *
 * Matching: at least 7 of the 10 sequences must be present and the scanned
 * object must be smaller than 27402240 bytes. Per the disclaimer below the
 * intended input is a memory dump or unpacked image, not a packed file.
 */
rule win_unidentified_106_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.unidentified_106."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_106"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 4d8bc6 488bd7 e8???????? 85c0 781d 488d8da8000000 448bce } // n = 7, score = 100
            // 4d8bc6              | mov r8, r14
            // 488bd7              | mov rdx, rdi
            // e8????????          | call <rel32 masked>
            // 85c0                | test eax, eax
            // 781d                | js +0x1d
            // 488d8da8000000      | lea rcx, [rbp+0xa8]
            // 448bce              | mov r9d, esi

        $sequence_1 = { eb57 4c8b4c2450 418bcc 2bcf 412bce 4103cf 4183fc02 } // n = 7, score = 100
            // eb57                | jmp +0x57
            // 4c8b4c2450          | mov r9, [rsp+0x50]
            // 418bcc              | mov ecx, r12d
            // 2bcf                | sub ecx, edi
            // 412bce              | sub ecx, r14d
            // 4103cf              | add ecx, r15d
            // 4183fc02            | cmp r12d, 2

        $sequence_2 = { f0440108 488d4138 41b806000000 488d15196a0300 483950f0 740c 488b10 } // n = 7, score = 100
            // f0440108            | lock add [rax], r9d
            // 488d4138            | lea rax, [rcx+0x38]
            // 41b806000000        | mov r8d, 6
            // 488d15196a0300      | lea rdx, [rip+0x36a19]
            // 483950f0            | cmp [rax-0x10], rdx
            // 740c                | je +0xc
            // 488b10              | mov rdx, [rax]

        $sequence_3 = { eb15 6685c0 7510 66c783480400000f10 c6834a04000001 33c0 488bbc24a8000000 } // n = 7, score = 100
            // eb15                | jmp +0x15
            // 6685c0              | test ax, ax
            // 7510                | jne +0x10
            // 66c783480400000f10  | mov word ptr [rbx+0x448], 0x100f
            // c6834a04000001      | mov byte ptr [rbx+0x44a], 1
            // 33c0                | xor eax, eax
            // 488bbc24a8000000    | mov rdi, [rsp+0xa8]

        $sequence_4 = { e8???????? e9???????? b948000000 4889ac2440010000 e8???????? 488be8 4885c0 } // n = 7, score = 100
            // e8????????          | call <rel32 masked>
            // e9????????          | jmp <rel32 masked>
            // b948000000          | mov ecx, 0x48
            // 4889ac2440010000    | mov [rsp+0x140], rbp
            // e8????????          | call <rel32 masked>
            // 488be8              | mov rbp, rax
            // 4885c0              | test rax, rax

        $sequence_5 = { ffc1 8bc2 3bca 7cef 85d2 7e1f 4c8b4310 } // n = 7, score = 100
            // ffc1                | inc ecx
            // 8bc2                | mov eax, edx
            // 3bca                | cmp ecx, edx
            // 7cef                | jl -0x11
            // 85d2                | test edx, edx
            // 7e1f                | jle +0x1f
            // 4c8b4310            | mov r8, [rbx+0x10]

        // NOTE(review): the bytes after the call in this sequence decode to
        // implausible instructions (cmc / xchg / byte xor against large
        // displacements). They look like data or an inline constant that
        // follows the call rather than real code; the rule still counts them
        // as one of the 10 sequences. Confirm against a sample before
        // weighting this string.
        $sequence_6 = { e8???????? f5 91 32baf8b76637 44e81b3bc545 205943 30ba84ffde36 } // n = 7, score = 100
            // e8????????          | call <rel32 masked>
            // f5                  | cmc
            // 91                  | xchg eax, ecx
            // 32baf8b76637        | xor bh, [rdx+0x3766b7f8]
            // 44e81b3bc545        | (REX.R) call +0x45c53b1b
            // 205943              | and [rcx+0x43], bl
            // 30ba84ffde36        | xor [rdx+0x36deff84], bh

        $sequence_7 = { e8???????? 8bc3 eb05 b856ffffff 4c8d5c2460 498b5b10 498b7318 } // n = 7, score = 100
            // e8????????          | call <rel32 masked>
            // 8bc3                | mov eax, ebx
            // eb05                | jmp +0x5
            // b856ffffff          | mov eax, 0xffffff56
            // 4c8d5c2460          | lea r11, [rsp+0x60]
            // 498b5b10            | mov rbx, [r11+0x10]
            // 498b7318            | mov rsi, [r11+0x18]

        $sequence_8 = { e9???????? 80bb4704000002 7518 b206 488bcb e8???????? 8983e4020000 } // n = 7, score = 100
            // e9????????          | jmp <rel32 masked>
            // 80bb4704000002      | cmp byte ptr [rbx+0x447], 2
            // 7518                | jne +0x18
            // b206                | mov dl, 6
            // 488bcb              | mov rcx, rbx
            // e8????????          | call <rel32 masked>
            // 8983e4020000        | mov [rbx+0x2e4], eax

        $sequence_9 = { e8???????? 8bd0 85c0 7561 0fb68f28020000 458bc7 450fafc6 } // n = 7, score = 100
            // e8????????          | call <rel32 masked>
            // 8bd0                | mov edx, eax
            // 85c0                | test eax, eax
            // 7561                | jne +0x61
            // 0fb68f28020000      | movzx ecx, byte ptr [rdi+0x228]
            // 458bc7              | mov r8d, r15d
            // 450fafc6            | imul r8d, r14d

    condition:
        // 7 of the 10 sequences (not all), plus the size cap from upstream.
        7 of ($sequence_*) and filesize < 27402240
}