win.unidentified_118

Unidentified 118


There is no description at this point.

References
2025-02-11 · Sekoia · Pierre Le Bourhis
RATatouille: Cooking Up Chaos in the I2P Kitchen
Unidentified 118
2024-12-16 · Gdata · Banu Ramakrishnan
New I2PRAT communicates via anonymous peer-to-peer network
Unidentified 118
2024-11-20 · Cofense · Kahng An
Custom I2P RAT “I2Parcae” Delivered via Pornographic Customer Support Form Spam
I2PRAT, Unidentified 118
2024-09-01 · X (@naumovax)
Suspected PrivateLoader
Unidentified 118
Yara Rules
[TLP:WHITE] win_unidentified_118_auto (20260504 | Detects win.unidentified_118.)
// Auto-generated code-sequence rule for the Malpedia family win.unidentified_118
// ("Unidentified 118"). The $sequence_* hex strings are the actual match criteria;
// they were selected by yara-signator from disassembly of memory dumps and unpacked
// files (see the DISCLAIMER below), so coverage of packed on-disk builds is not implied.
rule win_unidentified_118_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.unidentified_118."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_118"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86-64 instruction bytes (n = instruction count,
        // score = the generator's ranking). `??` bytes are wildcards: every occurrence
        // here is the 4-byte relative target of an `e8` (call rel32), so call
        // destinations are deliberately not part of the match.
        // NOTE(review): the mnemonic column beside each opcode is tool output and does
        // not decode from the bytes next to it (0x48 REX prefixes appear as `dec eax`,
        // i.e. a 32-bit decoding of 64-bit code); treat the hex, not the mnemonics, as
        // authoritative when reviewing or tuning this rule.
        $sequence_0 = { 488d4c2428 488b742420 418d5708 482bce 4489742438 89442428 895c2444 }
            // n = 7, score = 300
            //   488d4c2428           | and                 eax, 3
            //   488b742420           | je                  0xfe
            //   418d5708             | dec                 eax
            //   482bce               | sub                 eax, 1
            //   4489742438           | je                  0xe7
            //   89442428             | dec                 eax
            //   895c2444             | cmp                 eax, 1

        $sequence_1 = { 488bce e8???????? 6644893c33 eb0c 448a45c4 488bcf e8???????? }
            // n = 7, score = 300
            //   488bce               | test                eax, eax
            //   e8????????           |                     
            //   6644893c33           | jne                 0xdfa
            //   eb0c                 | dec                 ebp
            //   448a45c4             | test                esp, esp
            //   488bcf               | je                  0xdf2
            //   e8????????           |                     

        $sequence_2 = { 488b4330 488b10 ffd2 4883633800 488b5c2430 4883c420 }
            // n = 6, score = 300
            //   488b4330             | dec                 eax
            //   488b10               | mov                 edi, ecx
            //   ffd2                 | dec                 eax
            //   4883633800           | lea                 ecx, [esp + 0x20]
            //   488b5c2430           | inc                 esp
            //   4883c420             | lea                 eax, [edx + 0x40]

        $sequence_3 = { 488bda 4883611800 e8???????? 4883631000 48c743180f000000 c60300 4883c420 }
            // n = 7, score = 300
            //   488bda               | pop                 ebp
            //   4883611800           | dec                 eax
            //   e8????????           |                     
            //   4883631000           | add                 edx, eax
            //   48c743180f000000     | mov                 eax, 0x54
            //   c60300               | mov                 ecx, eax
            //   4883c420             | dec                 eax

        $sequence_4 = { 488bc8 e8???????? 4c8d4c2450 33c9 4c8d442420 488d542448 ffd0 }
            // n = 7, score = 300
            //   488bc8               | dec                 eax
            //   e8????????           |                     
            //   4c8d4c2450           | mov                 ebx, dword ptr [esp + 0x60]
            //   33c9                 | dec                 eax
            //   4c8d442420           | mov                 ebp, dword ptr [esp + 0x70]
            //   488d542448           | inc                 esp
            //   ffd0                 | mov                 ecx, dword ptr [esp + 0x88]

        $sequence_5 = { 4883c004 4803c2 8b4808 8b400c 85c9 0f84cafeffff }
            // n = 6, score = 300
            //   4883c004             | dec                 eax
            //   4803c2               | xor                 ecx, esp
            //   8b4808               | mov                 edi, 0x1000
            //   8b400c               | dec                 eax
            //   85c9                 | mov                 edx, dword ptr [ebp - 0x19]
            //   0f84cafeffff         | dec                 ecx

        $sequence_6 = { 4103c8 3bd9 721a 8bd3 498bc9 e8???????? 4c8bd0 }
            // n = 7, score = 300
            //   4103c8               | mov                 esi, 8
            //   3bd9                 | dec                 eax
            //   721a                 | mov                 dword ptr [esp + 0x48], esi
            //   8bd3                 | movaps              xmm0, xmmword ptr [esp + 0x40]
            //   498bc9               | nop                 
            //   e8????????           |                     
            //   4c8bd0               | dec                 eax

        $sequence_7 = { 488bd6 4c8b8c2488000000 488bcd 4c8b842480000000 89442428 8b842490000000 }
            // n = 6, score = 300
            //   488bd6               | dec                 ecx
            //   4c8b8c2488000000     | mov                 dword ptr [eax + 8], edx
            //   488bcd               | inc                 edx
            //   4c8b842480000000     | mov                 cl, byte ptr [ecx + ebx + 0x21c60]
            //   89442428             | dec                 eax
            //   8b842490000000       | sub                 edx, eax

        $sequence_8 = { 488d442440 4889442420 4533c9 4533c0 8bd3 488b4c2450 e8???????? }
            // n = 7, score = 300
            //   488d442440           | dec                 eax
            //   4889442420           | mov                 ecx, edi
            //   4533c9               | dec                 eax
            //   4533c0               | mov                 ecx, ebx
            //   8bd3                 | nop                 
            //   488b4c2450           | dec                 eax
            //   e8????????           |                     

        $sequence_9 = { 4584ed 7420 0fb7442420 3b4210 0f829d010000 3b4214 0f8394010000 }
            // n = 7, score = 300
            //   4584ed               | mov                 edx, esi
            //   7420                 | dec                 eax
            //   0fb7442420           | mov                 ecx, ebp
            //   3b4210               | call                edi
            //   0f829d010000         | dec                 eax
            //   3b4214               | mov                 ebx, dword ptr [esp + 0x50]
            //   0f8394010000         | jmp                 0x7e

    // Match when at least 7 of the 10 sequences are present and the scanned object is
    // smaller than 413696 bytes (404 KiB). Per the YARA documentation `filesize` is
    // undefined when scanning a running process, so this rule targets files and dumps
    // on disk. The size bound presumably reflects the documented sample(s) and may
    // exclude larger or padded builds — confirm against your own corpus before tuning.
    condition:
        7 of them and filesize < 413696
}