win.venomloader

VenomLoader


There is no description at this point.

References
2024-12-02 · Zscaler · Muhammed Irfan V A
Unveiling RevC2 and Venom Loader
RevC2 VenomLoader
Yara Rules
[TLP:WHITE] win_venomloader_auto (20260504 | Detects win.venomloader.)
rule win_venomloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.venomloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.venomloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE (review): the "//" lines under each $sequence are an x86-64 decode
     * of that hex pattern, one instruction per line (the patterns carry REX
     * prefixes such as 0x48, so a 32-bit decode would misread them). Branch
     * and call displacements are shown relative to the next instruction.
     * "??" bytes are YARA wildcards and match any byte, so for the e8/e9
     * (call/jmp rel32) and rip-relative mov entries only the opcode bytes are
     * constrained. Matching is on the raw bytes; the mnemonics are
     * informational only.
     */

    strings:
        $sequence_0 = { 53 4883ec20 488d0594160400 80796f00 488901 4889cb 7438 }
            // n = 7, score = 100
            //   53                   | push                rbx
            //   4883ec20             | sub                 rsp, 0x20
            //   488d0594160400       | lea                 rax, [rip + 0x41694]
            //   80796f00             | cmp                 byte ptr [rcx + 0x6f], 0
            //   488901               | mov                 qword ptr [rcx], rax
            //   4889cb               | mov                 rbx, rcx
            //   7438                 | je                  +0x38

        $sequence_1 = { 488379e800 0f8452fdffff 4084ff 0f8549fdffff 4584ff 0f8416030000 488b842400010000 }
            // n = 7, score = 100
            //   488379e800           | cmp                 qword ptr [rcx - 0x18], 0
            //   0f8452fdffff         | je                  -0x2ae
            //   4084ff               | test                dil, dil
            //   0f8549fdffff         | jne                 -0x2b7
            //   4584ff               | test                r15b, r15b
            //   0f8416030000         | je                  +0x316
            //   488b842400010000     | mov                 rax, qword ptr [rsp + 0x100]

        $sequence_2 = { 89da 4889f1 4189c5 e8???????? 85c0 7506 }
            // n = 6, score = 100
            //   89da                 | mov                 edx, ebx
            //   4889f1               | mov                 rcx, rsi
            //   4189c5               | mov                 r13d, eax
            //   e8????????           | call                rel32 (target wildcarded)
            //   85c0                 | test                eax, eax
            //   7506                 | jne                 +0x6

        $sequence_3 = { 4829c8 48d1f8 48894350 4889da 4889f1 e8???????? 488d0593d00200 }
            // n = 7, score = 100
            //   4829c8               | sub                 rax, rcx
            //   48d1f8               | sar                 rax, 1
            //   48894350             | mov                 qword ptr [rbx + 0x50], rax
            //   4889da               | mov                 rdx, rbx
            //   4889f1               | mov                 rcx, rsi
            //   e8????????           | call                rel32 (target wildcarded)
            //   488d0593d00200       | lea                 rax, [rip + 0x2d093]

        $sequence_4 = { 5d c3 55 53 4883ec38 488d6c2430 488d45f7 }
            // n = 7, score = 100
            //   5d                   | pop                 rbp
            //   c3                   | ret
            //   55                   | push                rbp
            //   53                   | push                rbx
            //   4883ec38             | sub                 rsp, 0x38
            //   488d6c2430           | lea                 rbp, [rsp + 0x30]
            //   488d45f7             | lea                 rax, [rbp - 0x9]

        $sequence_5 = { 85d2 752e 8340f801 48894308 488d05ff060600 488903 4883c438 }
            // n = 7, score = 100
            //   85d2                 | test                edx, edx
            //   752e                 | jne                 +0x2e
            //   8340f801             | add                 dword ptr [rax - 0x8], 1
            //   48894308             | mov                 qword ptr [rbx + 0x8], rax
            //   488d05ff060600       | lea                 rax, [rip + 0x606ff]
            //   488903               | mov                 qword ptr [rbx], rax
            //   4883c438             | add                 rsp, 0x38

        $sequence_6 = { 488d157ffc0400 4889d9 e8???????? 488b05???????? 4889f1 4883c010 488983e0000000 }
            // n = 7, score = 100
            //   488d157ffc0400       | lea                 rdx, [rip + 0x4fc7f]
            //   4889d9               | mov                 rcx, rbx
            //   e8????????           | call                rel32 (target wildcarded)
            //   488b05????????       | mov                 rax, qword ptr [rip + disp32] (disp wildcarded)
            //   4889f1               | mov                 rcx, rsi
            //   4883c010             | add                 rax, 0x10
            //   488983e0000000       | mov                 qword ptr [rbx + 0xe0], rax

        $sequence_7 = { 488d1509b00a00 c70002000000 48895008 c3 488d15f7af0a00 c70002000000 48895008 }
            // n = 7, score = 100
            //   488d1509b00a00       | lea                 rdx, [rip + 0xab009]
            //   c70002000000         | mov                 dword ptr [rax], 2
            //   48895008             | mov                 qword ptr [rax + 0x8], rdx
            //   c3                   | ret
            //   488d15f7af0a00       | lea                 rdx, [rip + 0xaaff7]
            //   c70002000000         | mov                 dword ptr [rax], 2
            //   48895008             | mov                 qword ptr [rax + 0x8], rdx

        $sequence_8 = { 29d0 85c0 0f8fcb020000 4183fd6f 0f8429020000 4439fa 0f8d88020000 }
            // n = 7, score = 100
            //   29d0                 | sub                 eax, edx
            //   85c0                 | test                eax, eax
            //   0f8fcb020000         | jg                  +0x2cb
            //   4183fd6f             | cmp                 r13d, 0x6f
            //   0f8429020000         | je                  +0x229
            //   4439fa               | cmp                 edx, r15d
            //   0f8d88020000         | jge                 +0x288

        $sequence_9 = { 85d2 0f8f64ffffff 4883e918 4c89e2 e8???????? 488b8424b0000000 e9???????? }
            // n = 7, score = 100
            //   85d2                 | test                edx, edx
            //   0f8f64ffffff         | jg                  -0x9c
            //   4883e918             | sub                 rcx, 0x18
            //   4c89e2               | mov                 rdx, r12
            //   e8????????           | call                rel32 (target wildcarded)
            //   488b8424b0000000     | mov                 rax, qword ptr [rsp + 0xb0]
            //   e9????????           | jmp                 rel32 (target wildcarded)

    condition:
        // any 7 of the 10 $sequence_* patterns must be present; the size cap
        // bounds the files the rule is scanned against
        7 of them and filesize < 2592768
}