There is no description at this point.
rule win_warezov_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.warezov." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.warezov" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { c6842451020000ac c6842452020000b1 c6842453020000a6 c6842454020000b3 c6842455020000af c6842456020000ba c6842457020000c3 } // n = 7, score = 100 // c6842451020000ac | mov byte ptr [esp + 0x251], 0xac // c6842452020000b1 | mov byte ptr [esp + 0x252], 0xb1 // c6842453020000a6 | mov byte ptr [esp + 0x253], 0xa6 // c6842454020000b3 | mov byte ptr [esp + 0x254], 0xb3 // c6842455020000af | mov byte ptr [esp + 0x255], 0xaf // c6842456020000ba | mov byte ptr [esp + 0x256], 0xba // c6842457020000c3 | mov byte ptr [esp + 0x257], 0xc3 $sequence_1 = { ffd5 50 8d8c24ac010000 51 8bcb e8???????? 83f8ff } // n = 7, score = 100 // ffd5 | call ebp // 50 | push eax // 8d8c24ac010000 | lea ecx, [esp + 0x1ac] // 51 | push ecx // 8bcb | mov ecx, ebx // e8???????? | // 83f8ff | cmp eax, -1 $sequence_2 = { c644247bcc c644247ccc c644247d16 c644247efb c644247f92 c684248000000094 c6842481000000c6 } // n = 7, score = 100 // c644247bcc | mov byte ptr [esp + 0x7b], 0xcc // c644247ccc | mov byte ptr [esp + 0x7c], 0xcc // c644247d16 | mov byte ptr [esp + 0x7d], 0x16 // c644247efb | mov byte ptr [esp + 0x7e], 0xfb // c644247f92 | mov byte ptr [esp + 0x7f], 0x92 // c684248000000094 | mov byte ptr [esp + 0x80], 0x94 // c6842481000000c6 | mov byte ptr [esp + 0x81], 0xc6 $sequence_3 = { 33c0 e9???????? 6a44 c645fc01 e8???????? 83c404 3bc3 } // n = 7, score = 100 // 33c0 | xor eax, eax // e9???????? | // 6a44 | push 0x44 // c645fc01 | mov byte ptr [ebp - 4], 1 // e8???????? | // 83c404 | add esp, 4 // 3bc3 | cmp eax, ebx $sequence_4 = { 83f8ff 0f853c010000 b0b0 88442409 8844241b b08c } // n = 6, score = 100 // 83f8ff | cmp eax, -1 // 0f853c010000 | jne 0x142 // b0b0 | mov al, 0xb0 // 88442409 | mov byte ptr [esp + 9], al // 8844241b | mov byte ptr [esp + 0x1b], al // b08c | mov al, 0x8c $sequence_5 = { 50 e8???????? 83c40c 83bdecfcffff00 7511 8d85f0fcffff 50 } // n = 7, score = 100 // 50 | push eax // e8???????? | // 83c40c | add esp, 0xc // 83bdecfcffff00 | cmp dword ptr [ebp - 0x314], 0 // 7511 | jne 0x13 // 8d85f0fcffff | lea eax, [ebp - 0x310] // 50 | push eax $sequence_6 = { 8854242c c644242d5f c644242e64 c644242f63 c644243069 c644243165 c64424326e } // n = 7, score = 100 // 8854242c | mov byte ptr [esp + 0x2c], dl // c644242d5f | mov byte ptr [esp + 0x2d], 0x5f // c644242e64 | mov byte ptr [esp + 0x2e], 0x64 // c644242f63 | mov byte ptr [esp + 0x2f], 0x63 // c644243069 | mov byte ptr [esp + 0x30], 0x69 // c644243165 | mov byte ptr [esp + 0x31], 0x65 // c64424326e | mov byte ptr [esp + 0x32], 0x6e $sequence_7 = { c644241c9a c644241e8c c644241fef e8???????? 8d4c241c 8d542414 c644241473 } // n = 7, score = 100 // c644241c9a | mov byte ptr [esp + 0x1c], 0x9a // c644241e8c | mov byte ptr [esp + 0x1e], 0x8c // c644241fef | mov byte ptr [esp + 0x1f], 0xef // e8???????? | // 8d4c241c | lea ecx, [esp + 0x1c] // 8d542414 | lea edx, [esp + 0x14] // c644241473 | mov byte ptr [esp + 0x14], 0x73 $sequence_8 = { ffd7 55 6a00 56 ffd7 8b442444 50 } // n = 7, score = 100 // ffd7 | call edi // 55 | push ebp // 6a00 | push 0 // 56 | push esi // ffd7 | call edi // 8b442444 | mov eax, dword ptr [esp + 0x44] // 50 | push eax $sequence_9 = { 0f8438ffffff 8d45cc 50 8d4d90 e8???????? 8b7dc0 8b5f08 } // n = 7, score = 100 // 0f8438ffffff | je 0xffffff3e // 8d45cc | lea eax, [ebp - 0x34] // 50 | push eax // 8d4d90 | lea ecx, [ebp - 0x70] // e8???????? | // 8b7dc0 | mov edi, dword ptr [ebp - 0x40] // 8b5f08 | mov ebx, dword ptr [edi + 8] condition: 7 of them and filesize < 827392 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY