Actor(s): Comment Crew
There is no description at this point.
rule win_webc2_rave_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.webc2_rave." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 83f830 720b 83f839 7706 83c004 c20400 83f82d } // n = 7, score = 100 // 83f830 | cmp eax, 0x30 // 720b | jb 0xd // 83f839 | cmp eax, 0x39 // 7706 | ja 8 // 83c004 | add eax, 4 // c20400 | ret 4 // 83f82d | cmp eax, 0x2d $sequence_1 = { 85db 759e 8dbc242c010000 83c9ff 33c0 } // n = 5, score = 100 // 85db | test ebx, ebx // 759e | jne 0xffffffa0 // 8dbc242c010000 | lea edi, [esp + 0x12c] // 83c9ff | or ecx, 0xffffffff // 33c0 | xor eax, eax $sequence_2 = { 03de 81e3ff000000 8bf3 8a5c3410 885c0c10 } // n = 5, score = 100 // 03de | add ebx, esi // 81e3ff000000 | and ebx, 0xff // 8bf3 | mov esi, ebx // 8a5c3410 | mov bl, byte ptr [esp + esi + 0x10] // 885c0c10 | mov byte ptr [esp + ecx + 0x10], bl $sequence_3 = { be???????? 8d8c241c010000 8a01 8ad0 3a06 } // n = 5, score = 100 // be???????? | // 8d8c241c010000 | lea ecx, [esp + 0x11c] // 8a01 | mov al, byte ptr [ecx] // 8ad0 | mov dl, al // 3a06 | cmp al, byte ptr [esi] $sequence_4 = { 8b3d???????? 8d542414 8d4604 51 } // n = 4, score = 100 // 8b3d???????? | // 8d542414 | lea edx, [esp + 0x14] // 8d4604 | lea eax, [esi + 4] // 51 | push ecx $sequence_5 = { b941000000 33c0 8dbc24b0020000 83c410 } // n = 4, score = 100 // b941000000 | mov ecx, 0x41 // 33c0 | xor eax, eax // 8dbc24b0020000 | lea edi, [esp + 0x2b0] // 83c410 | add esp, 0x10 $sequence_6 = { 33c9 eb05 1bc9 83d9ff 85c9 7423 8b4508 } // n = 7, score = 100 // 33c9 | xor ecx, ecx // eb05 | jmp 7 // 1bc9 | sbb ecx, ecx // 83d9ff | sbb ecx, -1 // 85c9 | test ecx, ecx // 7423 | je 0x25 // 8b4508 | mov eax, dword ptr [ebp + 8] $sequence_7 = { 56 57 b900010000 33c0 8d7c2414 } // n = 5, score = 100 // 56 | push esi // 57 | push edi // b900010000 | mov ecx, 0x100 // 33c0 | xor eax, eax // 8d7c2414 | lea edi, [esp + 0x14] $sequence_8 = { 5d 5b 81c454030000 c3 6a20 ffd7 } // n = 6, score = 100 // 5d | pop ebp // 5b | pop ebx // 81c454030000 | add esp, 0x354 // c3 | ret // 6a20 | push 0x20 // ffd7 | call edi $sequence_9 = { 85c0 0f8426010000 8d4c244c 6804010000 8d542450 } // n = 5, score = 100 // 85c0 | test eax, eax // 0f8426010000 | je 0x12c // 8d4c244c | lea ecx, [esp + 0x4c] // 6804010000 | push 0x104 // 8d542450 | lea edx, [esp + 0x50] condition: 7 of them and filesize < 57344 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY