win.wslink

Wslink

aka: FinickyFrogfish

There is no description at this point.

References
2022-03-01ESET ResearchVladislav Hrčka
Under the hood of Wslink’s multilayered virtual machine
Wslink
2021-10-27ESET ResearchVladislav Hrčka
Wslink: Unique and undocumented malicious loader that runs as a server
Wslink
2021-10-27Twitter (@darienhuss)Darien Huss
Tweet on FinickyFrogfish/Wslink malware used by TA444
Wslink
Yara Rules
[TLP:WHITE] win_wslink_auto (20260504 | Detects win.wslink.)
rule win_wslink_auto {
    /* Purpose: auto-generated code-pattern signature for the Wslink loader
     * (Malpedia id win.wslink, aka FinickyFrogfish). It matches ten short
     * opcode byte sequences taken from disassembly; the condition at the
     * bottom says how many of them must be present. The meta block is the
     * generator's provenance record and is not referenced by the condition. */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.wslink."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the string definitions below:
     *  - Each $sequence_N is a raw hex pattern; every "??" wildcards one byte.
     *    The "e8 ????????" entries mask the 4-byte operand that follows the
     *    e8 opcode (a relative call on x86), so the pattern still matches
     *    when the call target or link address differs between samples.
     *  - "n = 7, score = 100" is generator output (instruction count and the
     *    generator's ranking score), not YARA syntax.
     *  - NOTE(review): the mnemonic column in the per-byte comments does not
     *    line up with the opcode bytes on the same line (for example c3 is
     *    `ret`, 5e is `pop`, 33c0 is `xor eax, eax`, yet they are annotated
     *    otherwise). Treat the hex bytes as authoritative and the mnemonics
     *    as a generator artifact; never hand-edit bytes to "match" them.
     *  - The recurring 48/4c/41 prefix bytes are REX prefixes, which suggests
     *    these are x86-64 code sequences; expect hits in 64-bit images or in
     *    unpacked/dumped 64-bit code rather than in 32-bit builds. */

    strings:
        $sequence_0 = { e8???????? 33c0 4883c450 5e c3 488bc6 4883c450 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   33c0                 | dec                 esp
            //   4883c450             | mov                 esi, edx
            //   5e                   | dec                 esp
            //   c3                   | mov                 edi, ecx
            //   488bc6               | test                eax, eax
            //   4883c450             | inc                 ecx

        $sequence_1 = { 8d4f25 448d476f c74424208d010000 e8???????? 33c0 4883c430 5f }
            // n = 7, score = 100
            //   8d4f25               | jne                 0xfe4
            //   448d476f             | dec                 eax
            //   c74424208d010000     | cmp                 dword ptr [edi + 0x10], 0
            //   e8????????           |                     
            //   33c0                 | jne                 0xfe4
            //   4883c430             | dec                 eax
            //   5f                   | mov                 eax, dword ptr [eax]

        $sequence_2 = { 4c8d0db6ec0700 498d440d00 488d15caec0700 488bcd 483bc6 488d0561b40800 4c0f44c8 }
            // n = 7, score = 100
            //   4c8d0db6ec0700       | add                 esp, 0x30
            //   498d440d00           | mov                 dword ptr [esp + 0x20], 0x247
            //   488d15caec0700       | dec                 esp
            //   488bcd               | lea                 ecx, [0xa4042]
            //   483bc6               | inc                 esp
            //   488d0561b40800       | lea                 eax, [eax + 0x71]
            //   4c0f44c8             | dec                 eax

        $sequence_3 = { 488bd3 0f4fc8 4c63c9 85c9 7e2b 4c8b4508 }
            // n = 6, score = 100
            //   488bd3               | dec                 esp
            //   0f4fc8               | lea                 ecx, [0xa76cc]
            //   4c63c9               | inc                 ebp
            //   85c9                 | lea                 eax, [edi + 0x7b]
            //   7e2b                 | dec                 eax
            //   4c8b4508             | lea                 edx, [0x95747]

        $sequence_4 = { e8???????? 2507000f00 3d02000100 751a c7442420da000000 4c8d0d0c6f0b00 41b8aa000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   2507000f00           | mov                 ecx, dword ptr [eax]
            //   3d02000100           | dec                 ecx
            //   751a                 | dec                 eax
            //   c7442420da000000     | mov                 dword ptr [esp + 0x20], ebx
            //   4c8d0d0c6f0b00       | cmp                 ecx, 9
            //   41b8aa000000         | ja                  0xd4a

        $sequence_5 = { 7756 4898 8b8c867ca40400 4803ce ffe1 834f4801 eb42 }
            // n = 7, score = 100
            //   7756                 | jne                 0x1189
            //   4898                 | jmp                 0xe82
            //   8b8c867ca40400       | inc                 ecx
            //   4803ce               | mov                 esi, edi
            //   ffe1                 | inc                 ecx
            //   834f4801             | mov                 ecx, 0x1001
            //   eb42                 | inc                 esp

        $sequence_6 = { 418d48bd e8???????? 488bf8 4885c0 743b 48837d0000 750e }
            // n = 7, score = 100
            //   418d48bd             | mov                 ebp, dword ptr [esp + 0x78]
            //   e8????????           |                     
            //   488bf8               | dec                 eax
            //   4885c0               | mov                 esi, dword ptr [esp + 0x70]
            //   743b                 | dec                 eax
            //   48837d0000           | test                ebx, ebx
            //   750e                 | dec                 eax

        $sequence_7 = { 750e 4883c458 415f 415d 415c 5f 5d }
            // n = 7, score = 100
            //   750e                 | dec                 eax
            //   4883c458             | mov                 edx, edi
            //   415f                 | dec                 eax
            //   415d                 | mov                 ecx, ebx
            //   415c                 | test                eax, eax
            //   5f                   | je                  0x5d5
            //   5d                   | inc                 ecx

        $sequence_8 = { 4863c8 4c3bf9 7422 ba64000000 4c8d0dcd6e0600 c7442420be000000 8d4ac7 }
            // n = 7, score = 100
            //   4863c8               | dec                 esp
            //   4c3bf9               | mov                 esp, ecx
            //   7422                 | inc                 ecx
            //   ba64000000           | mov                 ebx, edi
            //   4c8d0dcd6e0600       | inc                 ebp
            //   c7442420be000000     | mov                 esi, edi
            //   8d4ac7               | dec                 eax

        $sequence_9 = { 83f9ff 7508 b910000000 418bf3 488b457f 4c8d4d6f 33d2 }
            // n = 7, score = 100
            //   83f9ff               | dec                 eax
            //   7508                 | je                  0x31b
            //   b910000000           | dec                 eax
            //   418bf3               | jne                 0x35d
            //   488b457f             | dec                 eax
            //   4c8d4d6f             | jne                 0x361
            //   33d2                 | dec                 eax

    /* Fires when at least 7 of the 10 sequences are present and the scanned
     * object is smaller than 2,007,040 bytes (1960 KiB). The size bound keeps
     * scan cost down and avoids coincidental hits in very large files.
     * Caveat for memory scanning: YARA documents `filesize` as undefined when
     * scanning process memory, so confirm how your scanner evaluates this
     * condition on dumps before relying on it there (a file-based scan of an
     * unpacked dump behaves as expected). Because the sequences were selected
     * from single Malpedia samples (see the disclaimer above), treat a hit as
     * a triage trigger for analyst review rather than definitive attribution. */
    condition:
        7 of them and filesize < 2007040
}