win.xiangoop

Xiangoop


There is no description at this point.

References
2024-08-23 — ITOCHU — Suguru Ishimaru, Yusuke Niwa
Pirates of The Nang Hai: Follow the Artifacts No One Know
Cobalt Strike Xiangoop
2023-10-05 — VirusBulletin — Hajime Yanagishita, Suguru Ishimaru, Yusuke Niwa
Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload
EntryShell SparrowDoor Xiangoop
Yara Rules
[TLP:WHITE] win_xiangoop_auto (20260504 | Detects win.xiangoop.)
rule win_xiangoop_auto {

    /* Purpose: auto-generated signature for the Xiangoop family (win.xiangoop),
     * produced by yara-signator from disassembly of unpacked / in-memory code.
     * The rule is ten short x86 byte sequences ($sequence_0 .. $sequence_9);
     * a file matches when any 7 of them are present AND the file is smaller
     * than 246784 bytes (exactly 241 KiB). See the condition at the bottom.
     *
     * Deployment notes (reviewer):
     * - The sequences were selected from unpacked code (see DISCLAIMER below),
     *   so a packed on-disk sample presumably only matches in memory or after
     *   unpacking — confirm against your own sample set before relying on it
     *   for file-level detection.
     * - Several sequences embed 32-bit absolute addresses as literal bytes
     *   (0x10017d58, 0x10016558, 0x10016158, 0x10014310, 0x1001b0a8). They are
     *   tied to this build's layout (0x1000xxxx looks like a default DLL image
     *   base — TODO confirm), so a relinked or rebased variant may not match
     *   those sequences; the "7 of them" threshold gives some slack.
     * - Branch targets in the per-byte disassembly comments were rendered
     *   relative to offset 0 of each sequence: e.g. "eb09 | jmp 0xb" is a
     *   rel8 of +9 from the end of the 2-byte instruction, and "jmp 0xffffffba"
     *   is a wrapped negative rel8 — neither is a real address.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.xiangoop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xiangoop"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is an exact, contiguous byte run; "n" is the number of
        // instructions it covers and "score" is yara-signator's selection score.
        $sequence_0 = { d1e9 894de4 c745f400000000 eb09 }
            // n = 4, score = 100
            //   d1e9                 | shr                 ecx, 1
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   eb09                 | jmp                 0xb

        $sequence_1 = { ba01000000 d1e2 8b4df4 0fb6541118 }
            // n = 4, score = 100
            //   ba01000000           | mov                 edx, 1
            //   d1e2                 | shl                 edx, 1
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   0fb6541118           | movzx               edx, byte ptr [ecx + edx + 0x18]

        // Byte-indexed lookups into three fixed tables (0x10017d58, 0x10016558,
        // 0x10016158) XORed together — resembles a table-driven transform, but
        // that is not established by these bytes alone. The absolute addresses
        // make this sequence build-specific.
        $sequence_2 = { 81e2ff000000 8b048d587d0110 33049558650110 8b4dec c1e908 81e1ff000000 33048d58610110 }
            // n = 7, score = 100
            //   81e2ff000000         | and                 edx, 0xff
            //   8b048d587d0110       | mov                 eax, dword ptr [ecx*4 + 0x10017d58]
            //   33049558650110       | xor                 eax, dword ptr [edx*4 + 0x10016558]
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   c1e908               | shr                 ecx, 8
            //   81e1ff000000         | and                 ecx, 0xff
            //   33048d58610110       | xor                 eax, dword ptr [ecx*4 + 0x10016158]

        // e9 = jmp rel32; its 4-byte displacement is wildcarded (????????)
        // because it depends on code placement. The 0x10014310 immediate is
        // another absolute address (see header note).
        $sequence_3 = { e9???????? c745e410430110 ebb8 d9e8 8b4510 }
            // n = 5, score = 100
            //   e9????????           |                     
            //   c745e410430110       | mov                 dword ptr [ebp - 0x1c], 0x10014310
            //   ebb8                 | jmp                 0xffffffba
            //   d9e8                 | fld1                
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_4 = { 88540104 8b55f4 c1ea08 81e2ff000000 }
            // n = 4, score = 100
            //   88540104             | mov                 byte ptr [ecx + eax + 4], dl
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   c1ea08               | shr                 edx, 8
            //   81e2ff000000         | and                 edx, 0xff

        // Indexes a table at absolute address 0x1001b0a8 by (esi >> 6) and then
        // a 0x38-byte record by (esi & 0x3f); build-specific for the same reason
        // as $sequence_2.
        $sequence_5 = { 8bc6 8bd6 83e03f c1fa06 6bc838 8b0495a8b00110 f644082801 }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   8bd6                 | mov                 edx, esi
            //   83e03f               | and                 eax, 0x3f
            //   c1fa06               | sar                 edx, 6
            //   6bc838               | imul                ecx, eax, 0x38
            //   8b0495a8b00110       | mov                 eax, dword ptr [edx*4 + 0x1001b0a8]
            //   f644082801           | test                byte ptr [eax + ecx + 0x28], 1

        $sequence_6 = { 05f0000000 8945fc 8b4d10 8b5508 8d448a60 8945f0 }
            // n = 6, score = 100
            //   05f0000000           | add                 eax, 0xf0
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8d448a60             | lea                 eax, [edx + ecx*4 + 0x60]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        // "imul edx, ecx, 0" (6bd100) is unusual unoptimized codegen and is a
        // fairly distinctive byte pattern on its own.
        $sequence_7 = { 6bd100 8b45f4 0fb64c1008 81e1ff000000 c1e118 }
            // n = 5, score = 100
            //   6bd100               | imul                edx, ecx, 0
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   0fb64c1008           | movzx               ecx, byte ptr [eax + edx + 8]
            //   81e1ff000000         | and                 ecx, 0xff
            //   c1e118               | shl                 ecx, 0x18

        // Short compare/branch sequences: only 4 bytes of opcode carry the
        // displacements, so expect these two to be the least specific strings.
        $sequence_8 = { 7741 7206 837df40a 7339 }
            // n = 4, score = 100
            //   7741                 | ja                  0x43
            //   7206                 | jb                  8
            //   837df40a             | cmp                 dword ptr [ebp - 0xc], 0xa
            //   7339                 | jae                 0x3b

        $sequence_9 = { 7208 8b45f8 3b450c 7365 }
            // n = 4, score = 100
            //   7208                 | jb                  0xa
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]
            //   7365                 | jae                 0x67

    condition:
        // Any 7 of the 10 $sequence_* strings. The size cap (246784 bytes =
        // 241 KiB) limits scanning to small files and should be revisited if
        // larger samples of the family are observed.
        7 of them and filesize < 246784
}