There is no description at this point.
rule win_zeoticus_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.zeoticus." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeoticus" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 6a0e b9b7070247 e8???????? 83c408 a3???????? 8d4c2408 51 } // n = 7, score = 100 // 6a0e | push 0xe // b9b7070247 | mov ecx, 0x470207b7 // e8???????? | // 83c408 | add esp, 8 // a3???????? | // 8d4c2408 | lea ecx, [esp + 8] // 51 | push ecx $sequence_1 = { 5e 0f28ac2408020000 660feff1 660fd4ac2458010000 660f380035???????? 0f28a42448010000 660fd4eb } // n = 7, score = 100 // 5e | pop esi // 0f28ac2408020000 | movaps xmm5, xmmword ptr [esp + 0x208] // 660feff1 | pxor xmm6, xmm1 // 660fd4ac2458010000 | paddq xmm5, xmmword ptr [esp + 0x158] // 660f380035???????? | // 0f28a42448010000 | movaps xmm4, xmmword ptr [esp + 0x148] // 660fd4eb | paddq xmm5, xmm3 $sequence_2 = { 0f29742460 660fd4c3 0f294c2410 0f298424d0000000 660fd4cc 660fefc5 } // n = 6, score = 100 // 0f29742460 | movaps xmmword ptr [esp + 0x60], xmm6 // 660fd4c3 | paddq xmm0, xmm3 // 0f294c2410 | movaps xmmword ptr [esp + 0x10], xmm1 // 0f298424d0000000 | movaps xmmword ptr [esp + 0xd0], xmm0 // 660fd4cc | paddq xmm1, xmm4 // 660fefc5 | pxor xmm0, xmm5 $sequence_3 = { 8bf0 e8???????? 83c408 a3???????? 8d4c241c 51 56 } // n = 7, score = 100 // 8bf0 | mov esi, eax // e8???????? | // 83c408 | add esp, 8 // a3???????? | // 8d4c241c | lea ecx, [esp + 0x1c] // 51 | push ecx // 56 | push esi $sequence_4 = { ba???????? 6811e7c138 6a14 b93c0b0ae9 e8???????? 83c408 a3???????? } // n = 7, score = 100 // ba???????? | // 6811e7c138 | push 0x38c1e711 // 6a14 | push 0x14 // b93c0b0ae9 | mov ecx, 0xe90a0b3c // e8???????? | // 83c408 | add esp, 8 // a3???????? | $sequence_5 = { 2b8564ffffff 898534ffffff 8b45b8 2b8568ffffff 898530ffffff 8b45bc 2b856cffffff } // n = 7, score = 100 // 2b8564ffffff | sub eax, dword ptr [ebp - 0x9c] // 898534ffffff | mov dword ptr [ebp - 0xcc], eax // 8b45b8 | mov eax, dword ptr [ebp - 0x48] // 2b8568ffffff | sub eax, dword ptr [ebp - 0x98] // 898530ffffff | mov dword ptr [ebp - 0xd0], eax // 8b45bc | mov eax, dword ptr [ebp - 0x44] // 2b856cffffff | sub eax, dword ptr [ebp - 0x94] $sequence_6 = { 660f6e5c244c 660f62d8 0f294c2410 660f6e4c2448 0f29542460 0f295c2470 } // n = 6, score = 100 // 660f6e5c244c | movd xmm3, dword ptr [esp + 0x4c] // 660f62d8 | punpckldq xmm3, xmm0 // 0f294c2410 | movaps xmmword ptr [esp + 0x10], xmm1 // 660f6e4c2448 | movd xmm1, dword ptr [esp + 0x48] // 0f29542460 | movaps xmmword ptr [esp + 0x60], xmm2 // 0f295c2470 | movaps xmmword ptr [esp + 0x70], xmm3 $sequence_7 = { 83e904 79ed 8b4c2444 8d51fe 85d2 } // n = 5, score = 100 // 83e904 | sub ecx, 4 // 79ed | jns 0xffffffef // 8b4c2444 | mov ecx, dword ptr [esp + 0x44] // 8d51fe | lea edx, [ecx - 2] // 85d2 | test edx, edx $sequence_8 = { 53 ffd0 85c0 7511 39742414 750b } // n = 6, score = 100 // 53 | push ebx // ffd0 | call eax // 85c0 | test eax, eax // 7511 | jne 0x13 // 39742414 | cmp dword ptr [esp + 0x14], esi // 750b | jne 0xd $sequence_9 = { 68ebe5da62 6a10 e8???????? 83c408 a3???????? 8d4c2418 51 } // n = 7, score = 100 // 68ebe5da62 | push 0x62dae5eb // 6a10 | push 0x10 // e8???????? | // 83c408 | add esp, 8 // a3???????? | // 8d4c2418 | lea ecx, [esp + 0x18] // 51 | push ecx condition: 7 of them and filesize < 468992 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below. Changes regarding references should be proposed on the Malpedia library page.
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY